Firewalla behind another firewall? Router-on-a-stick?
Looking at setting up a Gold in our data center behind an existing Palo Alto firewall so we can do site-to-site with a few of our small locations set up with Purples. Wondering what might be the best approach to this.
I can figure out all the protocols and ports needed to allow traffic through the Palo Alto to the Gold. Just trying to conceptualize the Gold's config.
Can I set up one of my public IP address to NAT to an internal LAN IP that I set on the Gold's LAN port and use it sort of like a router-on-a-stick? VPN tunnels would terminate into the Gold and I would add routes for subnets behind the Purples into my L3 switch to go to the Gold.
Or does the Gold need to have both the WAN and LAN ports configured in order to do any routing? If so, I could do a small subnet between the Palo Alto and the Gold so the WAN has some sort of IP address.
Last resort would be to put a switch after the ISP device and then go to both the Palo Alto and the Gold. Gold would get configured with an unused public IP on the WAN side. Was trying to avoid a switch though.
-
You need an in and an out for bridge mode, see https://help.firewalla.com/hc/en-us/articles/115004292514-How-does-Firewalla-Intercept-Traffic-Which-Firewalla-mode-to-use-#h_01F8F08QKB9B2TTXSWZSRV1AEB
-
It sounds like you can use the FWG as a simple VPN server by turning monitoring off. See https://help.firewalla.com/hc/en-us/articles/115004804933-What-can-Firewalla-Do-if-monitoring-is-off-
I've never tried it myself, but it sounds like the FWG will act as a VPN server appliance. You would need to get it an IP address in your network and set up the correct port forwardings in your router.
-
Not 100% sure that is going to work in my case.
I would want to have 2 different gateways on my L3 switch. I would have 0.0.0.0 that goes to my PA at 10.0.0.254, and these new locations behind Firewalla would go to 10.0.0.253 (Gold).
I think in the long run, instead of trying to shoehorn this in, I'm going to put in a switch and segment out my
-
Ahhhhhh David.....that might work! I'm not looking to do any monitoring.....just allow some of these smaller locations to get into the network over site-to-site.
Either way I think I'm going to pick up a Gold and it will either be in that VPN server mode, or off an ISP/edge switch.
I think in the VPN server mode, I would still need to have both WAN and LAN connected......
-
My guess is that if monitoring is off, you would only need to connect to LAN, since the box is just working as a VPN server. But, I have never tried it, and I can't find a great description of how to set this up in the Firewalla docs, just the article I linked that says you don't need monitoring on to use the VPN Server.
Maybe Firewalla support can give you more guidance about how to set this up. Or better yet, create a page documenting how. :-)