How to Establish Firewall Bridge Modem Connection over VLAN?

In the organization where I work, a request came in recently. One of our units bought an ADSL modem and a TTnet subscription, but since the unit is not part of the institution's local network it cannot use the institution's servers.
The unit wants to be part of the corporate network while reaching the internet over its own ADSL line. So this sub-network needs to reach the internet securely and still use the corporate network.
Vlan Bridge Mode Topology
Bridging the unit directly onto the corporate network may come to mind, but that is not preferred because it opens a security gap: it would give the unit an exit to the internet that bypasses the firewall entirely.
After trying a few topologies on paper, I decided to use the "VLAN Bridge Mode topology", that is, to connect the ADSL modem to the firewall through the switch over a VLAN tunnel. A little more detail is useful here: the unit in question is 3.2 km from the data center.
There is a single-mode fiber optic cable between us. For this reason I started by placing a single HP 2624 smart switch at that location. I will carry the VLANs as a trunk over the single-mode fiber cable in between.
Thus the devices (modem and firewall) will communicate over the trunked fiber line through the managed switch, and we will configure everything according to this topology. See the topology image for the layout.
To set up this topology, one smart switch and one ADSL modem with VLAN support are required in addition to the existing network. Airties 5440, 5452 and 5650 modems have VLAN support. If you have another modem, check its user manual for VLAN support.

Let's start with the main switch configuration.
MAIN SWITCH Configuration:
Connect to the main switch with SSH, enter config mode and define two VLANs. Note that the commands are written for HP E-series switches; adapt them for other switches.
main# config
main(config)# vlan 1035
main(vlan-1035)# name modem_blok
main(vlan-1035)# tagged a1,b1
main(vlan-1035)# vlan 1036
main(vlan-1036)# name ip_blok
main(vlan-1036)# tagged a1,b2
main(vlan-1036)# write memory
main(vlan-1036)# exit
main(config)#
On the main switch we have defined both the VLAN for the modem and the VLAN for the user group that will access the internet through this modem. Users will communicate over VLAN 1036; the modem and the switches will communicate over VLAN 1035.
EDGE SWITCH Configuration:
The edge switch has 2 gigabit ports. We will use port 25 for the uplink and connect port 26 to port 4 of the modem. Ports 1-24 will be given to the user group. Therefore:
port 25 -> tagged member of VLAN 1035 and VLAN 1036 (trunk)
port 26 -> tagged member of VLAN 1035 (modem)
ports 1-24 -> untagged members of VLAN 1036 (users)
kenar# config
kenar(config)# vlan 1035
kenar(vlan-1035)# name modem_blok
kenar(vlan-1035)# tagged 25,26
kenar(vlan-1035)# vlan 1036
kenar(vlan-1036)# name ip_blok
kenar(vlan-1036)# tagged 25
kenar(vlan-1036)# untagged 1-24
kenar(vlan-1036)# exit
kenar(config)# write memory
kenar(config)#
Thus we have also completed the VLAN configuration on the edge switch. We did not assign an IP address to the VLANs on either the main or the edge switch, because routing will be done on the firewall, not at Layer 3 on the switches. Let's move on to the modem settings.
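The security of this design rests on the two switch configurations above agreeing with each other: the trunk must carry both VLANs tagged on both ends, user ports must sit untagged in VLAN 1036 only, and no port may let a user onto the modem VLAN, because a user on VLAN 1035 would reach the ADSL line without passing the firewall. The following Python checker is an added example, not part of the original article; it understands only the handful of HP commands used on this page (vlan, name, tagged, untagged), and the port roles it is given (a1 and 25 as trunk, 26 as modem port, 1-24 as user ports) are taken from the text.

```python
"""Consistency check for the two HP-style VLAN configurations above.

Added example. Parses the simplified subset of HP ProCurve commands used on
the page and verifies the properties the VLAN Bridge Mode topology relies on.
"""
import re

# Transcripts constructed from the article's two CLI sessions (prompts stripped).
MAIN_SWITCH = """
vlan 1035
name modem_blok
tagged a1,b1
vlan 1036
name ip_blok
tagged a1,b2
"""

EDGE_SWITCH = """
vlan 1035
name modem_blok
tagged 25,26
vlan 1036
name ip_blok
tagged 25
untagged 1-24
"""


def expand_ports(spec):
    """'1-24' -> ['1', ..., '24']; 'a1,b1' -> ['a1', 'b1']."""
    ports = []
    for item in spec.split(","):
        item = item.strip()
        m = re.fullmatch(r"(\d+)-(\d+)", item)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            ports.extend(str(p) for p in range(lo, hi + 1))
        elif item:
            ports.append(item)
    return ports


def parse_vlans(transcript):
    """Return {vlan_id: {"name": str, "tagged": set, "untagged": set}}."""
    vlans = {}
    current = None
    for line in transcript.strip().splitlines():
        parts = line.split(None, 1)
        if not parts:
            continue
        cmd = parts[0]
        arg = parts[1] if len(parts) > 1 else ""
        if cmd == "vlan":
            current = int(arg)
            vlans.setdefault(current, {"name": "", "tagged": set(), "untagged": set()})
        elif cmd == "name":
            vlans[current]["name"] = arg
        elif cmd in ("tagged", "untagged"):
            vlans[current][cmd].update(expand_ports(arg))
    return vlans


def check_topology(main, edge, trunk_main, trunk_edge, modem_port, user_ports,
                   modem_vlan, user_vlan):
    """Return a list of findings; an empty list means the config matches the design."""
    findings = []
    # 1. Same VLAN ids and names on both ends of the trunk.
    if set(main) != set(edge):
        findings.append(f"VLAN id sets differ: main={sorted(main)} edge={sorted(edge)}")
    for vid in set(main) & set(edge):
        if main[vid]["name"] != edge[vid]["name"]:
            findings.append(f"VLAN {vid} name mismatch between switches")
    # 2. The trunk port must be a tagged member of both VLANs on both switches.
    for vid in (modem_vlan, user_vlan):
        if trunk_main not in main.get(vid, {}).get("tagged", set()):
            findings.append(f"main: trunk {trunk_main} not tagged in VLAN {vid}")
        if trunk_edge not in edge.get(vid, {}).get("tagged", set()):
            findings.append(f"edge: trunk {trunk_edge} not tagged in VLAN {vid}")
    # 3. The modem port carries only the modem VLAN, tagged.
    if modem_port not in edge[modem_vlan]["tagged"]:
        findings.append(f"edge: modem port {modem_port} not tagged in VLAN {modem_vlan}")
    if modem_port in edge[user_vlan]["tagged"] | edge[user_vlan]["untagged"]:
        findings.append(f"edge: modem port {modem_port} is a member of user VLAN {user_vlan}")
    # 4. User ports: untagged in the user VLAN and never members of the modem VLAN
    #    (a user port on the modem VLAN would reach the ISP without the firewall).
    for p in user_ports:
        if p not in edge[user_vlan]["untagged"]:
            findings.append(f"edge: user port {p} not untagged in VLAN {user_vlan}")
        if p in edge[modem_vlan]["tagged"] | edge[modem_vlan]["untagged"]:
            findings.append(f"edge: user port {p} leaks onto modem VLAN {modem_vlan}")
    return findings


def check_article_config(edge_transcript=EDGE_SWITCH):
    """Run the checker against the article's main switch and the given edge config."""
    return check_topology(parse_vlans(MAIN_SWITCH), parse_vlans(edge_transcript),
                          trunk_main="a1", trunk_edge="25", modem_port="26",
                          user_ports=[str(p) for p in range(1, 25)],
                          modem_vlan=1035, user_vlan=1036)


if __name__ == "__main__":
    for finding in check_article_config() or ["OK: configuration matches the topology"]:
        print(finding)
```

Run as written it reports no findings for the two sessions above; feed it a modified edge transcript (for example one that also puts ports 1-24 into VLAN 1035) and it names every user port that would gain a path around the firewall.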
Modem Settings:
First the modem is put into Bridge mode so that the connection parameters can be set on the firewall. I configured an Airties VDSL 5650; adapt the steps for another modem with VLAN support.
Let's create VLAN 1035, which we defined on the switches, on the modem and assign its interface. Since the modem assigns all interfaces (ports) to VLAN 1, the default VLAN, first remove port 4 from VLAN 1 membership. Note that the interface corresponding to port 4 is Ethernet 3, as you can see in the picture below.
After the modem restarts, press the Create New VLAN button in LAN > VLAN Configuration again and, on the page that opens, enter:
Modem VLAN Settings
VLAN Name: modem_blok
VLAN Id: 1035. The id must be the same as the VLAN id we defined on the switch. Then move the interface labelled Ethernet-3 or Port 4 from the left column to the right side, that is, into the new VLAN, and save.
Let's tag VLAN 1035 so that the switch sees the modem's frames with the VLAN tag. In LAN > Port Settings, change the setting at the end of the Port 4 line to Tag. Port 4 is now tagged.
For the modem running in VLAN bridge mode to communicate over the VLAN 1035 we defined, select the VLAN name we defined in the Internet > Internet Settings menu, in the "Add this interface to this bridge" section.
Finally, give VLAN 1035 a management IP so that the modem's interface can be reached. In LAN > IP and DHCP Settings, assign an IP to the new VLAN with DHCP off, for example 10.0.35.3 / 255.255.255.0.
The modem and switch configuration is complete; now we will make the firewall settings.
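Why the Tag setting on Port 4 matters is easiest to see at the frame level. The following Python model is an added example, not part of the original article: it builds Ethernet frames with and without an 802.1Q tag and classifies them the way a switch port does at ingress (tagged frame accepted only if the port is a tagged member of that VLAN, untagged frame placed into the port's untagged VLAN). The VLAN numbers, port numbers and memberships come from the edge switch configuration above; the MAC addresses and payload bytes are constructed, and the assumption that port 26, never removed from the switch default VLAN 1, still treats untagged frames as VLAN 1 is mine.

```python
"""802.1Q tagging model for the modem port of the edge switch.

Added example showing how the edge switch classifies frames arriving from
the modem on port 26, and why untagged frames from the modem never reach
the firewall's VLAN 1035 sub-interface.
"""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame, inserting an 802.1Q tag when vid is given."""
    frame = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)  # PCP(3) DEI(1)=0 VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    frame += struct.pack("!H", ethertype) + payload
    return frame


def parse_frame(frame):
    """Return (vid_or_None, ethertype, payload) for a possibly tagged frame."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        (ethertype,) = struct.unpack("!H", frame[16:18])
        return tci & 0x0FFF, ethertype, frame[18:]
    return None, ethertype, frame[14:]


# Edge switch port table derived from the article's config. "untagged" is the
# VLAN a port assigns to untagged frames. Port 26 was only made a tagged member
# of 1035, so (assumption) it is still untagged in the switch default VLAN 1.
EDGE_PORTS = {
    "25": {"tagged": {1035, 1036}, "untagged": 1},
    "26": {"tagged": {1035}, "untagged": 1},
    "1": {"tagged": set(), "untagged": 1036},
}


def classify_ingress(port_name, frame, ports=EDGE_PORTS):
    """Return the VLAN the frame is switched into, or None if it is dropped."""
    port = ports[port_name]
    vid, _, _ = parse_frame(frame)
    if vid is None:
        return port["untagged"]  # untagged frame -> port's untagged VLAN
    if vid in port["tagged"]:
        return vid  # tagged with a VLAN the port is a member of -> accepted
    return None  # tagged with a foreign VLAN -> dropped


def modem_port_scenarios():
    """Three frames arriving from the modem on edge switch port 26."""
    modem_mac = bytes.fromhex("001122334455")  # constructed
    fw_mac = bytes.fromhex("66778899aabb")  # constructed
    pppoe_discovery = 0x8863
    payload = b"\x11\x09\x00\x00\x00\x00"  # constructed PPPoE-discovery-shaped bytes
    tagged_ok = build_frame(fw_mac, modem_mac, pppoe_discovery, payload, vid=1035)
    untagged = build_frame(fw_mac, modem_mac, pppoe_discovery, payload)
    wrong_vlan = build_frame(fw_mac, modem_mac, pppoe_discovery, payload, vid=1036)
    return {
        "port4_set_to_tag": classify_ingress("26", tagged_ok),
        "port4_left_untagged": classify_ingress("26", untagged),
        "tagged_with_user_vlan": classify_ingress("26", wrong_vlan),
    }


if __name__ == "__main__":
    for name, vlan in modem_port_scenarios().items():
        print(f"{name}: {'dropped' if vlan is None else f'VLAN {vlan}'}")
```

With Port 4 set to Tag the modem's frames land in VLAN 1035 and are trunked to the firewall's PPPoE sub-interface. Left untagged they fall into VLAN 1, where nothing is listening, and a frame tagged with the user VLAN is discarded at the modem port, which is exactly the isolation the topology depends on.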
FIREWALL Configuration:
We will do routing and firewalling on a Fortigate 224B. I will explain it so that it can be adapted to other firewall models.
Incoming Interface = Port15
Outgoing Interface = Port16
System > Interface
For the incoming interface, set IP / Mask = 0.0.0.0/0.0.0.0 and enable Ping.
Then define a VLAN 1036 member interface on Port 15. Set it as in the picture.
For the outgoing port, set IP / Mask = 10.0.35.1/24 and enable Ping.
Define a VLAN 1035 member interface on Port 16 to enter the modem connection parameters. Check the PPPoE option to enter the connection parameters. Set it as in the picture.
The VLAN-based settings on the firewall are complete. Now the routing and web filter settings remain.
Routing:
Define a simple dynamic route by specifying the incoming and outgoing ports as shown in the picture.
Web Policy:
Again, define it as shown in the picture below. The restrictions are entirely up to you.