
Author Topic: DIR-855 behind a firewall  (Read 10401 times)

zEnterHacker

  • Level 1 Member
  • *
  • Posts: 9
DIR-855 behind a firewall
« on: May 04, 2009, 04:44:18 AM »

Hi,

Before I go on with this I have some small questions:

I would like to use the Wireless Guest Network of a DIR-855 to enable internet connection for guest users. I do not want guest users to have any LAN access at all. I also have a NetDefend DFL-800 firewall with WAN, LAN and a single "DMZ" interface only allowing internet traffic. No servers exist on the "DMZ" and I plan to connect the LAN switch of the DIR-855 together with the LAN interface of the firewall so that secure wireless clients get full LAN access.

I know the DIR-855 manual says otherwise but:
Is it possible to connect the WAN interface of DIR-855 to the "DMZ" interface of the DFL-800 firewall and route guest network packages through the "DMZ" to the internet? or is this a dead end...

If possible - what rules/settings should I attend in DIR-855 and if relevant, in the firewall?

Best regards
zEnterHacker
Logged

Lycan

  • Administrator
  • Level 15 Member
  • *
  • Posts: 5335
Re: DIR-855 behind a firewall
« Reply #1 on: May 04, 2009, 09:22:41 AM »

Well you're in the wrong board first. You're asking for config help with a DFL-800.
Post that here.
http://forums.dlink.com/index.php?board=231.0

Second the 855's guest zone wireless is already segregated from the WLAN/LAN. The DFL-800 is unnecessary.
Logged

zEnterHacker

  • Level 1 Member
  • *
  • Posts: 9
Re: DIR-855 behind a firewall
« Reply #2 on: May 04, 2009, 10:26:18 AM »

Hi,

Thanks for the preliminary answer.

I don't think I'm in the wrong forum. The manual of the DIR-855 clearly states that I should not use WAN to connect to another router/firewall - I should use one of the LAN ports. If I do that I don't see how a separate isolated Guest network can be created.

In my setup I need the firewall for other purposes. Therefore I still need to know if I can connect the DIR-855 WAN interface to the firewall and in this way separate the wireless guest net from the DIR-855 LAN switch.

If there are certain settings in the DIR-855 that makes this possible I would like to be informed. I'll figure out the rules for the firewall myself!

Thanks!
zEnterHacker
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: DIR-855 behind a firewall
« Reply #3 on: May 04, 2009, 10:40:05 AM »

Unfortunately I do not believe this will be possible, the wireless guest network is not routable through the LAN for obvious reasons and after it leaves the WAN it would be protected by NAT.

Your best bet is to hook the DIR's LAN to the LAN or DMZ of your DFL and then hook the WAN of your DIR to it also, however this would leave your wireless clients double NAT'ed.  If you have 2 public IPs then we can talk about preventing double NAT.
Logged
non progredi est regredi

zEnterHacker

  • Level 1 Member
  • *
  • Posts: 9
Re: DIR-855 behind a firewall
« Reply #4 on: May 06, 2009, 04:27:13 AM »

Small additional question / comment:

It looks to me as if I disable the DIR-855 DHCP server then I hereby totally kill the Guest Zone functionality. This is not very obvious from the manual nor very flexible!

In the above scenario Wireless Guests cannot obtain a valid IP address via DHCP - not from a LAN connected DHCP server nor from a WAN connected DHCP server....

 - Unless of course some smart port forwarding DHCP Relay Rule could route Wireless Guest DHCP calls to an external LAN or WAN based DHCP server IP address ???

 - Unless the DIR-855 had provided means for keeping the DHCP server active in the Guest Zone while being disabled for both LAN and normal wireless clients ???

I guess the last suggestion would make most sense hereby keeping a clear separation between Guest Zone and LAN.

Any hints to obtain DHCP controlled IP addresses in the Guest Zone with a disabled DIR-855 DHCP server ???

Regards
zEnterHacker


« Last Edit: May 06, 2009, 06:38:48 AM by zEnterHacker »
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: DIR-855 behind a firewall
« Reply #5 on: May 06, 2009, 08:30:20 AM »

This is one for someone who knows our home class products better, last time I logged into a DIR (in my case the last one was a DIR-655) for longer than it took to screenshot the version number on the login page we didn't have any products with that feature.

