I have an Aztech Modem/Wireless Router, and I wanted to deploy McAfee Firewall Enterprise. Below are my concerns.
1.) What is the best thing to do:
a.) Place the firewall behind the Aztech modem/wireless router?
b.) Place the firewall in front of Aztech modem/wireless router?
2.) I have tried to place the firewall in front of the Aztech modem/wireless router, but it cannot dial PPPoE when I configure it in the terminal. It cannot get an IP address from the ISP.
3.) I have tried to place the firewall behind the Aztech modem/wireless router, but the network behind the firewall cannot pass through the firewall. I already created rules to allow protocols from internal to external. The only thing that has internet is the firewall. Below is the information.
Aztech Modem Router
services: DNS server and DHCP server
Public IP - PPPoE with static IP
LAN IP - 192.168.0.1
McAfee Firewall Enterprise
External Public IP - 192.168.0.2
Internal IP - 192.168.1.1
Gateway Static Routing - 192.168.0.1
DNS server - 192.168.0.1
Allow / NAT:
Any > from Internal to External
Internet Services > from Internal to External
DNS Resolvers > from Internal to External
3a.) If I place the firewall behind the Aztech modem/wireless router, how can I block the laptops that connect to the router when it gives them an IP on the 192.168.0.0/24 network?
As the Aztech is providing the physical connectivity it will need to be located outside the Firewall.
But, by doing this you simply won't be able to apply any form of control to the wireless. If you still need wireless functionality, but with the users located on the inside of the McAfee Firewall, you will need to disable wireless on the Aztech router and install a separate wireless access point on the internal network.
The same applies for DNS and/or DHCP services really.
In the form of the Aztech you have purchased a consolidated solution where you really need separates - a router to provide the connectivity to the ISP and then have your wireless and DHCP running separately on the internal side of MFE.
My client was only given 1 static IP address by the ISP. So the local IP address of the Aztech will be the gateway address of the external interface of MFE, and a different IP will be assigned to the internal interface of MFE.
It sounds as though your client has been sold what in the UK would be classed as a consumer (or home user) internet service. The assumption with this kind of service is that you would use a device, such as the Aztech, and not have any other Firewall in place. Therefore a single IP address is all that is required. The only possibility I can think of is to configure the PPPoE settings on the McAfee Firewall and use the Aztech purely as a physical connection device. Then the static IP would be given to the Firewall as the Aztech would be acting as a transparent device.
If you search through these forums, another user asked about configuring PPPoE on the McAfee Firewall and, having found no reference in the manual, I initially told him that it would not be possible. However, one of the McAfee support guys (it could have been sliedl) explained that it wasn't documented but was possible.
Run the "man cf_interface" command and you should be able to see how the PPPoE settings are configured.
Ordinarily when I am dealing with my customers and they want to implement a business-class Firewall, such as MFE, I recommend that they purchase an appropriate ISP circuit which offers a minimum /30 (255.255.255.252) subnet of IP addresses. This would give them two usable addresses - one would be assigned to the router and the other would be the external address of the MFE appliance.
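To make the addressing points in this thread concrete, the following Python script is an added example (it is not McAfee's or Aztech's code, and not from any poster). It takes the addresses the question lists for the Aztech and the MFE, checks the basic plan (gateway on the external subnet, no overlap between external and internal), counts how many NAT layers a client behind the MFE passes through, shows which clients actually cross the firewall's rule base (the 192.168.0.0/24 wireless laptops from 3a do not), and lists the usable addresses a /30 circuit would provide. The public PPPoE address is a constructed TEST-NET placeholder, since the thread does not give the real one.

```python
"""Addressing-plan sanity checks for a firewall placed behind a combined
modem/router.  Added example; the private addresses come from the question,
the public one is a constructed placeholder."""
from ipaddress import ip_address, ip_interface, ip_network

# Constructed from the question's layout (public IP is a placeholder, not real)
AZTECH_WAN = ip_interface("203.0.113.10/32")   # PPPoE static IP (placeholder)
AZTECH_LAN = ip_interface("192.168.0.1/24")    # Aztech LAN side, DHCP/DNS server
MFE_EXTERNAL = ip_interface("192.168.0.2/24")  # MFE external interface
MFE_INTERNAL = ip_interface("192.168.1.1/24")  # MFE internal interface
MFE_GATEWAY = ip_address("192.168.0.1")        # MFE static default route


def check_plan(external, internal, gateway):
    """Return a list of plan errors; an empty list means the basics are right."""
    problems = []
    if gateway not in external.network:
        problems.append(f"gateway {gateway} is not on external subnet {external.network}")
    if gateway == external.ip:
        problems.append("gateway must be the upstream router, not the firewall itself")
    if external.network.overlaps(internal.network):
        problems.append(f"external {external.network} overlaps internal {internal.network}")
    return problems


def nat_layers(hops):
    """Count devices that translate between a private inside network and an
    outside address on a different network.  hops: [(outside_if, inside_if)]."""
    return sum(
        1 for outside, inside in hops
        if inside.network.is_private and outside.ip not in inside.network
    )


def policy_covers(client, internal):
    """True only if the client sits on the firewall's internal network, so its
    traffic must cross the firewall (and its rule base) to reach the Internet."""
    return ip_address(client) in internal.network


def usable_addresses(circuit):
    """Host addresses an ISP circuit offers; a /30 yields exactly two."""
    return [str(h) for h in ip_network(circuit, strict=False).hosts()]


if __name__ == "__main__":
    print("plan problems:", check_plan(MFE_EXTERNAL, MFE_INTERNAL, MFE_GATEWAY))
    # Aztech NATs LAN -> public; MFE NATs internal -> Aztech LAN: double NAT
    print("NAT layers for an internal client:",
          nat_layers([(AZTECH_WAN, AZTECH_LAN), (MFE_EXTERNAL, MFE_INTERNAL)]))
    for client in ("192.168.1.50", "192.168.0.77"):   # wired behind MFE vs wireless on Aztech
        print(client, "crosses the MFE rule base:", policy_covers(client, MFE_INTERNAL))
    print("usable addresses on a /30 circuit:", usable_addresses("203.0.113.0/30"))
```

The plan in the question passes the basic checks, which matches the second answer: the problem is not the addressing but that the wireless laptops on 192.168.0.0/24 never cross the MFE, so no rule on it can block them, and internal hosts go through two NAT layers. With a /30 circuit the two usable addresses map directly onto the router and the MFE external interface, removing the inner NAT.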