D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: Chilleboy on April 22, 2010, 04:26:23 AM
-
I have tried to configurate the DFL-210 to replace a DIR-655 with a fawlty wan-port.
I read the threads in the forum, but can´t find with a similar problem. :-(
Get confused of which setting is the correct one for me.
This is what I want to achive:
WAN has a dynamic ip from my ISP.
The DFL-210 has IP 192.168.0.1
Want a private internal network with DHCP and NAT
I´ve got a web- and mailserver on the same machine fixed ip (with SSL and IMAP) inside of the lan.
To the same machine I want to be able to make a SSH-connection from wan on port xxx00 and port 22 inside.
Server2 with static DHCP-ip www and SSH-access from wan on port xxx02 and port 22 inside.
Any help is much appreciated.
Sorry for the bad english. :-)
Chilleboy
Sweden
-
The Quick-Start Wizard should get you through getting on-line with your dynamic WAN IP and LAN Net of your choice. Ensure when asked for a DHCP Gateway during DHCP Server config that you give the LAN_IP.
Once you get it on-line you can add IP Address Objects to represent your servers, and Ethernet Address Objects to represent their MAC addresses.
Then go to System->DHCP->DHCP Servers->(Your DHCP Server)->Static Hosts and add a static host for each of your servers using the IP address objects you just added for their IP and MAC.
You will need to create a couple of services for your custom inbound ports, use a source port of 0-65535 and a destination port of your xxx00 or xxx02 port. You can then use this service when making your port forward.
As for the rest, use the FAQ linked below to set up port forwards.
http://www.dlink.com/support/faq/?prod_id=2393
-
Thanks Fatman for your fast reply! :)
I have made the configuration of the dfl-210 and made a test. But no traffic from the lan is accepted of the DFL-210.
I post some images of my setup:
(http://www.c-pix.nu/dfl-210/DHCP-server.jpg)
(http://www.c-pix.nu/dfl-210/Addressbook.jpg)
(http://www.c-pix.nu/dfl-210/DHCP-addresses.jpg)
(http://www.c-pix.nu/dfl-210/Ethernet_interface.jpg)
(http://www.c-pix.nu/dfl-210/IPR-lan-wan.jpg)
(http://www.c-pix.nu/dfl-210/IPR-wan-lan.jpg)
(http://www.c-pix.nu/dfl-210/Mail_config.jpg)
(http://www.c-pix.nu/dfl-210/Routing-main.jpg)
Do you spot any error in the configuration?
/Chilleboy
-
Are you sating LAN hosts can't reach the intertoobs?
Give me the output of Status->Routes and the IP information from a PC that doesn't work.
-
The DFL-210 is not connected to the DSL-modem at the moment…
Tested with three computers no luck, all with fixed ip, here is one of them:
IP192.168.0.80
Netmask: 255.255.255.0
Gateway: 192.168.0.1
DNS: 192.168.0.1
(http://www.c-pix.nu/dfl-210/Routing_table_cont.jpg)
-
How are you testing them then, trying to access the port forwards? If so with what destination IP?
Your 4th IP rule in WAN_to_LAN appears to have the wrong Destination Network.
-
Ohh and you will need to change your DFL's HTTP and HTTPS management ports if you are going to be forwarding ports 80 or 443, they can be changed under System->Remote Management->Advanced Settings.
-
How are you testing them then, trying to access the port forwards? If so with what destination IP?
Your 4th IP rule in WAN_to_LAN appears to have the wrong Destination Network.
Thanks Fatman for fast replies! :)
Maybe I missunderstood you? I´ve tested to connect, from my lan, to different webservers on the internet, not my own.
-
Well I needed to see your routing table as of when it is connected, it sounded like you meant that you tested it before it was connected.
You mention DSL, are you sure you need DHCP for your WAN and that it is not providing you a non-routable address? Perhaps you need to use a PPPoE interface.
-
DFL hasn't DNS relay as default. Use external (from ISP or, for example, Google) on clients.
When you connect DFL, show Status > Routes, try to ping any IP and see Status > Connections.
-
Well I needed to see your routing table as of when it is connected, it sounded like you meant that you tested it before it was connected.
I hook it up and post a screenshot.
You mention DSL, are you sure you need DHCP for your WAN and that it is not providing you a non-routable address? Perhaps you need to use a PPPoE interface.
Well my settings for the DIR-655 on the WAN port was dynamic…so i used the same settings with the DFL-210.
-
DFL hasn't DNS relay as default. Use external (from ISP or, for example, Google) on clients.
When you connect DFL, show Status > Routes, try to ping any IP and see Status > Connections.
How do I enable DNS relay on the DFL-210?
I will test to ping when i hook up the DFL-210.
-
Well I needed to see your routing table as of when it is connected, it sounded like you meant that you tested it before it was connected.
Here it is:
(http://www.c-pix.nu/dfl-210/Routing_table_cont2.jpg)
-
DFL hasn't DNS relay as default. Use external (from ISP or, for example, Google) on clients.
