
For the last few years we've been using a Sonicwall PRO 2040 firewall in a relatively small hosting environment. But we want to upgrade to a faster box which also supports IPv6, and preferably we'd like to stay with Sonicwall (as it has served us well over the years) and upgrade to an NSA 2400.

All this time we have run this firewall in so-called 'transparent mode'. This way the firewall is completely transparent to the network (i.e. servers) behind the firewall, but the firewall still protects the network. Servers that are behind the firewall are configured as if the firewall is not there, e.g. the gateway address is that of a router outside of the firewall. This, in combination with VLANs (*), allows us to host each server separately from the others in the most transparent way for the customers.

(*) Explanation: On the firewall, we have created virtual interfaces for each server and tagged each with a VLAN. All these virtual interfaces use a single physical interface which is connected to a switch. This switch is configured with these VLANs as well and separates all traffic into individual physical ports. E.g. traffic for VLAN 5 only goes to physical port 5, traffic for VLAN 8 only goes to physical port 8, etc. The only common port is the port to which the firewall is connected. This ensures that the servers cannot communicate with each other directly, only through the firewall, even though they are in the same IP network space.

Now that we are moving to a new IP address space and also want to support IPv6, we are rethinking our solution. One reason for that is that transparent mode support for IPv6 seems to be very rare or non-existent. So if we want to support IPv6 we have to use routed mode. With this, all kinds of questions pop up, and hopefully someone can help me with some opinions and/or answers.

  • Is routed or transparent mode used more commonly for IPv4?

  • Can we use transparent mode on IPv4 and use routed mode on IPv6 or do we have to use routed mode on IPv4 as well?

  • Using routed mode, if our IP range is X.X.X.0/26 (i.e. 64 consecutive IP addresses) and the data center gateway we have to use is X.X.X.1, do we then put the WAN of the firewall on X.X.X.2 and the internal port on X.X.X.3 and then configure the servers to use X.X.X.3 as the gateway address?

  • Is it correct that in routed mode the firewall always needs a minimum of two IP addresses (for the internal and external interfaces) while in transparent mode the firewall only needs a single IP address (WAN) ?

  • Will we still be able to separate all servers by putting them all into their own VLAN, requiring all traffic between the servers to pass through the firewall? If so, what will the subnet mask have to be? I.e. what we don't want to do is put each server into its own IP network segment, as this would cost us 4 IP addresses per server (network, broadcast, gateway and the server itself).

  • Are there any advantages to using routed mode over transparent mode? Or the other way around?

Marco Miltenburg
  • To clarify, it's a single firewall; we're replacing the old firewall with a new firewall, so it's not intended to become a high-availability configuration. – Marco Miltenburg Sep 26 '12 at 21:34
  • Then your firewall would only use one IP address in each segment, but on the public segment, the rest applies. The provider would use the first, you would use the second, and then you would NAT the rest. – SpacemanSpiff Sep 27 '12 at 20:44

1 Answer

I dig your existing design, but it may not be scalable and if you start to virtualize your segmentation will burn a lot of ports. You could achieve it with trunking and tagging maybe going forward.

Now to answer your questions:

1) Both routed and transparent mode are common deployments; it depends on what routing equipment you have and what your NAT needs are, typically.

2) I do not think you could mix them.

3) Using routed mode, if you were given a /26 as a connected network from the provider, the firewalls would take three addresses on your public segment: one unique one for each firewall and a virtual one they would pass back and forth in a high-availability scenario. You would have to use private IPs and utilize address translation to make this work. However, if the provider connects to you with a /29 network and ROUTES that /26 to you instead, then you could connect with the /29 network and then use the /26 on the inside interfaces.

4) The firewalls will probably need 3 IP addresses on each side actually: one unique one for each and a third for VRRP failover. In transparent mode you should really only need a single inside IP for each node, just for management.

5) You would have to use a similar technique, but because you're now using HA pairs your number of cables would double. You might do better using VLAN tagging and sub-interfaces instead, but this may also cause cable congestion for server-to-server traffic.

6) There are advantages to both techniques, transparent mode can be nice to not have to deal with NAT, but there are limitations on what you can manipulate because you can't do as much L3/L4 decision or route traffic somewhere else because you can't route it at all.

SpacemanSpiff
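A worked address-plan check for the /26 questions in the post (the gateway .1 / WAN .2 / LAN .3 proposal and the "4 addresses per server" concern) and for the answer's point that a connected /26 cannot be split across a routed firewall without NAT, whereas a /29 transit link with the /26 routed behind it can. This is an added example in Python, not code from the question, the answer or SonicWall; it uses the documentation prefixes 203.0.113.0/26 and 198.51.100.0/29 as constructed stand-ins for the page's X.X.X.0/26 and the provider's /29, and the function names are assumptions of this example.

```python
"""Address-plan checks for routed mode (added example; constructed sample prefixes)."""
from ipaddress import ip_interface, ip_network


def routed_plan_is_valid(wan_iface: str, lan_iface: str) -> bool:
    """A routed firewall needs its WAN and LAN interfaces in disjoint subnets.

    The question's plan (provider .1, WAN .2, LAN .3, all inside one /26)
    fails this check: the firewall would be asked to route between two
    interfaces that share a subnet, which is why the answer points at NAT
    or at a separate transit prefix with the /26 routed behind it.
    """
    wan = ip_interface(wan_iface).network
    lan = ip_interface(lan_iface).network
    return not wan.overlaps(lan)


def per_server_subnets(block: str, new_prefix: int = 30) -> dict:
    """Carve `block` into one small subnet per server (the design the question
    wants to avoid). Each subnet spends its network and broadcast addresses
    plus one firewall gateway address; whatever remains is for servers."""
    net = ip_network(block)
    subnets = list(net.subnets(new_prefix=new_prefix))
    per_subnet = subnets[0].num_addresses - 3  # network, broadcast, gateway
    servers = len(subnets) * per_subnet
    return {
        "subnets": len(subnets),
        "servers": servers,
        "addresses_per_server": net.num_addresses // servers,
    }


def flat_vlan_design(block: str, firewall_nodes: int = 1, ha_virtual: bool = False) -> dict:
    """One subnet for all servers, each server in its own VLAN so that
    server-to-server traffic has to cross the firewall. Only the firewall's
    gateway address(es) come out of the block: one per node, plus a floating
    VRRP address when the answer's HA pair is used."""
    net = ip_network(block)
    gateway_addresses = firewall_nodes + (1 if ha_virtual else 0)
    servers = net.num_addresses - 2 - gateway_addresses  # minus network/broadcast
    return {"gateway_addresses": gateway_addresses, "servers": servers}


def transit_link_budget(block: str, firewall_nodes: int = 1, ha_virtual: bool = False) -> dict:
    """The provider's transit segment from the answer: provider router, one
    address per firewall node, and a floating address if HA. Raises when the
    segment is too small for the plan rather than silently overcommitting."""
    net = ip_network(block)
    usable = net.num_addresses - 2
    used = 1 + firewall_nodes + (1 if ha_virtual else 0)
    if used > usable:
        raise ValueError(f"{block} has {usable} usable addresses, plan needs {used}")
    return {"used": used, "spare": usable - used}


if __name__ == "__main__":
    # The question's proposal: everything in the same /26 -> not a valid routed plan.
    print(routed_plan_is_valid("203.0.113.2/26", "203.0.113.3/26"))
    # The answer's alternative: /29 transit on the WAN, routed /26 on the LAN.
    print(routed_plan_is_valid("198.51.100.2/29", "203.0.113.1/26"))
    print(per_server_subnets("203.0.113.0/26"))
    print(flat_vlan_design("203.0.113.0/26"))
    print(flat_vlan_design("203.0.113.0/26", firewall_nodes=2, ha_virtual=True))
    print(transit_link_budget("198.51.100.0/29", firewall_nodes=2, ha_virtual=True))
```

Running it shows the trade-off in numbers: per-server /30s from a /26 give 16 servers at 4 addresses each, while the flat design with per-server VLANs keeps 61 of the 64 addresses for servers with a single firewall (59 with an HA pair and its floating address), and a /29 transit link has room for an HA pair with two addresses to spare.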