Configuring a Fabric Firewall

This is a step by step guide explaining how to configure your Fabric Juniper Firewall.

Adding your Firewall to a VLAN

  1. Login to your Simply Hosting Control Panel
  2. Click on the VLAN menu item

  1. You will see one or more VLAN’s on the screen

  1. Click the Add Server button
  2. In the succeeding popup, select the ID of your Firewall from the dropdown and click the Add button

  1. You should see a success notification like below.

Note: At extremely busy periods, it may take upto 3 hours for the Firewall to be added to the VLAN, but in most cases it should only take several minutes.

  1. The process has completed when the server id changes from orange to black colour (You may need to refresh your page a few times)


Configuring your Firewall

There are two common ways of configuring the firewall. One is for the servers behind the firewall to use public facing IPs routed by the firewall and the other is to use NAT on the firewall and use RFC 1818 addresses on the servers.

Configuring the Firewall Using Public IPs

This is perhaps the simplest configuration for the firewall and involves setting up an IP on the firewall to act as a router for the servers behind it. The downside is that it also requires several public IPs for it to work.

You will need a block of at least 4 IPs for this configuration to work and a block of 8 ips if you need more than a single host behind the firewall.  To get the public IPs you will need to raise a ticket to technical support who can assist you.

For the following examples we will be using the ip range 192.0.0.0/30 but please make sure that you use the public IPs that you have been allocated.

  1. SSH into the firewall using the details provided and go into the configuration mode:
root@% cli
root> configure
root#
  1. For this setup, all you will need to configure is the first usable IP onto the VLAN interface. (note: please remember to use the VLAN tag that you have been provided. A different tag other than that allocated to you will not work, in the following example replace <vlantag> with the vlan tag number).
root# set interfaces irb unit <vlantag> family inet address 192.0.0.1/30
root# commit and-quit
  1. The firewall configuration is now completed. Exit the unit. For the server to start routing the traffic though the firewall you will need to configure a vlan interface onto the server. Please refer to the documentation for configuring VLANs. The difference will be that instead of an RFC1818 address you should use the next usable public IP from your range. You will also need to adjust the default route of the server to use the IP that you setup on the firewall (192.0.0.1 in this example). You may need to restart the network stack or reboot the server for those changes to

Configuring the Firewall using NAT

Configuring the servers using NAT will require less resources in terms of public IPs but will require a little more setup on the firewall. For the following example we will use the RFC1818 range 10.10.10.0/24

  1. SSH to the firewall and go into configuration mode:
root@% cli
root> configure
root#
  1. Add an IP onto the vlan interface to act as the gateway for the servers.
root# set interfaces irb unit <vlantag> family inet address 10.10.10.1/24
  1. Configure the firewall to enable NAT
root# set security nat source rule-set default from zone trust
root# set security nat source rule-set default to zone untrust
root# set security nat source rule-set default rule match-all match source-address 0.0.0.0/0
root# set security nat source rule-set default rule match-all match destination-address 0.0.0.0/0
root# set security nat source rule-set default rule match-all then source-nat interface
  1. For the server to start routing the traffic though the firewall you will need to configure a vlan interface onto the server. Please refer to the documentation for configuring VLANs. You will also need to configure the default gateway on the server to use the address that you gave to the firewall 10.10.10.1 in this example. You may need to restart the network stack or reboot the server for these changes to take effect.
  1. It is common to require port forwarding rules for a NAT configuration. The following is an example for mapping port 222 to port 22 of the server with the address 10.10.10.2
root# set security nat static rule-set set1 from zone untrust
root# set security nat static rule-set set1 rule server1 match destination-address <firewall_ip>/32
root# set security nat static rule-set set1 rule server1 match destination-port 222
root# set security nat static rule-set set1 rule server1 then static-nat prefix 10.10.10.2
root# set security nat static rule-set set1 rule server1

Info: If you encounter any problems setting up your firewall then please raise a Support Ticket with our 24/7/365 technical support team

Get in touch

If you need advice on your Fabric Firewall requirements, we’re here to help.

Call us on 0333 247 0222: Monday – Friday, 9am – 5.30pm.

Chat with us on LiveChat: Monday – Friday, 9am – 5.30pm.

Write to us: Send us a support ticket from your Simply portal and we’ll get back to you as soon as we can.

If you don’t have an account with Simply Hosting yet, you can also send our Sales team an enquiry and we’ll get back to you between 9am and 5.30pm, Monday to Friday.


Was this article helpful?

Related guides

Enabling Fail2Ban

  • 0
  • 355
Once you have installed Fail2Ban, it needs to be enabled to start protecting specific services (daemons) of your server, so...