Emerging Member
Posts: 54
Registered: 02-13-2014
Kudos: 5
Solutions: 1
Accepted Solution

Hardware Firewall Before or After EdgeRouter Pro

[ Edited ]

I just bought a new WatchGuard Firebox for my house. I know, this is overkill, but I'm doing this to learn. There seems to be a lot of mixed opinions on the Internet about whether the firewall should be placed before or after the router. So my question is: where is the best place to put it?

Thanks in advance!


Accepted Solutions
Member
Posts: 138
Registered: 10-18-2013
Kudos: 56
Solutions: 6

Re: Hardware Firewall Before or After EdgeRouter Pro

From a security perspective it doesn't make sense to route between networks without proper firewalling. You use network segmentation because you want to secure networks / devices against each other, leaving not a lot of room for compromises.

What the ER lacks compared to the WatchGuard is visibility. Have you set up a Dimension VM and monitored what is (not) going through your appliance? Do you have a Basic or Total Security Suite for your T10 and do you have it all set up properly? That's when the fun begins!

You wouldn't go back to a device you have no idea of what it does right now, or did last night / week, that has no UTM capability at all, etc.

Yes, when it comes to routing speed (e.g. between VLANs) the ER Pro easily burns a T10. But what is speed without control? We use ER Pros strictly as routers in our public networks. The included firewalling functionality is only used to protect it from outside access.

But in front of our office's network (and between our different internal network segments), in front of our public servers, etc. there are UTM appliances (clusters), all reporting to Dimension instances for reports, data mining, incident tracking, diagnostics, etc.

And of course a T10 is an entry-level UTM product. It can handle typical low- and mid-sized uplinks with UTM features and the classic internal and guest WiFi VLANs. The M series rackmount products are a whole different beast...

Keep in mind, ER stands for Edge Router, not Unified Threat Management Firewall.



All Replies
Member
Posts: 133
Registered: 02-28-2016
Kudos: 18
Solutions: 6

Re: Hardware Firewall Before or After EdgeRouter Pro

[ Edited ]

That's cool that you want to learn. Heck, I just bought a UAP Pro and installed the UniFi software into a FreeNAS jail to learn as well, so it's all cool there.

Anywho,

this all depends upon what you are trying to do exactly. The ER Pro iptables firewall is just fine for most purposes. In the real world the only real reason you ever use a true firewall appliance is if you need a particular feature set to meet a business requirement such as inline Snort IDS/IPS, deep packet inspection, etc.

You're really just wanting to play with the equipment, so do whatever you want with it and have fun learning. Firewalls are generally going to be your WAN-facing equipment UNLESS you are terminating to a T1/T3/SONET; then you need a router or another piece of equipment that can have a serial card adaptor/slot (expensive).

Have fun!

Regular Member
Posts: 434
Registered: 08-03-2013
Kudos: 101
Solutions: 12

Re: Hardware Firewall Before or After EdgeRouter Pro

[ Edited ]

justindebusk wrote:

I just bought a new WatchGuard Firebox for my house. I know, this is overkill, but I'm doing this to learn. There seems to be a lot of mixed opinions on the Internet about whether the firewall should be placed before or after the router. So my question is: where is the best place to put it?


Routing is first and firewall is second.

So in your scenario you would place the WatchGuard in bridge mode --- this turns the WatchGuard routing engine off.

The WatchGuard Firebox is both a router and a subscription-based firewall, and its combined performance as an integrated router/firewall appliance is remarkably outstanding. The WatchGuard has a much superior hardware processor and ASICs --- there really would be no competitive comparison to the Ubiquiti lineup as it currently stands, IMO.

David Mozer
IT-Expert on Call
Emerging Member
Posts: 80
Registered: 04-21-2015
Kudos: 24
Solutions: 4

Re: Hardware Firewall Before or After EdgeRouter Pro


XanALaOM00 wrote:

... Firewalls are generally going to be your WAN-facing equipment UNLESS you are terminating to a T1/T3/SONET; then you need a router or another piece of equipment that can have a serial card adaptor/slot (expensive).


And even with PPPoE (RJ45 gigabit copper) it would be a good idea to use a router with a firewall, if the router supports hardware PPPoE offloading (EdgeRouter) and the firewall does not (Fortinet).

Member
Posts: 138
Registered: 10-18-2013
Kudos: 56
Solutions: 6

Re: Hardware Firewall Before or After EdgeRouter Pro

I'm a WatchGuard ONE Gold Partner and wondering why you would use a Firebox and an EdgeRouter simultaneously in a home environment. What is your setup and what are you trying to accomplish?

We're also a local fiber ISP and use ER-X SFPs as CPE. For our business customers they're usually set up as media converters (L2 switching between the fiber and one copper port), so they are completely transparent and our customers can use whatever router / UTM firewall they have behind that.

Emerging Member
Posts: 54
Registered: 02-13-2014
Kudos: 5
Solutions: 1

Re: Hardware Firewall Before or After EdgeRouter Pro

[ Edited ]

Urinella wrote:

I'm a WatchGuard ONE Gold Partner and wondering why you would use a Firebox and an EdgeRouter simultaneously in a home environment. What is your setup and what are you trying to accomplish?

We're also a local fiber ISP and use ER-X SFPs as CPE. For our business customers they're usually set up as media converters (L2 switching between the fiber and one copper port), so they are completely transparent and our customers can use whatever router / UTM firewall they have behind that.


My setup at the moment is as follows:

     Network (using the SFPs to uplink all the switches and routers):

          2 x 24-port EdgeSwitches (4 VLANs set up)
          1 x EdgeRouter Pro (Internet and VLAN routing set up)
          WatchGuard Firebox T10 (new firewall)

     Servers:

          Active Directory, DHCP & DNS
          2 x Hyper-V

Mainly I'm doing this so I can learn how all these devices work together and independently of each other. My goal at the moment is to split the routing and firewalling across two different devices. What I'm trying to figure out is the best or common-practice way of setting this up.

I hope that this has answered your question and given you a little more insight into what I'm trying to do.

Thank you to everyone that has responded so far!

Emerging Member
Posts: 54
Registered: 02-13-2014
Kudos: 5
Solutions: 1

Re: Hardware Firewall Before or After EdgeRouter Pro


XanALaOM00 wrote:

That's cool that you want to learn. Heck, I just bought a UAP Pro and installed the UniFi software into a FreeNAS jail to learn as well, so it's all cool there.

Anywho,

this all depends upon what you are trying to do exactly. The ER Pro iptables firewall is just fine for most purposes. In the real world the only real reason you ever use a true firewall appliance is if you need a particular feature set to meet a business requirement such as inline Snort IDS/IPS, deep packet inspection, etc.

You're really just wanting to play with the equipment, so do whatever you want with it and have fun learning. Firewalls are generally going to be your WAN-facing equipment UNLESS you are terminating to a T1/T3/SONET; then you need a router or another piece of equipment that can have a serial card adaptor/slot (expensive).

Have fun!


Thanks for the reply!

Yea, I have a couple of old UniFi indoor and outdoor 802.11n access points (they need upgrading); they were a lot of fun setting up and learning how they work. I don't think I could ever go back to using consumer-grade access points or network products again. In fact those access points were my first exposure to their hardware and I have been using them ever since for all my network needs.

Emerging Member
Posts: 54
Registered: 02-13-2014
Kudos: 5
Solutions: 1

Re: Hardware Firewall Before or After EdgeRouter Pro


mozerd wrote:

justindebusk wrote:

I just bought a new WatchGuard Firebox for my house. I know, this is overkill, but I'm doing this to learn. There seems to be a lot of mixed opinions on the Internet about whether the firewall should be placed before or after the router. So my question is: where is the best place to put it?


Routing is first and firewall is second.

So in your scenario you would place the WatchGuard in bridge mode --- this turns the WatchGuard routing engine off.

The WatchGuard Firebox is both a router and a subscription-based firewall, and its combined performance as an integrated router/firewall appliance is remarkably outstanding. The WatchGuard has a much superior hardware processor and ASICs --- there really would be no competitive comparison to the Ubiquiti lineup as it currently stands, IMO.


Thanks for your reply!

From everything I have read the EdgeRouter Pro is still better than the WatchGuard I bought. Is the WatchGuard Firebox T10 better than the EdgeRouter Pro?


New Member
Posts: 8
Registered: 07-09-2014
Kudos: 2

Re: Hardware Firewall Before or After EdgeRouter Pro

I have a similar situation where I have a small computer lab with a handful of Chromeboxes. These are attached to a router/WAP device and then to an Untangle VM for web filtering, bandwidth limiting, ad blocking and such. I had to use this design for my WiFi users to get filtered, but it has a pretty big drawback.

Not sure if it would be the case with your software, as I've never used WatchGuard products or what I'd call a proper UTM appliance before, but in my case Untangle is completely blind to my devices. Everything comes from the router IP, so if any suspicious traffic were to happen, I'd really have no way to determine what device it was coming from. Not a huge issue for me, as it's just making sure users aren't accessing porn in our computer lab, but something to be aware of or test if it's the case with your equipment, where you actually want insight into what device is doing what.

The cool thing is you can test both in front of and behind the router and see first-hand what the differences are.
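The "everything comes from the router IP" problem in the post above is a direct consequence of where the inspection point sits relative to source NAT. As an added example (not code from any post in this thread, and not Untangle's or WatchGuard's own), the Python below models a masquerading router and shows what a UTM logs in the two placements the post suggests testing: on the WAN side of the NAT router, where every flow carries the router's address, versus on the LAN side (or inline in bridge mode), where the originating device is still visible. The device names, addresses, flows and the log line format are all constructed sample data.

```python
# Added example, not from any post in this thread. All hosts, addresses,
# flows and the log line format below are constructed sample data.
from collections import Counter
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Constructed LAN: three devices, identified by address.
LAN_HOSTS = {
    "192.168.1.10": "chromebox-1",
    "192.168.1.11": "chromebox-2",
    "192.168.1.12": "printer",
}

# Constructed sample flows from those devices to two Internet hosts.
SAMPLE_FLOWS = [
    Packet("192.168.1.10", 51000, "198.51.100.5", 443),
    Packet("192.168.1.11", 51001, "198.51.100.5", 443),
    Packet("192.168.1.12", 51002, "198.51.100.9", 80),
    Packet("192.168.1.10", 51003, "198.51.100.9", 80),
]

ROUTER_WAN_IP = "203.0.113.10"  # constructed WAN address of the NAT router


class MasqueradeRouter:
    """Minimal source NAT: every outbound packet leaves with the router's WAN
    address, and a translation table records which LAN socket it came from
    (that table lives only on the router, not on anything downstream)."""

    def __init__(self, wan_ip=ROUTER_WAN_IP, first_port=40000):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.lan_to_wan = {}  # (lan_ip, lan_port) -> wan_port
        self.wan_to_lan = {}  # wan_port -> (lan_ip, lan_port)

    def translate(self, pkt):
        key = (pkt.src, pkt.sport)
        if key not in self.lan_to_wan:
            port = self.next_port
            self.next_port += 1
            self.lan_to_wan[key] = port
            self.wan_to_lan[port] = key
        return replace(pkt, src=self.wan_ip, sport=self.lan_to_wan[key])


def utm_log_line(pkt):
    """The sort of line a UTM writes for an allowed flow (constructed format)."""
    return f"ALLOW {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"


def utm_view(flows, utm_on_wan_side):
    """Log lines a UTM would produce for the given placement: after the NAT
    router (utm_on_wan_side=True) or on the LAN side / in bridge mode."""
    router = MasqueradeRouter()
    lines = []
    for pkt in flows:
        seen = router.translate(pkt) if utm_on_wan_side else pkt
        lines.append(utm_log_line(seen))
    return lines


def sources_by_device(log_lines):
    """Attribute each logged flow to a LAN device, or 'unknown' when the
    logged source is not a LAN host (i.e. it is the router's WAN address)."""
    counts = Counter()
    for line in log_lines:
        src_ip = line.split()[1].split(":")[0]
        counts[LAN_HOSTS.get(src_ip, "unknown")] += 1
    return dict(counts)


def attribution_possible(log_lines):
    """True only if every flow in the log can be tied back to a device."""
    return "unknown" not in sources_by_device(log_lines)


if __name__ == "__main__":
    placements = (
        ("UTM on the WAN side of the NAT router", True),
        ("UTM on the LAN side / bridge mode", False),
    )
    for label, wan_side in placements:
        lines = utm_view(SAMPLE_FLOWS, wan_side)
        print(label)
        for line in lines:
            print("  ", line)
        print("   per device:", sources_by_device(lines))
        print("   attribution possible:", attribution_possible(lines))
```

The translation table that could map `203.0.113.10:40000` back to `192.168.1.10` exists only inside the router, so a UTM downstream of it has nothing to join its logs against. Putting the UTM in bridge mode between the switch and the router (the second placement) keeps per-device attribution without changing the routing.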

Emerging Member
Posts: 54
Registered: 02-13-2014
Kudos: 5
Solutions: 1

Re: Hardware Firewall Before or After EdgeRouter Pro

[ Edited ]

Urinella wrote:

From a security perspective it doesn't make sense to route between networks without proper firewalling. You use network segmentation because you want to secure networks / devices against each other, leaving not a lot of room for compromises.

What the ER lacks compared to the WatchGuard is visibility. Have you set up a Dimension VM and monitored what is (not) going through your appliance? Do you have a Basic or Total Security Suite for your T10 and do you have it all set up properly? That's when the fun begins!

You wouldn't go back to a device you have no idea of what it does right now, or did last night / week, that has no UTM capability at all, etc.

Yes, when it comes to routing speed (e.g. between VLANs) the ER Pro easily burns a T10. But what is speed without control? We use ER Pros strictly as routers in our public networks. The included firewalling functionality is only used to protect it from outside access.

But in front of our office's network (and between our different internal network segments), in front of our public servers, etc. there are UTM appliances (clusters), all reporting to Dimension instances for reports, data mining, incident tracking, diagnostics, etc.

And of course a T10 is an entry-level UTM product. It can handle typical low- and mid-sized uplinks with UTM features and the classic internal and guest WiFi VLANs. The M series rackmount products are a whole different beast...

Keep in mind, ER stands for Edge Router, not Unified Threat Management Firewall.


Thank you for your response!

No, I don't have a Dimension VM set up, but I'm definitely going to be looking into getting one set up. Please remember this is new to me, so I am still learning about this stuff. No, I don't have Total Security for my T10 at the moment, but it is something I might do in the future. Once I get the T10 up and running I am going to be looking at getting a WatchGuard M200 (this will be in the far future, unless I can get a good price on one). Right now I am focusing on getting the T10 set up and working as a firewall & router. When that is done I will work on getting the EdgeRouter set up behind the T10 to do the routing. I had the T10 set up and mostly working this weekend but was having problems with some of my devices not working right, and have had to switch back to my EdgeRouter for the time being. I plan on taking another look at it tonight.

I knew the EdgeRouter wasn't a Unified Threat Management Firewall. My goal was just trying to find the best way to set up all this equipment.

Again, thank you for your insight; I really appreciate it.