When you connect DFL, show Status > Routes, try to ping any IP and see Status > Connections.
Thanks Danilovav for trying to help!
Ping from the DFL-210 works:
(http://www.c-pix.nu/dfl-210/Ping.jpg)
When trying to open a webpage from one of the computers I took a screenshot.
I watched the logs and I can see that the router drops packets, but don´t understand the reason.
(http://www.c-pix.nu/dfl-210/Log.jpg)
-
Make rules
SAT lan/lannet core/lan_ip dns-all (SAT: new destination = wan_ip)
NAT lan/lannet core/lan_ip dns-all
-
Make rules
SAT lan/lannet core/lan_ip dns-all (SAT: new destination = wan_ip)
NAT lan/lannet core/lan_ip dns-all
Thanks Danilov!
Still problem with the outgoing traffic…weird?
See the logs:
(http://www.c-pix.nu/dfl-210/Log3.jpg)
(http://www.c-pix.nu/dfl-210/Log4.jpg)
-
I hope, 0.1 is DFL's IP?
Show please one more time all your rules, all routing tables, PBR rules (if configures) and Status > Routes.
-
The SAT destination should be your WAN_DNS server, not your WAN_IP.
-
I hope, 0.1 is DFL's IP?
Show please one more time all your rules, all routing tables, PBR rules (if configures) and Status > Routes.
Yes 0.1 is the DFL's IP.
-
Here is the setup again:
(http://www.c-pix.nu/dfl-210/set2/IPR-lan-wan2.jpg)
(http://www.c-pix.nu/dfl-210/set2/IPR-wan-lan2.jpg)
(http://www.c-pix.nu/dfl-210/set2/IPR-Mail_config2.jpg)
SAT destination changed to WAN_DNS server, thanks Fatman!
(http://www.c-pix.nu/dfl-210/set2/IPR-DHCP-relay.jpg)
(http://www.c-pix.nu/dfl-210/set2/Routing-main2.jpg)
(http://www.c-pix.nu/dfl-210/set2/Routing_table_cont3.jpg)
(http://www.c-pix.nu/dfl-210/set2/Log5.jpg)
-
You have an mistake in rules
lan_to_wan
allow_standart should be NAT (not Allow)
MAIL_config
LAN_translate is useless. What you want from this rule?
-
You have an mistake in rules
lan_to_wan
allow_standart should be NAT (not Allow)
MAIL_config
LAN_translate is useless. What you want from this rule?
Great Danilov!
Now I am able to reach the Internet! ;D
But I am not able to reach my servers from inside…
Can I enable that?
-
But I am not able to reach my servers from inside…
Can I enable that?
Solved that problem:
Changed the ip-rule:
wan-to-lan - ip rule #2
Action=NAT (instead of Allow)
SourceInterface=any
SourceNetwork=all-nets
DestInterface=any
DestNetwork=server wan ip address
Service=http-all
-
But i can't access my IMAP server via Outlook or Mail.
It is no problem to connect via webmail (http and https) both from inside and outside.
Any thoughts?
-
Sorry to the mass posting in this thread!
Two more things… :)
I discovered that the IP:s of the visiting wan-computers was translated to DFL's ip: 192.168.0.1.
I hope that it can be configured like the DIR-655 to show the real IP-addresses of the visiting computers.
Tough job?
The other thing not working like my plan is the ssh. I think the error is in my bad configuration of ip-rules. :-(
I'm thankful of all the help I have recieved from Fatman and Davilovav!
-
To make port mapping (D-NAT) accessible from outside and inside, you should make rules
# external access
SAT wan/all-nets core/wan_ip yourservice (SAT: new dest = yourprivatehost)
Allow wan/all-nets core/wan_ip yourservice
# internal access
SAT lan/lannet core/wan_ip yourservice (SAT: new dest = yourprivatehost)
NAT lan/lannet core/wan_ip yourservice
2nd Allow rule is required to "show" your private host what IP accresses request from outside. But, this (private) host should has DFL as default gateway and local firewall/antivirus configured to not block incoming connections. If it's not possible, change allow to NAT.
If you have same internal host with some services to publish, make service group and use it in rules.
-
To make port mapping (D-NAT) accessible from outside and inside, you should make rules
# external access
SAT wan/all-nets core/wan_ip yourservice (SAT: new dest = yourprivatehost)
Allow wan/all-nets core/wan_ip yourservice
# internal access
SAT lan/lannet core/wan_ip yourservice (SAT: new dest = yourprivatehost)
NAT lan/lannet core/wan_ip yourservice
2nd Allow rule is required to "show" your private host what IP accresses request from outside. But, this (private) host should has DFL as default gateway and local firewall/antivirus configured to not block incoming connections. If it's not possible, change allow to NAT.
If you have same internal host with some services to publish, make service group and use it in rules.
Thanks!
I'll try this settings!
Guess I must remove the other IP-rules already configured for the HTTP if I made a servicegroup that contains HTTP + other services?
-
Yes, from wan_to_lan and mail_config
-
Great Danilovav!
