1071 Views 3 Replies Latest reply: Dec 17, 2012 5:24 AM by PhilM
ralzaga Apprentice 55 posts since
Apr 13, 2012
Dec 11, 2012 2:05 AM

MFE and AZtech modem/wireless router, PPPoE and deployment

Hi,

  I have an Aztech Modem/Wireless Router, and I wanted to deploy McAfee Firewall Enterprise. Below are my concerns.

 

1.) What is the best thing to do:

    a.) Place the firewall behind the Aztech modem/wireless router?

    b.) Place the firewall in front of Aztech modem/wireless router?

 

2.) I have tried to place the firewall in front of the Aztech modem/wireless router, but it cannot dial PPPoE when I configure it in the terminal. It cannot get an IP address from the ISP.

 

3.) I have tried to place the firewall behind the Aztech modem/wireless router, but the network behind the firewall cannot pass through the firewall. I already created rules to allow protocols from internal to external. The only thing that has internet is the firewall. Below is the information.

 

Aztech Modem Router

 

services: DNS server and DHCP server

Public IP - PPPoE with static IP

LAN IP - 192.168.0.1

 

 

McAfee Firewall Enterprise

 

External Public IP - 192.168.0.2

Internal IP - 192.168.1.1

Gateway Static Routing - 192.168.0.1

DNS server - 192.168.0.1

 

Rules created:

 

Allow / NAT:

Any > from Internal to External

Internet Services > from Internal to External

DNS Resolvers > from Internal to External

 

 

3a.) If I place the firewall behind the Aztech modem/wireless router, how can I block the laptops that connect to the router when it gives them an IP from the 192.168.0.0/24 network?

  • PhilM Champion 528 posts since
    Jan 7, 2010

    As the Aztech is providing the physical connectivity it will need to be located outside the Firewall.

     

    But, by doing this you simply won't be able to apply any form of control to the wireless. If you still need wireless functionality, but with the users located on the inside of the McAfee Firewall, you will need to disable wireless on the Aztech router and install a separate wireless access point on the internal network.

     

    The same applies for DNS and/or DHCP services really.

     

    In the form of the Aztech you have purchased a consolidated solution where you really need separates - a router to provide the connectivity to the ISP and then have your wireless and DHCP running separately on the internal side of MFE.

     

    -Phil.

  • PhilM Champion 528 posts since
    Jan 7, 2010

    It sounds as though your client has been sold what in the UK would be classed as a consumer (or home user) internet service. The assumption with this kind of service is that you would use a device, such as the Aztech, and not have any other Firewall in place. Therefore a single IP address is all that is required. The only possibility I can think of is to configure the PPPoE settings on the McAfee Firewall and use the Aztech purely as a physical connection device. Then the static IP would be given to the Firewall as the Aztech would be acting as a transparent device.

     

    If you search through these forums, another user asked about configuring PPPoE on the McAfee Firewall and, having found no reference in the manual, I initially told him that it would not be possible. However, one of the McAfee support guys (it could have been sliedl) explained that it wasn't documented but was possible.

     

    Run the "man cf_interface" command and you should be able to see how the PPPoE settings are configured.

     

    Ordinarily when I am dealing with my customers and they want to implement a business-class Firewall, such as MFE, I recommend that they purchase an appropriate ISP circuit which offers a minimum /30 (255.255.255.252) subnet of IP addresses. This would give them two useable addresses - one would be assigned to the router and the other would be the external address of the MFE appliance.

     

    -Phil.
