
I have two LANs in the same building with different ISPs and both behind different hardware firewalls connected to a switch like in the first picture below. Before, both LANs were connected through one firewall on different ports and the firewall managed the connection between the two like in the second picture. Earlier the setup in the firewall was that I could access LAN2 from LAN1 to give support to the PCs in LAN2; LAN2 doesn't need access to LAN1. Later the second firewall was added and now I need the same functionality as before. I have seen something about static routing but my networking knowledge is limited and I am not sure how to implement it or if this setup is right. I have created a static route on firewall1 with the IP of firewall2 and also in firewall2 for firewall1. Also I am not sure what to set for the "Distance" and "Metrics" options on the static route in the firewalls.

FW1 IP: 100.100.1.254 // Fortinet FG-60F
FW2 IP: 100.200.1.254 // Sophos XG210

FW1 Route:
IP: 100.200.1.254;
Gateway: Interface IP;
Interface: FW Interface;

FW2 Route:
IP: 100.100.1.254;
Gateway: Interface IP;
Interface: FW Interface;

[pic 1]

[pic 2]

  • Please edit your question to include the hardware models of your switches and firewalls.
    – Ron Trunk
    Commented Apr 26 at 11:50
  • @RonTrunk I have updated the firewalls and the switch is "Dell" but I don't know the model exactly; at the moment I don't have access to it.
    Commented Apr 26 at 12:19

2 Answers


Using a single switch joins both LANs into a single segment/broadcast domain. That makes it hard to control traffic between them and to separate their WAN traffic.

Accordingly, you'll need to use two separate switches or a managed switch with separate VLANs.

Using two routers, you connect everything together like with separated networks but put an additional connection between the routers (either a dedicated link or a tagged VLAN on the existing link). Set up a static route on each side for the remote LAN and configure the firewall rules to allow traffic as required. Alternatively, you could also connect one of the routers into the second LAN and control everything there.

You could also connect a single router to both LANs and use policy-based routing to separate their traffic to two WAN gateways.

The distance and metric values for the static routes are only important if you had a routing tie: multiple routes with the same prefix length to a specific destination. I don't see that here.

  • In fact there are 3 more switches in LAN2 and one more switch in LAN1 and all are managed with a total of 10 VLANs I think, but on this switch both LANs are connected. That is why I thought it would be the same and the question simpler. Also each of the LANs has its own domain controller. Also the WAN gateways are managed in the respective firewalls; I assume, as suggested, a static route would be ok. Also when I set up a firewall rule, I set up a rule for the VLAN from which I access the other network, right? i.e. I am in VLAN1 behind FW1 and on FW2 I set up a rule for VLAN1.
    Commented Apr 26 at 15:58
  • You set up rules for traffic you want to permit. By default, traffic without express permission is denied.
    – Zac67
    Commented Apr 26 at 16:34
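As an added illustration of the routing point in this answer (not code from the question, the answers, or either firewall vendor), here is a small Python model of the longest-prefix lookup a firewall performs. It assumes LAN2 is 100.200.1.0/24 (the question gives only the firewall addresses) and uses constructed interface names; it shows why the route must cover the remote LAN prefix rather than just the peer firewall's address, and that distance and metric only decide a tie.

```python
from ipaddress import ip_address, ip_network

def route(prefix, via, distance=10, metric=0):
    """One static route. 'via' is a constructed interface name."""
    return {"prefix": ip_network(prefix), "via": via,
            "distance": distance, "metric": metric}

def lookup(table, dst):
    """Longest-prefix match. Only when two routes have the same prefix
    length does the lookup fall through to administrative distance and
    then metric, which is the tie case the answer describes."""
    dst = ip_address(dst)
    matches = [r for r in table if dst in r["prefix"]]
    if not matches:
        return None
    best = min(matches, key=lambda r: (-r["prefix"].prefixlen,
                                       r["distance"], r["metric"]))
    return best["via"]

# FW1 as listed in the question: a default route to its own ISP and a
# route whose destination is only FW2's address (a /32 host route).
FW1_AS_POSTED = [
    route("0.0.0.0/0", "wan1"),
    route("100.200.1.254/32", "transit"),
]

# FW1 as the answer describes: a static route covering the whole remote LAN
# (LAN2 assumed to be 100.200.1.0/24).
FW1_FIXED = [
    route("0.0.0.0/0", "wan1"),
    route("100.200.1.0/24", "transit"),
]

# A real tie: the same /24 reachable over a second, less preferred path.
FW1_TIE = FW1_FIXED + [route("100.200.1.0/24", "backup_vpn", distance=20)]

def fw1_next_hop(table, dst="100.200.1.10"):
    """Where FW1 sends a packet for a constructed LAN2 host (100.200.1.10)."""
    return lookup(table, dst)

if __name__ == "__main__":
    print(fw1_next_hop(FW1_AS_POSTED))  # wan1: support traffic leaks to ISP1
    print(fw1_next_hop(FW1_FIXED))      # transit
    print(fw1_next_hop(FW1_TIE))        # transit (distance 10 beats 20)
```

With the host route only, traffic for LAN2 hosts falls through to the default route and leaves via ISP1; a firewall policy on the transit interface never sees it.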

The normal way to do this with 2 separate networks, firewalls and internet services is to simply create a VPN between the 2 firewalls with the access policy that provides the access you need. Both firewalls you mention should have support for IPsec VPN capability. The minimal design would be for the network you need to access to provide a 'dial-up' style VPN so you can simply connect using a software VPN client that will allow access to the protected network inside the firewall.