Now is the IP correct for the visiting computers! :)
Still the problem persists with the rules for connecting with a mail-client (Mac Mail and Outlook PC).
-
For port mapping (publishing your servers)
As i undestood, you want to access HTTP/HTTPS/IMAP from outside by standart ports and SSH by non-standart. So...
1) Objects > Services
Make service ssh-xxx00 with destination port xxx00
Make service groups ext_mail_server with imap, pop3, smtp (all services what you need) and ssh-xxx00
Do the same for web servers (group ext_web_server)
2) Rules > IP rules
# mail server
SAT wan/all-nets core/wan_ip ssh-xxx00 (SAT: new dest = lan_mail_server, new port = 22)
SAT wan/all-nets core/wan_ip ext_mail_server (SAT: new dest = lan_mail_server)
Allow wan/all-nets core/wan_ip ext_mail_server
# web server
SAT wan/all-nets core/wan_ip ssh-xxx02 (SAT: new dest = lan_web_server, new port = 22)
SAT wan/all-nets core/wan_ip ext_web_server (SAT: new dest = lan_web_server)
Allow wan/all-nets core/wan_ip ext_web_server
If you want to have access from internal network (LAN) to wan published services, make additional rules
# mail server
SAT lan/lannet core/wan_ip ssh-xxx00 (SAT: new dest = lan_mail_server, new port = 22)
SAT lan/lannet core/wan_ip ext_mail_server (SAT: new dest = lan_mail_server)
NAT lan/lannet core/wan_ip ext_mail_server
# web server
SAT lan/lannet core/wan_ip ssh-xxx02 (SAT: new dest = lan_web_server, new port = 22)
SAT lan/lannet core/wan_ip ext_web_server (SAT: new dest = lan_web_server)
NAT lan/lannet core/wan_ip ext_web_server
-
For port mapping (publishing your servers)
As i undestood, you want to access HTTP/HTTPS/IMAP from outside by standart ports and SSH by non-standart. So...
1) Objects > Services
Make service ssh-xxx00 with destination port xxx00
Make service groups ext_mail_server with imap, pop3, smtp (all services what you need) and ssh-xxx00
Do the same for web servers (group ext_web_server)
2) Rules > IP rules
# mail server
SAT wan/all-nets core/wan_ip ssh-xxx00 (SAT: new dest = lan_mail_server, new port = 22)
SAT wan/all-nets core/wan_ip ext_mail_server (SAT: new dest = lan_mail_server)
Allow wan/all-nets core/wan_ip ext_mail_server
# web server
SAT wan/all-nets core/wan_ip ssh-xxx02 (SAT: new dest = lan_web_server, new port = 22)
SAT wan/all-nets core/wan_ip ext_web_server (SAT: new dest = lan_web_server)
Allow wan/all-nets core/wan_ip ext_web_server
If you want to have access from internal network (LAN) to wan published services, make additional rules
# mail server
SAT lan/lannet core/wan_ip ssh-xxx00 (SAT: new dest = lan_mail_server, new port = 22)
SAT lan/lannet core/wan_ip ext_mail_server (SAT: new dest = lan_mail_server)
NAT lan/lannet core/wan_ip ext_mail_server
# web server
SAT lan/lannet core/wan_ip ssh-xxx02 (SAT: new dest = lan_web_server, new port = 22)
SAT lan/lannet core/wan_ip ext_web_server (SAT: new dest = lan_web_server)
NAT lan/lannet core/wan_ip ext_web_server
You do an amazing job for me Danilovav!
I can see now why the SSH-thing did'nt work for me, I put port 22 as the destination in the service. :-[
Will try this settings as soon as I can!
However, I am a little worried that it might not do any difference for my problems to connect to the mailserver via Outlook and Mail.
But I'll try your settings first! ;D
-
Sadly I had no luck with the new conf! :'(
Still not able to connect via MAil or Outlook (SSL not SSH).
SSH-connection was not successful either.
Here is the current settings:
(http://www.c-pix.nu/dfl-210/danilov/IPR-danilov.jpg)
(http://www.c-pix.nu/dfl-210/danilov/Service_ext_mail.jpg)
(http://www.c-pix.nu/dfl-210/danilov/IMAP_SSL.jpg)
(http://www.c-pix.nu/dfl-210/danilov/SMTP_SSL.jpg)
(http://www.c-pix.nu/dfl-210/danilov/Ext_www_server.jpg)
Have I made any typos or bad conf?
-
Your source ports should be 0-65536, source ports are randomly generated.
If you want to get technical it is actually a much smaller range than that, but that covers our bases.
-
Your source ports should be 0-65536, source ports are randomly generated.
If you want to get technical it is actually a much smaller range than that, but that covers our bases.
Thanks Fatman!
I'll change the source ports to 0-65536. But the destination ports is still correct or shall I change those to?
-
The destination ports are up to you, I don't know what kind of traffic you are running.
-
Thanks Fatman and Danilovav for all your help!
The last tips regarding sourceports from Fatman was the culprit of the problem.
Again without your help I had been toast. ;D