D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: timberline1 on August 19, 2009, 09:41:54 AM
-
Hello,
this has been driving me up the wall and hopefully someone can help me.
my network:
xxx.xxx.30.0/24 - lan_net
xxx.xxx.30.1 - lan_ip
location a
location b
location c
so, what I want is for my network to ipsec vpn to locations a, b, & c over the dmz port, all regular network traffic to pass over the lan port, and all regular internet traffic to be directed to the wan port.
why? you ask.
because I have 3 modems. 2 of which are for our internet use and are passed thru a wan aggregator. the 3rd modem is supposed to be strictly for VPN traffic only.
you can see a drawing of what I mean here:
http://www.flickr.com/photos/37679421@N08/3836582949/
I tried to post the picture but for some reason it wouldn't work.
if anyone can help me that would be awesome.
-
The easy answer is to add a route like the one below; the key is that it should have a lower metric than your other routes which could apply for the VPN_GW.
Interface  Network  Gateway  Metric
DMZ        VPN_GW   DMZ_GW   90
I like this answer because then you can also have your VPN fail over in case of ISP failure on the DMZ, that is assuming you turn on route monitoring.
-
I'm sorry, I don't know if I am just being thick, but apparently I don't understand because that is not working for me.
does there also have to be particular rules set up for this route? and if so how do I set them up?
let's assume I am starting from a fresh install.
xxx.xxx.30.0/24 - lan_net
xxx.xxx.30.1 - lan_ip
xxx.xxx.190.226 - dmz_ip (public ip)
xxx.xxx.190.225 – dmz_gw (modem for vpn traffic to pass over, directly plugged into dmz)
(all public ips at other locations)
location a gw – xxx.xxx.172.34
location b gw – xxx.xxx.196.56
location c gw – xxx.xxx.12.87
so you are saying create a static route (not switch route) that looks like this
interface  network        gateway  metric
dmz        location a gw  dmz_gw   90
with no rules?
This setup didn’t work for me which is why I am sure I am misunderstanding you.
-
That is the route I was referring to, though my first suspicion would be that you have some more varied metrics on your routing table than I knew about and that may be your issue.
What does your full routing table look like?
The method I prescribed avoided writing routing rules by making the one table sufficient. There is another method using a second routing table and routing rules, but for this scenario I don't think it is necessary.
Did you drop any existing SAs?
-
Type          Interface  Network    Gateway  Metric
Route         wan        wannet              100
Route         wan        all-nets   wan_gw   100
Route         lan        lannet              100
Route         CCTT       cctt_net            90
Route         CORP       Corp_net            90
Route         ANNEX      Annex_net  dmz-GW   80
Route         CORP       Corp_net   dmz_ip   0
Route         dmz        Annex_ip   dmz-GW   80
Switch Route  dmz        Annex_net           0
SA? Not sure what you mean.
-
This is the routing table you have.
Number  Type          Interface  Network    Gateway  Metric
1       Route         wan        wannet              100
2       Route         wan        all-nets   wan_gw   100
3       Route         lan        lannet              100
4       Route         CCTT       cctt_net            90
5       Route         CORP       Corp_net            90
6       Route         ANNEX      Annex_net  dmz-GW   80
7       Route         CORP       Corp_net   dmz_ip   0
8       Route         dmz        Annex_ip   dmz-GW   80
9       Switch Route  dmz        Annex_net           0
I am assuming that CCTT, CORP, and ANNEX are all VPNs.
Furthermore I am assuming that Annex_ip is the public IP that you are dialing the ANNEX VPN to, and that there will be similarly named cctt_ip and corp_ip objects.
This is the routing table you want.
Number  Type   Interface  Network    Gateway  Metric
1       Route  wan        wannet              100
2       Route  wan        all-nets   wan_gw   100
3       Route  lan        lannet              100
4       Route  dmz        dmznet              100
5       Route  CCTT       cctt_net            90
6       Route  CORP       Corp_net            90
7       Route  ANNEX      Annex_net           90
8       Route  dmz        cctt_ip    dmz-GW   80
9       Route  dmz        corp_ip    dmz-GW   80
10      Route  dmz        Annex_ip   dmz-GW   80
As for dropping SAs, you do that by visiting Status->IPsec->List all IPsec SAs and clicking the red X next to the SA.
In the future give me your routing table from Status->Routes, it will be in the order I need to see and contain numbers instead of names.
What was the goal of the switch route?
-
ok.. as I will not be able to try this out till early tomorrow morning I want to make sure I have all the steps correct.
dfl-210
lan port to lan
wan port to wan aggregator (contains 2 modems for internet traffic only)
dmz port to modem (for vpn traffic only)
add routes
Route  dmz  cctt_ip   dmz-GW  80
Route  dmz  corp_ip   dmz-GW  80
Route  dmz  Annex_ip  dmz-GW  80
clear all SAs
save and activate.
I shouldn't need to add any more rules or ARPs or anything, correct?
as for the switch route, I was trying something someone else suggested.
-
Also ensure you have a route for the DMZ interface.
Clear the SAs after you save and activate.
-
so I made all the changes and it gets up and running but after about 5-10 mins it drops all of the ipsecs with this error in the log:
Severity  Category/ID  Rule                 Src/DstIf  Src/DstIP                        Src/DstPort
Warning   ARP/300049   Default_Access_Rule  dmz        xxx.xxx.xxx.225/xxx.xxx.xxx.226
Event/Action
invalid_arp_sender_ip_address drop
xxx.xxx.xxx.225 = DMZ_GW (modem public IP)
xxx.xxx.xxx.226 = DMZ_IP (router public IP)
-
yeah this is driving me crazy. I can't keep the ipsecs connected for longer than 10 mins. any ideas what invalid_arp_sender_ip_address means? it shows the correct addresses....
-
Either show us all or just me via PM the values you have set for DMZ_IP DMZ_Net and DMZ_GW. That log entry means that the IP specified should not exist on that interface. The most usual cause of this is WAN connections where the GW is technically on a different network (due to typo or other problems) but the WAN network is able to compensate.
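The two pieces of advice in this thread, the "table you want" with per-peer host routes at a lower metric and the explanation of the invalid_arp_sender_ip_address drops, can be checked against a routing table offline. The script below is an added example, not anything from the thread or from D-Link; it assumes the usual lookup order (longest prefix first, then lowest metric) and replaces the masked xxx.xxx addresses with constructed documentation-range values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    iface: str
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]
    metric: int

def route(iface, net, gw, metric):
    """Build a Route; gw=None means the network is directly connected."""
    return Route(iface, ipaddress.ip_network(net),
                 ipaddress.ip_address(gw) if gw else None, metric)

# Constructed stand-in for the "table you want" in the reply above. The
# thread's masked xxx.xxx addresses are replaced with documentation ranges.
WANTED = [
    route("wan",   "192.0.2.0/24",     None,            100),  # wannet
    route("wan",   "0.0.0.0/0",        "192.0.2.1",     100),  # all-nets via wan_gw
    route("lan",   "10.0.30.0/24",     None,            100),  # lannet
    route("dmz",   "203.0.113.224/30", None,            100),  # dmznet
    route("CCTT",  "10.0.31.0/24",     None,             90),  # cctt_net (tunnel)
    route("CORP",  "10.0.32.0/24",     None,             90),  # Corp_net (tunnel)
    route("ANNEX", "10.0.33.0/24",     None,             90),  # Annex_net (tunnel)
    route("dmz",   "198.51.100.34/32", "203.0.113.225",  80),  # cctt_ip via dmz-GW
    route("dmz",   "198.51.100.56/32", "203.0.113.225",  80),  # corp_ip via dmz-GW
    route("dmz",   "198.51.100.87/32", "203.0.113.225",  80),  # Annex_ip via dmz-GW
]

def lookup(table, dst):
    """Pick the route for dst: longest prefix wins, then lowest metric."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in table if dst in r.network]
    if not hits:
        return None
    return min(hits, key=lambda r: (-r.network.prefixlen, r.metric))

def gateways_off_interface(table):
    """Routes whose gateway lies outside every connected network of its
    interface: the mismatch behind invalid_arp_sender_ip_address drops."""
    connected = {}
    for r in table:
        if r.gateway is None:
            connected.setdefault(r.iface, []).append(r.network)
    return [r for r in table if r.gateway is not None
            and not any(r.gateway in n for n in connected.get(r.iface, []))]
```

Dropping the dmznet route (as the earlier reminder "ensure you have a route for the DMZ interface" warns) makes all three dmz-GW host routes show up in gateways_off_interface, while the peer IPs still leave via the dmz port and everything else still goes out the wan.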
-
sending PM now...
-
yupp that did it. I set up an access rule for the dmz-gw on the dmz and BAMF! it has been running strong for about 40 mins now. I will continue to keep an eye on it for the next few days.
thank you very much.
-
Very Cool!