That said I would be somewhat surprised if your conclusion is incorrect.  To be blunt you are not exactly using these devices as intended if you use them together.  I would have suggested dropping the 855 and getting a DAP-2590, which would allow selectable 2.4/5GHz and have true wireless VLANing instead of guest mode.

*** Modified by Fatman because of an accidental double negative and loose product association.
« Last Edit: May 06, 2009, 09:48:40 AM by Fatman »
Logged
non progredi est regredi

zEnterHacker

  • Level 1 Member
  • *
  • Posts: 9
Re: DIR-855 behind a firewall
« Reply #6 on: May 06, 2009, 09:40:08 AM »

Hi,

I have to disagree with you on the intended use. I'm using the DIR-855 as instructed in the manual for router to router connection. This means I connect the DIR-LAN to ROUTER-LAN and everything works as expected - well apart from one important feature - the Guest Zone!

When I glance over the advanced port forwards, ALG etc - I guess we are not only talking home user environment here - I mean someone at D-Link knew that "router to router" was an issue worth mentioning in the manual, but surely they forgot to mention that this effectively kills the Guest Zone functionality.

I'm trying to create a DHCP relay ALG (UDP trigger port 67 - UDP firewall port 68) but I have not yet been successful - any comments would be appreciated.

Best regards
zEnterHacker
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: DIR-855 behind a firewall
« Reply #7 on: May 06, 2009, 09:42:56 AM »

Wow, I am going to have to pretend that last post of mine didn't happen.  It is going to be substantially edited to make a little more sense.  I am leaving this second post acknowledging the change because it would affect the flow of the thread not to have this marker.  Suffice it to say the double negative was unintentional.
Logged
non progredi est regredi

Lycan

  • Administrator
  • Level 15 Member
  • *
  • Posts: 5335
Re: DIR-855 behind a firewall
« Reply #8 on: May 06, 2009, 09:55:08 AM »

Let's see if we can sort this out.
The guest mode is VLAN'd from the rest of the LAN. That means if you do not use the WAN port of the router the guest modes that are connected to it will go nowhere.

Now if you simply want to use the 855 as an access point, you'll need to disable the DHCP server and ensure that the LAN address falls within the subnet of the DFL's LAN interface.

That being said, the 855 is not intended for this and a DAP-2590 would work much better, as it supports VLANs and can host multiple SSIDs in that VLAN.

The mention of router to router is for AP use only or a double NAT environment. Of COURSE guest ZONE wouldn't work, how could it? It's segregated from the LAN by a VLAN. Its only destination is the WAN port.

The router to router mention was included for customers that purchased this device and have PPPoAtm for example, where their modem HAS to act as the NAT because our routers don't support PPPoA.
Like I said the unit will function as an AP, but the ALGs, QoS and all the other fun features inc. guest zone cannot be used.

Logged

zEnterHacker

  • Level 1 Member
  • *
  • Posts: 9
Re: DIR-855 behind a firewall
« Reply #9 on: May 06, 2009, 01:11:28 PM »

Hi - sorry for being a drag.

Quote: "Of COURSE guest ZONE wouldn't work, how could it? It's segregated from the LAN by a VLAN. Its only destination is the WAN port."

Exactly!  - and I only want the Guest Zone to address the WAN port! That's why you should be able to control if the DIR-855 DHCP server should work only in the Guest Zone and/or in the LAN zone. This way a user could, regardless of the setting of the LAN DHCP server configuration, still use the WAN port to carry unsecure "Guest Zone traffic" while still maintaining full security for approved Wireless/LAN clients.

In order not to keep on arguing about what is the intended use of this product I would like to propose an extra tick box in the DHCP SERVER SETTINGS in the NETWORK SETTINGS page:

    Enable DHCP Server for LAN:             [  ]
    Enable DHCP Server for GUEST ZONE: [  ]

I hope this can be implemented into a future firmware in order to make the DIR-855 more flexible - thanks in advance.

FYI: I have given up on the Guest Zone and reverted back to the standard AP setup. I'm simply unable to route packages from the Guest Zone to the WAN port without the help of a DHCP server. However I would still be interested in case someone found a solution to this problem  ::)

Thank you both for your attention.

Regards
zEnterHacker
Logged

Lycan

  • Administrator
  • Level 15 Member
  • *
  • Posts: 5335
Re: DIR-855 behind a firewall
« Reply #10 on: May 06, 2009, 01:44:04 PM »

It's a HOME CLASS ROUTER. Hence it's not intended for this type of deployment.
Logged