Installing a firewall behind the Hitron box
06-07-2022, 16:03   #1
MicheleZ

Hi All,

Apologies for the long-winded introduction...

I have a VMB account with one static IP address. I would like the Hitron to act as a modem and use an IPFire [1] as router.
Currently I have this setup with my DSL connection (Openreach modem). I discovered that I cannot change the Hitron mode to modem and was told that this is because I need to upgrade to multi-IP in order to do so.
However, looking at this thread [2] I noticed that the recommendation is not to activate the modem mode.

So I wonder if I really need to upgrade to multi-IP or if instead it is possible to configure my network so that the Hitron just acts as a modem and have the routing/firewall/DHCP/PortForwarding/VPN/... performed by my Raspberry Pi running IPFire.

Note (in case it is useful): the IPFire installation allows you to select "static" as the IP address setting for the interface to the internet (see image below) and requires you to specify:
  • IP address: is this my static IP address?
  • Network Mask: is this /32 since I only have 1 IP address?
  • Gateway: should I ask VMB?



Thanks in advance!

[1] https://www.ipfire.org/
[2] https://www.cableforum.uk/board/show...3707787&page=2

07-07-2022, 13:14   #2
tweetiepooh

I have SH5 in router mode and a second router behind that with no issues. I can connect to the SH5 or to the router. I guess I don't do things that fail with 2 routers/firewalls. I may also think about putting the IoT type devices on the hub network, again isolating from the internal network.

What I may do is turn off the guest on the router so it's only on the SH5, so guests will be unable to get to my private stuff inside the router.
__________________
I work for VMO2 but reply here in my own right. Any help or advice is made on a best-effort basis. No comments construe any obligation on VMO2 or its employees.

08-07-2022, 06:20   #3
ash45

I'm sure someone will correct me if I'm wrong, as it's been a good 2 years since I had a VMB account and it could have changed (I used to have residential + VMB and load balance them, but once Gig1 became available I just kept residential).

The way static IPs work on VMB is with a GRE tunnel, and when you only have 1 static the Hitron needs to be kept in router mode, as the single IP is assigned to the Hitron and then the Hitron shares this as any normal router would, as with non-static.
But to go into modem mode you need the multiple static option, as one of these IPs is always assigned to the Hitron when in modem mode; then the others you can do as you like. So if you go for the 5 IP option, 1 gets assigned to the Hitron and then the other 4 you can assign with a 3rd party firewall / router.

09-07-2022, 23:30   #4
ccarmock

That is correct: the static IP addressing used by VM Business uses a GRE tunnel and means the Hitron cannot be in modem mode.

If you need the public IP address on one of your devices as opposed to only the Hitron, then you need the multi-static IP address option. The first IP address of the fixed range is on the Hitron; you can put the second on your router. In this mode the Hitron does not perform any form of NAT.

This is exactly what I do. Works with the older servers as well as the newly launched VMB services. I have this config with the Hitron Chita with the Business Gig1 option.

10-07-2022, 13:53   #5
Qtx

What are you actually trying to achieve? Do you run any servers on your network that need a direct connection from the internet to them, such as a webserver on your network?

IPfire can sit behind a router usually. A common setup is to disable DHCP on the router and enable it on the IPfire box (which has a static IP on a different subnet). Your IPfire red port gateway points to the ISP router.

From memory... an example setup would be:

IPfire red port
IP 172.31.213.2 (same subnet as the gateway below, ie .213.)
Gateway 172.31.213.1 (or whatever your ISP router is)

IPfire green port
IP 172.31.215.1
Gateway 172.31.213.2

Set up your DHCP on IPfire to give out whatever range of 172.31.215.* IPs you want and obviously set up DNS if you are using IPfire for that too and include that in the DHCP setup. You can assign static LAN IPs too for servers.

From that point you can filter and log all outgoing traffic and use whatever IPfire features you want.

It has been a long time since I had cable and never had a VM business connection so hopefully someone can confirm or correct this in case there is something of the VMB setup that stops this working.

Usually you can forward ports in from a router to the firewall and beyond, but again, I'm not sure if something with VMB stops this.
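
A sanity check for the kind of address plan described in post #5, added here as an example and not part of any poster's message: it confirms the red gateway is on the red subnet, that red and green do not overlap, and that the DHCP pool sits inside green without handing out the firewall's own address. The /24 masks, the DHCP range and the `check_plan` helper are assumptions made for illustration.

```python
import ipaddress


def check_plan(red_ip, red_gw, green_ip, dhcp_start, dhcp_end,
               red_prefix=24, green_prefix=24):
    """Return a list of problems in a firewall-behind-router address plan.

    Hypothetical helper; the prefix lengths default to /24 as an assumption.
    """
    red = ipaddress.ip_interface(f"{red_ip}/{red_prefix}")
    green = ipaddress.ip_interface(f"{green_ip}/{green_prefix}")
    gw = ipaddress.ip_address(red_gw)
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)

    problems = []
    # The upstream router must be directly reachable from the red interface.
    if gw not in red.network:
        problems.append("red gateway is not on the red subnet")
    if gw == red.ip:
        problems.append("red IP and gateway are the same address")
    # Overlapping subnets make the firewall unable to route between them.
    if red.network.overlaps(green.network):
        problems.append("red and green subnets overlap")
    # The DHCP pool must live inside green and skip the firewall itself.
    if start not in green.network or end not in green.network:
        problems.append("DHCP range is outside the green subnet")
    elif start > end:
        problems.append("DHCP range start is after its end")
    elif start <= green.ip <= end:
        problems.append("DHCP range includes the firewall's green IP")
    return problems


# Addresses from post #5; the DHCP range is a constructed sample value.
PLAN = dict(red_ip="172.31.213.2", red_gw="172.31.213.1",
            green_ip="172.31.215.1",
            dhcp_start="172.31.215.100", dhcp_end="172.31.215.200")

if __name__ == "__main__":
    issues = check_plan(**PLAN)
    print("plan OK" if not issues else "\n".join(issues))
```
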