D-Link Forums

The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: LR_Brian on February 19, 2009, 12:52:48 PM

Title: DFL-800 Configuration
Post by: LR_Brian on February 19, 2009, 12:52:48 PM
Hello,

I have a brainbuster that I have been working on for some time and cannot figure out.

I will do my best to explain and if more information is needed, please let me know.

I have a relatively small network made up of 10 servers, and around 200 workstations.   The IP addressing scheme used is 172.16.1.X.  I have the DLINK DFL-800 set up with the IP address 172.16.1.1.

The problem lies with 2 webservers I am using.  They are both running W2K3 and IIS6.0.  They are hosting a 3rd party web application using Virtual Directories under the Default Web Site.  Please note that all servers have 2 NIC cards, however one is disabled and the other is assigned the Private IP address.

The first webserver is located at private IP 172.16.1.5 and the second webserver is located at 172.16.1.11.  Both webservers are published via ARP entries at 216.253.206.205 and 216.253.206.200 respectively.

Address Entries look like this:
Private_IPs
WEBSERVER1_PRIVATE 172.16.1.5
WEBSERVER2_PRIVATE 172.16.1.11

Public_IPs
WEBSERVER1_PUBLIC 216.253.206.205
WEBSERVER2_PUBLIC 216.253.206.200

Services look like this:
Services_WEBSERVER1   Group   http-in-all, PCAnywhere, VNC
Services_WEBSERVER2   Group   http-in-all, PCAnywhere, VNC

Rules are set like follows:
WEBSERVER1 - SAT   Port_Forwards   all-nets   wan1   WEBSERVER1_PUBLIC   Services_Webserver1
WEBSERVER1 - Allow  Port_Forwards   all-nets   wan1   WEBSERVER1_PUBLIC   Services_Webserver1

WEBSERVER2 - SAT   Port_Forwards   all-nets   wan1   WEBSERVER1_PUBLIC   Services_Webserver2
WEBSERVER2 - SAT   Port_Forwards   all-nets   wan1   WEBSERVER1_PUBLIC   Services_Webserver2

*NOTE* The SAT rule is written to translate the Destination IP Address To: New IP Address: WEBSERVERX_PRIVATE

Now here's the kicker... I can get to my website, but there are places and javascript calls that open a new window to request the Private IP address of the webservers.  This request will obviously time out since we can't resolve the private IP address 172.16.1.5 on the internet; however all addresses are reachable by substituting the public IP address of the server.  Internally everything works like a charm!  Unfortunately my software vendor is somewhat primitive and acknowledges this issue, but doesn't know how to solve it yet.  I'm also unable to reach the public IP addresses of my servers from within the LAN.

I am looking for a way to reach these particular pages externally without the need to give a client a VPN account.  I've heard that I can do so through IP Loopbacking, but this is not a supported feature on the DFL 800.  I am completely open to using the DMZ port in the front of the DFL 800 or any other solutions you may have that can help fix this issue.

Thanks in advance for your assistance!
Title: Re: DFL-800 Configuration
Post by: Fatman on February 20, 2009, 01:21:33 PM
OK, I am going to show my hand here a little more than I normally would.

I have spoken to you before over the phone, in fact you have spoken to quite a few people in D-Link.  Please don't start reading off our names, just understand that I have the facts you published here as well as some choice others.

The solution to your problem is to use relative paths not absolute paths on your web app.  I understand your web app's author(s) are somewhat incompetent, however you either need to get your money back and go with a new product or convince them to play ball.

We could set up a transparent DMZ to handle the public IP of your server, however that runs us into one big problem.  My understanding of your network is that you can not put these servers on public IPs only, and we have no way of knowing that your web app will use the correct bound IP if multiple are assigned.  Especially since you are going to have requests over both IPs.

This problem has nothing to do with IP Loopbacking or even using the DMZ.  It is a limitation of your software and environment.  When last you spoke with D-Link (to my knowledge) you had this all explained to you and were going to pursue matters with the author(s) of your web app.

Please pursue this issue with the author(s) of your web app, this should be a quick fix for them and actually simpler to program.
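
[Added example, not part of the thread and not code from any poster or from the web app's vendor.] The relative-versus-absolute path point above can be checked against the application's own output: the JavaScript below scans markup for absolute URLs whose host is an RFC 1918 address, shows the relative form, and resolves both forms against the internal and the public page address. The `/app` virtual directory, the sample markup and the function names are assumptions made for illustration; the IP addresses are the ones quoted in the thread.

```javascript
// Added example: SAMPLE markup and the /app path are constructed for illustration.
// RFC 1918 private ranges: 10/8, 172.16/12, 192.168/16.
const PRIVATE_HOST =
  /^(10\.\d+\.\d+\.\d+|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+|192\.168\.\d+\.\d+)$/;

// Absolute http(s) URLs as they appear in HTML attributes or script strings.
const ABSOLUTE_URL = /https?:\/\/[^\s"'<>)]+/g;

// Path, query and fragment only: the part that survives on any host.
function relativePart(url) {
  return url.pathname + url.search + url.hash;
}

// List every absolute URL in the markup that points at a private address.
function findPrivateLinks(markup) {
  const hits = [];
  for (const m of markup.matchAll(ABSOLUTE_URL)) {
    let url;
    try { url = new URL(m[0]); } catch { continue; }
    if (PRIVATE_HOST.test(url.hostname)) {
      hits.push({ absolute: m[0], relative: relativePart(url) });
    }
  }
  return hits;
}

// Rewrite private-host absolute URLs to relative ones; leave the rest alone.
function toRelative(markup) {
  return markup.replace(ABSOLUTE_URL, (s) => {
    try {
      const u = new URL(s);
      return PRIVATE_HOST.test(u.hostname) ? relativePart(u) : s;
    } catch { return s; }
  });
}

// What the browser will request for `link` when the page came from `pageUrl`.
function resolveFor(pageUrl, link) {
  return new URL(link, pageUrl).href;
}

const SAMPLE = [
  '<a href="/app/home.aspx">Home</a>',
  '<script>window.open("http://172.16.1.5/app/report.aspx?id=7");</script>',
  '<img src="http://216.253.206.205/app/logo.gif">',
].join("\n");
```

A relative link follows whichever address the client used to load the page, so the same markup works from the LAN and from the internet, and the internal addressing scheme no longer appears in pages served to outside clients.
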
Title: Re: DFL-800 Configuration
Post by: LR_Brian on February 24, 2009, 12:41:18 PM
"you had this all explained to you and were going to pursue matters with the author(s) of your web app."
 

Actually the last time I spoke with D-LINK the solution was so rushed due to a meeting on your side, and the Engineer never took the time to follow back up.  In fact I've placed multiple follow-up calls to the individual to only be told that there is another more serious case that he is working and he would pass my case to another engineer to keep working on a solution.

Still yet to hear back.

Title: Re: DFL-800 Configuration
Post by: Fatman on February 24, 2009, 01:51:38 PM
I do not know what the status is with you and that agent, nor do I know what has happened since the last contact between you and a D-Link agent that I was informed of. What I can tell you is that I know you were told (during the last contact that I am aware of) that we can not guarantee results for the reasons that I listed above and your support was being offered out of the kindness of a particular tech's heart.

Now instead of making me feel for your position you have made me view you as someone who wishes to coerce me, which is an unfortunate turn of events. I do not know what happened between you and the tech you mention in your last post but this is not the place to discuss concerns with getting a hold of an agent who agreed to assist you do something he should not have out of pity.

Please see my last post for the D-Link stance on your issue, I will wait for one more post for you for meaningful communication then I will lock the thread as being useless to you, me, or anyone else.