Jon_AK (Contributor)
Second Router / Firewall

I just received our Quantum Spark 1575 appliance and would like to request some insight from you folks.  We currently have a UDM Pro SE as our firewall/router which connects directly to our ISP.  I want to maintain this appliance for the simplicity it offers for maintaining the Unifi AP wireless devices currently connected to it along with any additional wireless devices such as phones etc.  I want to place the CP1575 facing the internet & connect the UDMP as our second firewall / router to maintain the wireless network.  I have seen a lot of articles where people get lectured to not use a second firewall and vice-versa and several "security" experts advocating the use of a second firewall.  I chose the latter.  Enough said....

The physical cable connection has been shown different ways. One method depicts a LAN port to LAN port connection as a dynamic DHCP address issued by the upstream router on the 192.168.1.0 network and a second cable from LAN port to WAN port with a static IP set as 192.168.1.2 for the downstream router, with the downstream router also being a DHCP server but for a 172.16.1.0 network. The reasoning behind this method was so the UDMP could still get its firmware updates directly from Ubiquiti.

Our LAN is a Windows AD server on the 192.168.1.0 network that also serves as a web server to host our ERP & website, as well as a file server. What is the recommended method for connecting these two appliances together and implementing the network changes that will most likely have to occur?


9 Replies
PhoneBoy (Admin)

There's nothing inherently wrong with using multiple firewalls.
In some cases, it might be overkill, though.

How you connect these devices together really depends on your precise segmentation requirements.
More specifically: what needs to talk to what.
A current network diagram would also be helpful.

Jon_AK (Contributor)

Segmenting the internal LAN from the wireless and placing a Windows Server 2019 VM which houses the ERP with a reverse proxy in the DMZ. The LAN clients & my laptop need to talk to the ERP for daily business & the ERP has to provide access to outside customers for ecommerce, but the Postgres database in which the ERP stores its information really needs to be behind the second firewall. The wireless does not need access to the LAN except for one device...my laptop; the remainder of the LAN all need to talk to each other and have internet access.

Right now I have the ISP on the WAN port of the 1575, port 1 of the 1575 going to the WAN port of the UDMP, port 2 of the 1575 going to port 1 of the UDMP, wireless devices landed on ports 6 - 8 of the UDMP, and a dumb switch for the internal LAN on port 3 of the 1575. All the clients are obtaining internet through the 1575, but I need to get internet to the WAN port of the UDMP in order for it to perform updates of its firmware.

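The segmentation requirements in the reply above can be written down as an explicit zone-to-zone allow list before touching either appliance's policy. This is an added example, not code from the thread or from Check Point or Ubiquiti; the zone names, the placement of Postgres in the inner LAN behind the second firewall, and the "laptop" host exception are assumptions chosen to match the post.

```python
# Added example: model the segmentation requirements from the post as a
# top-down rule base with an implicit default deny, then check candidate
# flows against it. Zone names and the laptop exception are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str        # e.g. "https", "postgres", "smb", "any"
    src_host: str = ""  # only used for host-specific exceptions

# Assumed zones: INTERNET; DMZ (ERP VM + reverse proxy, behind the 1575);
# LAN (AD, file server, clients and Postgres, behind the second firewall);
# WIRELESS (UDMP access points, phones, and the laptop).
RULES = [
    # outside customers reach the ERP only through the reverse proxy
    {"src": "INTERNET", "dst": "DMZ", "svc": {"https"}},
    # the ERP VM may reach its database tier and nothing else inside
    {"src": "DMZ", "dst": "LAN", "svc": {"postgres"}},
    # LAN clients use the ERP, talk to each other, and browse out
    {"src": "LAN", "dst": "DMZ", "svc": {"https"}},
    {"src": "LAN", "dst": "LAN", "svc": {"any"}},
    {"src": "LAN", "dst": "INTERNET", "svc": {"any"}},
    # wireless gets Internet only; the laptop is the single exception
    {"src": "WIRELESS", "dst": "INTERNET", "svc": {"any"}},
    {"src": "WIRELESS", "dst": "LAN", "svc": {"any"}, "hosts": {"laptop"}},
    {"src": "WIRELESS", "dst": "DMZ", "svc": {"https"}, "hosts": {"laptop"}},
]

def is_allowed(flow: Flow) -> bool:
    """Return True if any rule matches; unmatched flows are denied."""
    for rule in RULES:
        if rule["src"] != flow.src_zone or rule["dst"] != flow.dst_zone:
            continue
        if "hosts" in rule and flow.src_host not in rule["hosts"]:
            continue
        if "any" in rule["svc"] or flow.service in rule["svc"]:
            return True
    return False  # default deny

def denied(flows):
    """Flows from a proposed list that the rule base would drop."""
    return [f for f in flows if not is_allowed(f)]
```

Running the database and wireless flows through `is_allowed` before configuring the appliances makes it easy to spot a requirement the rule base does not cover, such as a wireless client other than the laptop reaching the inner LAN.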
PhoneBoy (Admin)

What precise access does the UDMP need to perform firmware updates?
In most cases, just allowing outbound Internet access from that device should suffice.
If the device needs to be externally reachable on a specific TCP/UDP port(s), set up a "Server" object for it with the relevant ports configured.

Jon_AK (Contributor)

@PhoneBoy wrote:

What precise access does the UDMP need to perform firmware updates?

My understanding from a couple of posts I read is that it apparently checks for its updates via its WAN port. I have not verified this with Ubiquiti support, just accepted that is what is needed. Currently, I set it on its own port on its own network.

I am still becoming familiar with the CP appliance and using the UDMP as a second firewall. For me, it's a big learning experience, so I am having to rely upon learning material. Appreciate all of your input.


PhoneBoy (Admin), accepted solution

Yes, which means the WAN port needs to be connected to something that provides Internet access.
That can be the LAN port of the 1575, assuming you haven't configured a specific Access Policy to block this traffic.

Jon_AK (Contributor)

In the beginning, I connected the UDMP WAN port to LAN1 of the CP, but even though there were no rules restricting internet access, the UDMP showed no internet connection. It wasn't until I specifically set the CP port as a separate network that the UDMP responded. Since then, all has been working fine. Am satisfied with the CP appliance; it gives a lot of information in the logs and configuration has been mostly straightforward, although, as I indicated earlier, am still learning the ins & outs of how the different parts of the appliance operate. Thanks PhoneBoy & Rock...

the_rock (Legend)

Well, we are happy to hear you like it; it's a nice appliance for small/medium business.

Cheers,

Andy

the_rock (Legend)

I don't think this has anything to do with CP in particular; it would be the same if you had any other vendor. As @PhoneBoy said in his response, you could have a LAN port (probably the default LAN 1 port of the CP appliance) connected to the WAN port of the other appliance.

the_rock (Legend)

I agree with PhoneBoy. If you send us a basic network diagram (even a simple Windows Paint drawing would do, just blur out any sensitive info), we can help you better.

Andy
