Getting Started: Layer 3, NAT, and DHCP

I've unpacked my firewall and did what you told me, now what?

 

In the previous installment, Getting Started—Preparing the Firewall, I've unpacked my firewall, now what?, we described the first steps after unpacking your firewall and getting it up and running. This week, we'll take a look at where to go from here and configure Layer 3 interfaces, set up proper routing, and enable NAT so the firewall can function as an internet gateway.

 

 

Before we get started, I'll outline a few things that may be different in your network that you'll want to note:

 

In the examples below, my ISP has assigned me the internet IP subnet of 198.51.100.0/28 which I want to start using on the untrust interface of the firewall instead of the router. To achieve this, NAT will need to be disabled and maybe some other things need to be changed to accomplish this. As the steps to accomplish this will vary, depending on several factors, you may need some assitance from your ISP to reconfigure your router. As it is not absolutely necessary to use a public IP range, you can simply keep using the IP range your ISP provided.

 

Please note these parameters for your network:

My router's IP will be: 198.51.100.1

My firewall's IP will be: 198.51.100.2

My firewall's internal IP will be: 10.0.0.1

My client's DHCP range will be: 10.0.0.50-10.0.0.250

 

 

1. Preparing the zones

 

To get started, we'll first reconfigure the zones we're currently using for our Virtual Wire so we can reuse the same zones. If you prefer to change the names, you can make new zones or simply rename the existing ones.

 

1. Navigate to the Network tab.
2. Open Zones from the left pane.
3. Proceed to open the trust zone objects and change the Type to Layer3, then click OK. Repeat this for the untrust zone.

 

 

Don't worry if the interfaces box is empty after this change—we'll fix that in the next step.

 

2. Preparing the interfaces

 

1. Navigate to the Network tab.
2. Open Interfaces from the left pane. We'll see our 2 VWire interfaces that are already connected to the internet but are currently lacking zone configuration, due to the step above.
3. Start by opening ethernet1/1, which will be our external, or untrust, interface. 

 

 

On the Interface Type dropdown, change Virtual Wire to Layer3.

 

 

Next, set the Virtual Router to default and the Security Zone to untrust.

 

Next we'll add an IP address to the interface.

1. Navigate to the IPv4 tab.
2. Click Add.
3. Enter the external IP address your ISP provided.

 

Click OK and proceed to ethernet1/2. Set the Interface to Layer3, Virtual Router to default and Security Zone to trust.

 

In the IPv4 tab, set the IP address of the interface to 10.0.0.1/24 and open the Advanced tab.

 

In this tab, we're going to set a Management Profile which will allow us to ping the interface, which might come in handy if we ever need to troubleshoot internal network issues. In the Management Profile dropdown, click the Management Profile link:

 

For now, we will only allow the ping service on the interface.

 

Return to the interfaces page by clicking OK on the two configuration dialogs. The interfaces page should now look like this:

 

3. Configuring routing

 

Next, we need to make sure the firewall will be able to reach the Internet, so it will need a default gateway.

1. Navigate to the Network tab.
2. Open Virtual Routers from the left pane.
3. Open the default VR (virtual router).

 

 

 

This will bring up the configuration for the Virtual Router we will be using for our new Layer 3 interfaces. It is called a virtual router because the firewall does not employ one single routing instance, but can have several, all bound to different interfaces. This allows for routing instances to be very different from each other, and makes network segregation at the routing level possible. For now, we'll stick to the one we have:

 

 

Add a static route.

1. Open Static Routes from the left pane.
2. Click Add to start a new route.

 

 

We'll set the destination to 0.0.0.0/0, which encompasses all IP subnets that are not connected to the firewall and the egress interface to ethernet1/1 as this is the outside interface connected to the internet router. Lastly we'll set the router's IP address as the next hop.

 

 

4. Configuring DHCP

 

Our next step will be to enable a DHCP server on the trust interface so any users connecting to the network without a statically configured IP address can get connected.

