
Author Topic: Migrate to DFL-210>configuration problem  (Read 19113 times)

Chilleboy

  • Level 1 Member
  • *
  • Posts: 23
Re: Migrate to DFL-210>configuration problem
« Reply #15 on: April 24, 2010, 11:45:15 AM »

Make rules

SAT lan/lannet core/lan_ip dns-all (SAT: new destination = wan_ip)
NAT lan/lannet core/lan_ip dns-all
Thanks Danilov!

Still problem with the outgoing traffic…weird?
See the logs:


Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: Migrate to DFL-210>configuration problem
« Reply #16 on: April 24, 2010, 09:59:55 PM »

I hope, 0.1 is DFL's IP?

Please show once more all your rules, all routing tables, PBR rules (if configured) and Status > Routes.
Logged
BR, Alexandr Danilov

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: Migrate to DFL-210>configuration problem
« Reply #17 on: April 26, 2010, 08:17:16 AM »

The SAT destination should be your WAN_DNS server, not your WAN_IP.
Logged
non progredi est regredi

Chilleboy

  • Level 1 Member
  • *
  • Posts: 23
Re: Migrate to DFL-210>configuration problem
« Reply #18 on: April 26, 2010, 09:49:08 AM »

I hope, 0.1 is DFL's IP?

Please show once more all your rules, all routing tables, PBR rules (if configured) and Status > Routes.
Yes 0.1 is the DFL's IP.
Logged

Chilleboy

  • Level 1 Member
  • *
  • Posts: 23
Re: Migrate to DFL-210>configuration problem
« Reply #19 on: April 26, 2010, 10:03:28 AM »

Here is the setup again:




SAT destination changed to WAN_DNS server, thanks Fatman!





Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: Migrate to DFL-210>configuration problem
« Reply #20 on: April 26, 2010, 07:15:56 PM »

You have a mistake in the rules

lan_to_wan
allow_standart should be NAT (not Allow)

MAIL_config
LAN_translate is useless. What do you want from this rule?
Logged
BR, Alexandr Danilov

Chilleboy

  • Level 1 Member
  • *
  • Posts: 23
Re: Migrate to DFL-210>configuration problem
« Reply #21 on: April 27, 2010, 01:28:43 AM »

You have a mistake in the rules

lan_to_wan
allow_standart should be NAT (not Allow)

MAIL_config
LAN_translate is useless. What do you want from this rule?
Great Danilov!
Now I am able to reach the Internet!  ;D

But I am not able to reach my servers from inside…
Can I enable that?
Logged

Chilleboy

  • Level 1 Member
  • *
  • Posts: 23
Re: Migrate to DFL-210>configuration problem
« Reply #22 on: April 27, 2010, 02:00:01 AM »

But I am not able to reach my servers from inside…
Can I enable that?
Solved that problem:
Changed the ip-rule:

wan-to-lan - ip rule #2
Action=NAT (instead of Allow)
SourceInterface=any
SourceNetwork=all-nets
DestInterface=any
DestNetwork=server wan ip address
Service=http-all
Logged

Chilleboy

  • Level 1 Member
  • *
  • Posts: 23
Re: Migrate to DFL-210>configuration problem
« Reply #23 on: April 27, 2010, 02:14:47 AM »

But I can't access my IMAP server via Outlook or Mail.
It is no problem to connect via webmail (http and https) both from inside and outside.
Any thoughts?
Logged

Chilleboy

  • Level 1 Member
  • *
  • Posts: 23
Re: Migrate to DFL-210>configuration problem
« Reply #24 on: April 27, 2010, 11:28:44 AM »

Sorry for the mass posting in this thread!
 
Two more things… :)

I discovered that the IPs of the visiting WAN computers were translated to the DFL's IP: 192.168.0.1.
I hope that it can be configured like the DIR-655 to show the real IP-addresses of the visiting computers.
Tough job?

The other thing not working like my plan is the ssh. I think the error is in my bad configuration of ip-rules. :-(

I'm thankful for all the help I have received from Fatman and Danilovav!
Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: Migrate to DFL-210>configuration problem
« Reply #25 on: April 27, 2010, 11:38:21 AM »

To make port mapping (D-NAT) accessible from outside and inside, you should make rules

# external access
SAT wan/all-nets core/wan_ip yourservice (SAT: new dest = yourprivatehost)
Allow wan/all-nets core/wan_ip yourservice
# internal access
SAT lan/lannet core/wan_ip yourservice (SAT: new dest = yourprivatehost)
NAT lan/lannet core/wan_ip yourservice

The 2nd Allow rule is required to "show" your private host what IP address the request from outside comes from. But this (private) host should have the DFL as its default gateway and its local firewall/antivirus configured not to block incoming connections. If that's not possible, change Allow to NAT.

If you have the same internal host with some services to publish, make a service group and use it in the rules.
« Last Edit: April 27, 2010, 11:41:05 AM by danilovav »
Logged
BR, Alexandr Danilov

Chilleboy

  • Level 1 Member
  • *
  • Posts: 23
Re: Migrate to DFL-210>configuration problem
« Reply #26 on: April 27, 2010, 01:57:16 PM »

To make port mapping (D-NAT) accessible from outside and inside, you should make rules

# external access
SAT wan/all-nets core/wan_ip yourservice (SAT: new dest = yourprivatehost)
Allow wan/all-nets core/wan_ip yourservice
# internal access
SAT lan/lannet core/wan_ip yourservice (SAT: new dest = yourprivatehost)
NAT lan/lannet core/wan_ip yourservice

The 2nd Allow rule is required to "show" your private host what IP address the request from outside comes from. But this (private) host should have the DFL as its default gateway and its local firewall/antivirus configured not to block incoming connections. If that's not possible, change Allow to NAT.

If you have the same internal host with some services to publish, make a service group and use it in the rules.

Thanks!
I'll try these settings!
Guess I must remove the other IP-rules already configured for the HTTP if I made a servicegroup that contains HTTP + other services?
Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: Migrate to DFL-210>configuration problem
« Reply #27 on: April 27, 2010, 07:10:08 PM »

Yes, from wan_to_lan and mail_config
Logged
BR, Alexandr Danilov

Chilleboy

  • Level 1 Member
  • *
  • Posts: 23
Re: Migrate to DFL-210>configuration problem
« Reply #28 on: April 28, 2010, 02:50:33 AM »

Great Danilovav!
Now the IP is correct for the visiting computers! :)

Still the problem persists with the rules for connecting with a mail-client (Mac Mail and Outlook PC).
Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: Migrate to DFL-210>configuration problem
« Reply #29 on: April 28, 2010, 10:23:14 AM »

For port mapping (publishing your servers)

As I understood, you want to access HTTP/HTTPS/IMAP from outside by standard ports and SSH by a non-standard one. So...

1) Objects > Services
Make service ssh-xxx00 with destination port xxx00
Make service group ext_mail_server with imap, pop3, smtp (all services that you need) and ssh-xxx00
Do the same for web servers (group ext_web_server)

2) Rules > IP rules
# mail server
SAT wan/all-nets core/wan_ip ssh-xxx00 (SAT: new dest = lan_mail_server, new port = 22)
SAT wan/all-nets core/wan_ip ext_mail_server (SAT: new dest = lan_mail_server)
Allow wan/all-nets core/wan_ip ext_mail_server
# web server
SAT wan/all-nets core/wan_ip ssh-xxx02 (SAT: new dest = lan_web_server, new port = 22)
SAT wan/all-nets core/wan_ip ext_web_server (SAT: new dest = lan_web_server)
Allow wan/all-nets core/wan_ip ext_web_server

If you want to have access from internal network (LAN) to wan published services, make additional rules

# mail server
SAT lan/lannet core/wan_ip ssh-xxx00 (SAT: new dest = lan_mail_server, new port = 22)
SAT lan/lannet core/wan_ip ext_mail_server (SAT: new dest = lan_mail_server)
NAT lan/lannet core/wan_ip ext_mail_server
# web server
SAT lan/lannet core/wan_ip ssh-xxx02 (SAT: new dest = lan_web_server, new port = 22)
SAT lan/lannet core/wan_ip ext_web_server (SAT: new dest = lan_web_server)
NAT lan/lannet core/wan_ip ext_web_server
Logged
BR, Alexandr Danilov
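
An added example, not part of any poster's reply and not D-Link tooling: a small Python check that parses rules written in the notation used in this thread and flags the three pitfalls the thread ran into (a SAT rule with no Allow/NAT rule behind it, Allow instead of NAT for LAN access to wan_ip, and inbound NAT that replaces visitor addresses with the firewall's). The sample rule set and the service-group membership are constructed for illustration.

```python
import re

# Thread notation: ACTION src_if/src_net dst_if/dst_net service (SAT: ...)
RULE = re.compile(r"^(SAT|NAT|Allow)\s+(\S+)/(\S+)\s+(\S+)/(\S+)\s+(\S+)")
KEYS = ("action", "src_if", "src_net", "dst_if", "dst_net", "service")

def parse(text):
    """Parse thread-style rule lines; comments and blank lines are skipped."""
    matches = (RULE.match(line.strip()) for line in text.splitlines())
    return [dict(zip(KEYS, m.groups())) for m in matches if m]

def covers(rule, sat, groups):
    """True if an Allow/NAT rule matches the same traffic as the SAT rule."""
    same_path = all(rule[k] == sat[k] for k in KEYS[1:5])
    # The rule's service may be a group that contains the SAT rule's service.
    services = groups.get(rule["service"], set()) | {rule["service"]}
    return rule["action"] != "SAT" and same_path and sat["service"] in services

def audit(rules, groups=None):
    """Return (rule_number, finding) pairs; rule numbers start at 1."""
    groups = groups or {}
    findings = []
    for n, r in enumerate(rules, 1):
        if r["action"] == "SAT" and not any(covers(f, r, groups) for f in rules[n:]):
            findings.append((n, "SAT has no later Allow/NAT rule for the same traffic"))
        if r["action"] == "Allow" and r["src_if"] == "lan" and r["dst_net"] == "wan_ip":
            findings.append((n, "LAN access to wan_ip needs NAT, not Allow"))
        if r["action"] == "NAT" and r["src_if"] in ("wan", "any"):
            findings.append((n, "inbound NAT: server sees the firewall's IP, not the visitor's"))
    return findings

# Constructed sample: a rule set containing the mistakes discussed in the thread.
SAMPLE = """
# external access
SAT wan/all-nets core/wan_ip ssh-xxx00 (SAT: new dest = lan_mail_server, new port = 22)
SAT wan/all-nets core/wan_ip ext_mail_server (SAT: new dest = lan_mail_server)
NAT wan/all-nets core/wan_ip ext_mail_server
# internal access
SAT lan/lannet core/wan_ip ext_web_server (SAT: new dest = lan_web_server)
Allow lan/lannet core/wan_ip ext_web_server
SAT lan/lannet core/wan_ip ssh-xxx02 (SAT: new dest = lan_web_server, new port = 22)
"""
GROUPS = {"ext_mail_server": {"imap", "pop3", "smtp", "ssh-xxx00"}}  # assumed membership

if __name__ == "__main__":
    for number, finding in audit(parse(SAMPLE), GROUPS):
        print(f"rule {number}: {finding}")
```

The inbound-NAT finding is informational: the thread gives NAT as the fallback when the private host cannot use the DFL as its default gateway, at the cost of losing visitor addresses in the server's logs.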