Firewall – How to set up a Firewall without NAT

Tags: firewall, ip, nat, sonicwall

We have 16 IP addresses from our ISP, and are setting up a SonicWall Firewall. I'd like to have the SonicWall do NAT for the LAN, but act as a firewall only (no NAT) for the servers which are using some of the 16 addresses. How do I set this up? If I set the WAN's subnet to include the 16 IPs, the SonicWall won't route the traffic to the LAN interface. Should I set the WAN subnet to only include the ones we are dedicating for NAT, and then keep the others on the LAN?

Related point: How can I set multiple IP addresses for a SonicWall LAN interface?

CLARIFICATION: The servers are not NAT'd; they're using their public IPs directly.

Best Answer

As Tom suggested in the comments, what you need to do is set up a static 1:1 NAT for your (I hope) DMZ'ed public-facing servers. Your source NAT (many-to-one likely) will allow your LAN subnet to NAT out as one of your /16 accordingly.

For example:

  • LAN subnet: 192.168.0.0/24
  • DMZ subnet: 192.168.1.0/24
  • WAN subnet: 200.200.200.0/16

By setting up your LAN and your DMZ networks on separate subnets (whether you use VLANs or a separate interface on your firewall; it should have a "DMZ" or "Optional" interface), which are routed and filtered by your firewall, you can now set up 1:1 NAT to statically assign a DMZ address to a public address, but also have filtering set up to permit inbound traffic from the Internet and from your LAN (and vice versa, say if one of your servers needs to talk to a Domain Controller internally) on only the ports and source IP addresses you wish.

To the rest of the world, your servers appear to be on the "outside", but they're really isolated to/from the Internet and to/from your LAN, improving security by allowing you to create inbound rules for Internet traffic but also outbound rules to say only permit a Webserver from accepting established inbound 80/443 connections, but not allowing it to initiate outbound connections to any TCP/UDP port (and thus adding a layer of defense against zombified botnet traffic, or spam bots, etc. should your Webserver become compromised).

If your servers are NOT behind your firewall, you get no benefit of firewalling, centralized firewall logging, etc. and that's not a Good Thing.
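The three-zone design the answer describes, as an added example that is not part of the original answer and not SonicWall syntax: the same 1:1 NAT for a DMZ web server, many-to-one NAT for the LAN, and "established inbound only" filtering expressed as an nftables ruleset. The interface names, the 203.0.113.0/28 block standing in for the ISP's 16 addresses, and the host addresses are all constructed for the example.

```nftables
#!/usr/sbin/nft -f
# Added example (not SonicWall config). Constructed addresses:
#   WAN eth0, public block 203.0.113.0/28 (placeholder for the ISP's 16 IPs)
#   LAN eth1, 192.168.0.0/24, NATs out as 203.0.113.1
#   DMZ eth2, 192.168.1.0/24, web server 192.168.1.10 <-> 203.0.113.2 (1:1)
flush ruleset

define WAN      = "eth0"
define LAN      = "eth1"
define DMZ      = "eth2"
define LAN_NET  = 192.168.0.0/24
define LAN_PUB  = 203.0.113.1
define WEB_PRIV = 192.168.1.10
define WEB_PUB  = 203.0.113.2
define DC       = 192.168.0.5     # constructed internal Domain Controller

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # 1:1 NAT, inbound half: public web address -> DMZ host
        iifname $WAN ip daddr $WEB_PUB dnat to $WEB_PRIV
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # 1:1 NAT, outbound half: the DMZ host always appears as its public address
        oifname $WAN ip saddr $WEB_PRIV snat to $WEB_PUB
        # many-to-one source NAT for the whole LAN
        oifname $WAN ip saddr $LAN_NET snat to $LAN_PUB
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        # replies to already-permitted connections, in every direction
        ct state established,related accept
        # Internet -> web server: new connections on 80/443 only (daddr is post-DNAT)
        iifname $WAN oifname $DMZ ip daddr $WEB_PRIV tcp dport { 80, 443 } ct state new accept
        # LAN -> web server for administration; Internet -> LAN never matches, so it is dropped
        iifname $LAN oifname $DMZ ip daddr $WEB_PRIV tcp dport { 22, 443 } ct state new accept
        # web server -> Domain Controller only, on Kerberos and LDAP
        iifname $DMZ oifname $LAN ip saddr $WEB_PRIV ip daddr $DC tcp dport { 88, 389 } ct state new accept
        # LAN -> Internet, any port
        iifname $LAN oifname $WAN accept
        # any other connection the DMZ tries to initiate is logged and dropped,
        # so a compromised web server cannot call out to the Internet or the LAN
        iifname $DMZ ct state new log prefix "dmz-outbound-denied " drop
    }
}
```

Load it with `nft -f` on a host that has IP forwarding enabled; the `dmz-outbound-denied` log prefix gives the centralized logging the answer mentions, since every outbound attempt from the DMZ that is not explicitly allowed is recorded before being dropped.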