 

1. Navigate to the Network tab.
2. Open DHCP from the left pane.
3. Click Add to start a new DHCP server configuration.

 

 

We'll set the interface to ethernet1/2 as this is the inside interface. To prevent duplicate IP addresses in the network in case someone has set a static IP address configuration o their workstation, we can enable Ping IP when allocating new IP.  This option sends a ping to an IP address ready to be assigned a host. In case the ping receives a reply, the DHCP server chooses a different IP to assign and repeats the step. We'll set the Lease to 1 day and the IP Pools to '10.0.0.50-10.0.0.250' to provide users with 201 IP addresses.

 

 

In the Options tab, we can configure which default gateway and DNS servers the clients receive when requesting a DHCP address. We need to set the Gateway as 10.0.0.1 as this its the firewall's internal IP address. I've set the DNS servers as Google's 4.2.2.2 and 8.8.8.8 but you can set your own ISP's DNS servers:

Click OK to complete this bit and let's move to the last part where we configure NAT.

 

5. Configuring NAT

 

The last part of this setup is to configure Network Address Translation. This will make sure all internal hosts go out to the internet using the firewall's external IP address as source. This is required as the private network IP ranges 10.0.0.0/8 , 172.16.0.0/12 and 192.168.0.0/16 are not routed on the internet and can only be used on a private network behind a NAT enabled gateway.

 

1. Navigate to the Policies tab.
2. Open NAT from the left pane.
3. Click Add to create a new NAT policy.

 We'll give the NAT rule an easy-to-identify name:

 

Next we'll go to the Original Packet tab, where we'll set the source and destination zones and the destination interface.

1. Click Add to insert a new source zone.
2. Select the trust zone from the dropdown.
3. In the destination zone, choose untrust in the dropdown.
4. For the destination interface, set ethernet1/1, as this is the outside interface.
5. Leave everything else as is and move on to the Translated Packet tab.

 

 

Lastly, from the Translated Packet tab, we will configure the Source Address Translation. Set the Translation Type to Dynamic IP And Port to ensure multiple internal clients can make simultaneous outbound connections hidden behind one IP address.

 

About the other options—

• Dynamic IP comes in handy to hide a group of IP addresses behind another group of IP addresses of equal size. This can happen if a connection is set up with a secondary network where IP addresses may overlap, or where routing to the LAN subnet is not possible.
• Static IP is usually set if a single host will have exclusive use of a NAT IP address.

 

As Address Type we'll choose to use the Interface Address

and select ethernet1/1

and select its configured IP address.

Click OK to complete the NAT configuration.

 

6. Cleanup and commit

 

One last step before we go ahead and commit this configuration is to remove the previously used Virtual Wire object.

Navigate to the Network tab and open Virtual Wires from the left pane. Once there, highlight the default-VWire and click Delete.

 

When the default-VWire is deleted, go ahead and commit the configuration.

 

7. Refresh client IP and ARP

 

We have now succesfully switched the firewall from virtual wire to Layer 3 deployment. One caveat to consider is that now the interfaces are no longer acting as a bump-in-the-wire—they have their own MAC address and some clients. Potentially, the router may need to have its ARP cache refreshed before the interfaces can succesfully communicate with the firewall.

 

On a windows host, this can be accomplished by starting a command prompt as administrator

 

and executing 'arp -d' to clear the ARP cache and 'ipconfig /renew' to obtain a DHCP lease from the new DHCP server.

 

C:\>arp -d

C:\>ipconfig /renew

Windows IP Configuration

Ethernet adapter lablan:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.0.0.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.0.0.1

 

I hope you enjoyed this article. Please feel free to leave any comments below!

 

Regards,

Tom Piens

 

If you've enjoyed this article, please also take a look at the follow-up articles:

I've unpacked my firewall and want to configure VLANs — subinterfaces

I’ve unpacked my firewall, but where are the logs?