Cyberoam FleXi Port Devices

Cyberoam just put out a press release on their new FleXi Port devices. This is the sort of device large sites really need. You can plug your fiber and high-bandwidth copper lines directly into the firewall device, instead of doing the ‘creative routing’ that the Cyberoam is so sensitive about.

It’s a good practice to hook your remote connectivity lines directly into the Cyberoam in my opinion. This ensures all your data coming into your network is scanned before it gets anywhere that could cause damage. This eliminates having to put your firewall between your router and your network, making the Cyberoam a true gateway device.

Anyway, here’s a link to Cyberoam’s page on the device.

http://www.cyberoam.com/flexiports.html

Home Routers and Why You Need One

I like to think of modern home routers as your first line of defense against the bad things out there on the internet. They are super important, and everyone with internet access should have one. Most new routers have a lot of features that surpass “route traffic to the internet and back”. Your basic Linksys router will have the following features, and a lot more right out of the box.

  • Basic Routing – Get your traffic to the internet, and the internet’s traffic to the right computer. Some of them can even do internal routing.
  • Network Address Translation – Lets you have more than one computer share an internet connection without your ISP really knowing it.
  • Wireless Networking – Connect your laptops and other wireless devices to the home network.
  • Basic Firewall – Protect your stuff from basic attacks originating from the internet.
  • VPN Passthrough – Lets you connect to your work without any reconfiguring of your firewall.
  • Quality of Service, Port Forwarding, MAC address restrictions, Diagnostic Tools, Data Usage Tools, DNS, DHCP and tons more.

Your basic $50-$80 wireless router will have at least all these features, and probably a lot more. Most people just use them to put Wi-Fi in their house if their internet provider didn’t just ship them one.

One major reason to get a router is that it will actually save you money in the long run. It’s not terribly surprising if your cable modem or DSL modem goes out a year after you buy it, and you’ll have to get a new one. If you have a combination router/modem then it’s going to be a lot more expensive. A good router that wasn’t the low-end $20 one at Wal-Mart will typically last five years without much more maintenance than occasionally unplugging it and plugging it back in. So instead of having to buy that $200 router/modem combo just because the modem part went out, you can just go get a $30-$80 modem once every year or so and be fine.

The other reason is the firewall. Most routers have basic firewalls that just work, no configuring by you is needed. If you’re hooking your PC directly to the modem, you will be depending on Windows Firewall, or whatever Apple uses. This isn’t a good idea. Windows Firewall isn’t that great, and a lot of malware just flat turns it off. Router firewalls can be a lot tougher to get around.

What Routers Are Compatible With My ISP?

Unlike modems, there’s not a lot to router compatibility. If you go to your local Best Buy, you’ll see about two dozen models of wireless router. They’ll range from $30 to $250 and have all sorts of guarantees on the front about gaming and video streaming.

The reality is, most of those claims are utter bull. At the very least they are misleading. They’ll compare their router to a competitor’s low-end router, show how much better it is, then make a bunch of claims about speeding up video streaming from the internet. The competitor’s router will have the same thing on its box. Some will even say “Compatible with Suddenlink!”. Yeah, they’re all compatible.

All routers work with TCP/IP and the only major differences are speed, chipset and features you probably don’t care about. Wireless network speed is the biggest thing to look for. You want to get a Wireless N router. It has a range of roughly a thousand feet as opposed to the 300 feet a G router provides, and you get data speeds up to 300Mbps as opposed to 54Mbps (depending on the security you choose). Even the speed is misleading because you’ll be lucky to get 64-75Mbps on your wireless if you secure it right. A lot of that depends on your network card and what your house is made of.

Now I know you probably just want me to suggest a model. I prefer Linksys E2500’s. They’re right at the $80 mark and have just about everything even an advanced user could want. Here’s a link if your ad-blocking software is hiding the ads: Cisco E2500 Router

If you are an Apple user, I suggest either the AirPort Extreme 5th Generation or the Base Station with the print server port on it. The only drawback to these for a PC network (other than price) is they don’t have as many wired ports. Otherwise there aren’t any real differences between the Apple product and the Cisco product except the base station has a print server and some iTunes features you can take advantage of on your Mac, iDevices, or PC.

Bypass Stateful Inspection Between Networks Cyberoam

If you have a Cyberoam, multiple networks, and/or a ShoreTel system, you’ll run into problems where one network might not pass traffic to another for inexplicable reasons. You can also get one way voice traffic with ShoreTel because of this.

Typically this is due to something called “Asymmetric Routing”. Any number of things can cause this, and it’s not always a problem with your network. What happens is a packet takes a different route from point A to point B than it does coming back from point B to point A. The Cyberoam will by default drop the return traffic, since it didn’t come back the same way it went out. This is a good security measure.

Sometimes you can fix your network topology, and sometimes you can’t, but the Cyberoam will still drop that traffic. A firewall rule will not always fix the problem either. If you’re sure that what is getting dropped is not a security risk, here’s how to bypass it.

If there’s one major complaint about Cyberoam ‘not working’, it’s this problem right here. Fortunately their support will fix the problem for you, but it can be a huge time waster if you have a bunch of units that need fixing.

There is one other thing they almost always do to resolve a problem with two networks talking to each other. I will go over that in another article.

Bypass Stateful Inspection

Step 1 – Log into your Cyberoam CLI. You can telnet/SSH into the Cyberoam, or click the “Console Link” at the top of your Web GUI.

Step 2 – Put your username and password in. If you logged in through the Web GUI, just the console password will do.

Step 3 – Type 4 for “Cyberoam Console” in the CLI.

Step 4 – To bypass the inspection from one network to another, type the following:

set advanced-firewall bypass-stateful-firewall-config add source_network [source network IP] source_netmask [source subnet mask] dest_network [destination network IP] dest_netmask [destination subnet mask]

Note: You don’t have to type the command out. You can just start typing each keyword and parameter name and hit tab; the Cyberoam will fill it in for you.

Example: If you want to bypass traffic inspection from 192.168.1.0 to 192.168.2.0, you’d type this: “set advanced-firewall bypass-stateful-firewall-config add source_network 192.168.1.0 source_netmask 255.255.255.0 dest_network 192.168.2.0 dest_netmask 255.255.255.0”

Step 5 – If you need to bypass traffic inspection both ways, type the above command again, only reverse the source and destination networks.

Caution: It is extremely easy to mistype IP addresses. I’ve transposed digits dozens of times, making the problem worse in some cases. You can check your work by typing “show advanced-firewall” in the console. If you need to remove an entry, use “del” instead of “add” after the “bypass-stateful-firewall-config” part of the command. You can usually use the up arrow on most telnet clients to cycle back through commands and replace just that word in the line.
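Because the mistyped-address problem in the caution above is so common, here is a small helper that builds the Step 4 and Step 5 commands (and their “del” counterparts) from CIDR notation and refuses inputs with host bits set or overlapping networks. This is an added example, not from the original post or from Cyberoam; the command syntax is the one shown in the post, and the sample networks are constructed.

```python
"""Generate and sanity-check Cyberoam bypass-stateful-firewall commands.

Added example (not part of the original post or Cyberoam's tooling): the
operator types CIDR networks once, the script prints the exact console
lines for both directions plus the matching rollback ('del') lines.
"""
import ipaddress

CMD = "set advanced-firewall bypass-stateful-firewall-config {action}"


def bypass_command(src, dst, action="add"):
    """Return one console line for traffic src -> dst (CIDR strings)."""
    if action not in ("add", "del"):
        raise ValueError("action must be 'add' or 'del'")
    # strict=True rejects a host address such as 192.168.1.5/24, the
    # typical slip when the network address is typed by hand.
    s = ipaddress.ip_network(src, strict=True)
    d = ipaddress.ip_network(dst, strict=True)
    if s.overlaps(d):
        raise ValueError(f"{s} and {d} overlap; bypass would be meaningless")
    return (f"{CMD.format(action=action)} "
            f"source_network {s.network_address} source_netmask {s.netmask} "
            f"dest_network {d.network_address} dest_netmask {d.netmask}")


def bypass_both_ways(net_a, net_b, action="add"):
    """Step 4 and Step 5 of the post: the same rule in each direction."""
    return [bypass_command(net_a, net_b, action),
            bypass_command(net_b, net_a, action)]


if __name__ == "__main__":
    # Constructed sample: the two networks used in the post's example.
    for line in bypass_both_ways("192.168.1.0/24", "192.168.2.0/24"):
        print(line)
    print("# rollback lines, if the entries need removing:")
    for line in bypass_both_ways("192.168.1.0/24", "192.168.2.0/24", "del"):
        print(line)
    try:
        bypass_command("192.168.1.5/24", "192.168.2.0/24")
    except ValueError as err:
        print("rejected:", err)
```

Paste the printed lines into the “Cyberoam Console” and confirm with “show advanced-firewall” as the post suggests.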


Create Facebook Schedule With Cyberoam

I’ve noticed a lot of people asking about how to schedule when a user can or can’t use Facebook. This is pretty easy to do in Cyberoam; you can either do it globally or on a per-user basis. I’ll show you how to do this on a global basis. If you want to do this per user, you just need to make individual policies for your users. The steps below can apply to any website, not just Facebook.

Step 1 – Log into your Cyberoam, go to the web filter section and select categories. Add one called “ScheduledSafeSites”. This will be for anything you want to allow during a certain time; if you want to block sites instead, name the category “ScheduledBlockedSites”. Personally I think only one for safe sites is necessary, but I can see blocking, say, Hulu.com during the day and letting the night guy watch it. I went ahead and added “disney.com” to mine as an example. You can add facebook.com, or whatever you want here, just like you would add sites to any other category.

Step 2 – Check the policy you want this added to and change both settings to “allow”. These are just the HTTP and HTTPS allow/deny settings.

Step 3 – Go into the Policy setting under Web Filter and open up the policy you added the category to. Click the little wrench icon next to the new category.

Step 4 – You can then select the right schedule. This particular example uses work hours, which by default is 10am to 7pm. You can go into the objects menu on the Cyberoam and edit or create any sort of schedule you want.

Step 5 – Hit OK and save your changes; your users will now only be able to get to the site when you want.

Notes: For this to work properly you need to make sure your Cyberoam’s time is correct. I’ve had a couple of instances where the time was off due to someone picking the wrong time zone during the first setup. If you are getting people who can get to the blocked site earlier than they should, go to the system menu and click on configuration. Most of the time it’s the time zone that is wrong; just find the right one.

Sometimes during the initial setup the Cyberoam appliance will figure out what time zone it’s in based on the internet IP address, but if you have a weird ISP it might find the wrong one. So it isn’t entirely human error that causes this, and it’s really easy to miss.