D-Link Forums

The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: otrotabi on January 10, 2010, 07:49:42 AM

Title: DFL-210 redirection
Post by: otrotabi on January 10, 2010, 07:49:42 AM
I have some services (particularly an SVN repository server and an LDAP server) which I sometimes need to access when I am connected to our local network, and sometimes need to access when I am outside, at home for example.

What I would like to do is to be able to point the software ip address to our internet ip, and I need to create a rule to redirect it to our own server from inside our network.

For example, if internet ip address is 192.136.43.73, I need to point my svn client address to this address no matter where I am working from.

Thanks in advance
Title: Re: DFL-210 redirection
Post by: Fatman on January 11, 2010, 09:16:21 AM
Create a standard port forward, ensuring that you include the LAN in the source interface (default answer is to create an interface group containing lan and wan).
Title: Re: DFL-210 redirection
Post by: otrotabi on January 11, 2010, 11:01:00 AM
Dear Fatman,

Thanks for your help.

I have the ldap service configured this way:

Name: ldap
Type: TCP/UDP
Source: 0-65535
Destination: 389
ALG: None

and the following IP rules:

Name: ldap
Action: SAT
Service: ldap
Schedule: None

                   Source          Destination
Interface:       any                core
Network:        all-nets           wan_ip

where wan_ip is our Internet address.

In the SAT tab I have:

Translate the Destination IP address to New IP address 192.168.30.30, where 30 is the ldap server IP within our network. New Port is blank.

The other rule is as follows:

Name: ldap
Action: Allow
Service: ldap
Schedule: None

This works when I am outside our network.

Should I create a different rule? Or should I create a Routing rule?

Regards

José

Title: Re: DFL-210 redirection
Post by: Fatman on January 11, 2010, 02:36:13 PM
That should be the ticket, though firewalls and SPI engines may be getting in the way.  Try adding a rule between the two you already have that looks like the below.

Action: either NAT or FWD_Fast
Service: ldap
Schedule: None

                   Source          Destination
Interface:       lan                core
Network:        lan-net           wan_ip
Title: Re: DFL-210 redirection
Post by: otrotabi on January 12, 2010, 06:23:40 AM
I tried both rules, NAT and FWD_Fast; neither of them works.

I enabled logging for these rules, and here is a copy of the log messages; maybe they mean more to you than to me.

2010-01-12 06:57:45    Info    CONN 600001    ldap    TCP    lan    lan    192.168.30.25    190.136.44.74    2828    389    conn_open    satdestrule=ldap conn=open

2010-01-12 06:58:46    Info    CONN 600002    ldap    TCP    lan    lan    192.168.30.25    190.136.44.74    2828    389    conn_close    close    conn=close origsent=144 termsent=0

I have exactly the same problem when I try to access our web server: if I point it to our local address, it works fine, but if I point it to the Internet address, it does not work. Maybe it is easier to solve the http problem first, though I guess it's the same problem everywhere.

Thanks for your help.

José



Title: Re: DFL-210 redirection
Post by: Fatman on January 12, 2010, 09:40:05 AM
This log entry appears to be for an external connection, not one from the LAN to the LAN.
Title: Re: DFL-210 redirection
Post by: otrotabi on January 12, 2010, 10:29:22 AM
However, this is what happens when I am inside the network. Do you happen to know if there are any configuration examples for something like this? I guess I am not the only one trying to connect to the company's web server both from the inside and the outside world. I could pick up from there. Thanks.
Title: Re: DFL-210 redirection
Post by: otrotabi on January 12, 2010, 12:52:16 PM
Ok, I have the solution thanks to Technical Support Dlink Latin America.

The trick is to create a NAT rule "in between" the SAT rule and the Allow rule with these parameters. Beware of the inverted commas because otherwise it won't work.

                   Source       Destination

Interface        lan               core
Network       all-nets          wan-ip

Thanks for your help.
Title: Re: DFL-210 redirection
Post by: danilovav on January 16, 2010, 10:05:58 PM
If everything works with the NAT rule, you can disable the Allow rule - it's useless. It means your server does not have the DFL as its default gateway. So using NAT is just one way, but your server will "see" all incoming connections as made only by the DFL.
Title: Re: DFL-210 redirection
Post by: otrotabi on January 18, 2010, 02:33:43 AM
Thanks for the tip. I am not an experienced user, not in this field at least, so if it works, I think I will just leave it as it is for now. Regards.
Title: Re: DFL-210 redirection
Post by: otrotabi on January 18, 2010, 10:07:40 AM
Ok, Mr Danilovav. It works as you suggested; only the NAT and SAT rules are needed, at least from the inside. When I get back home I will try to connect from the outside world and see what happens. Are there any security reasons I should be aware of? Regards.
Title: Re: DFL-210 redirection
Post by: danilovav on January 18, 2010, 10:48:22 AM
As I wrote before - your private host will "see" all connections from DFL. But it's just one way to implement your schema.
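
Added example, not part of the thread and not D-Link code: a small Python trace of the LAN-to-wan_ip exchange discussed above, with and without the NAT rule, showing why the SAT rule alone fails from inside and what source address the server ends up seeing. The WAN address and the firewall's LAN address (192.168.30.1) are constructed placeholders, and source-port rewriting is left out for brevity; with SAT only the reply never crosses the firewall, which is one reading of the termsent=0 in the log posted earlier.

```python
from dataclasses import dataclass

# Constructed values: WAN_IP is a documentation-range placeholder and
# FW_LAN_IP is an assumed firewall LAN address. CLIENT and SERVER are
# the LAN addresses quoted in the thread (same subnet).
WAN_IP, FW_LAN_IP = "203.0.113.10", "192.168.30.1"
CLIENT, SERVER = "192.168.30.25", "192.168.30.30"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

def hairpin(source_nat: bool) -> dict:
    """Trace one LAN client -> WAN_IP:389 exchange through the firewall."""
    syn = Packet(CLIENT, WAN_IP, 2828, 389)
    # SAT rule: rewrite the destination to the internal server.
    fwd = Packet(syn.src, SERVER, syn.sport, syn.dport)
    if source_nat:
        # NAT rule: also rewrite the source to the firewall's LAN address.
        fwd = Packet(FW_LAN_IP, fwd.dst, fwd.sport, fwd.dport)
    # The server answers whatever source address it saw.
    reply = Packet(SERVER, fwd.src, fwd.dport, fwd.sport)
    # Without source NAT the reply goes straight to the client on the
    # shared subnet, so the firewall never gets to undo the SAT.
    via_firewall = reply.dst == FW_LAN_IP
    if via_firewall:
        # Firewall matches its state entry and reverses both translations.
        reply = Packet(WAN_IP, CLIENT, reply.sport, reply.dport)
    # The client only accepts a reply from the address it connected to.
    expected = (syn.dst, syn.dport, syn.src, syn.sport)
    accepted = (reply.src, reply.sport, reply.dst, reply.dport) == expected
    return {
        "server_sees": fwd.src,
        "reply_via_firewall": via_firewall,
        "client_accepts": accepted,
    }

if __name__ == "__main__":
    for nat in (False, True):
        print("source NAT" if nat else "SAT only ", hairpin(nat))
```

With the NAT rule in place, server-side logs and any IP-based access controls record the firewall's address for every inside client, so per-client attribution for this traffic has to come from the firewall's own connection log.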