D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: andqui on April 19, 2010, 01:15:17 AM
-
Hi,
I am trying to make both WAN interfaces work on my DFL-800 the way I want - respond to port-forwarded traffic on allowed ports on both WAN interfaces. As it is now I can only get WAN1 to respond in the manner that I would like.
First an explanation of the context: WAN1 and WAN2 both receive their IP settings via DHCP. My ISP allows me to receive up to five IP addresses this way and the interfaces usually will have the same gateway and subnets (wan1_gw and wan2_gw are the same) but that is not something that I will take for granted.
The setup I am trying is the classic "drawkcaB routing table" approach, treating it as if I had statically assigned IPs on WAN1 and WAN2 and different ISPs.
Routing table wan2:
Interface | Network | Gateway | Local IP address | Metric |
wan2 | wan2net | | | 100 |
wan2 | all-nets | wan2_gw | | 100 |
Routing Rule wan2_routing:
# | Name | Source interface | Source network | Destination interface | Destination network | Service |
1 | wan2_routing | wan2 | all-nets | core | wan2_ip | all_tcpudpicmp |
Forward Table: main
Return Table: wan2 (routing table above)
My main table looks like this:
Interface | Network | Gateway | Local IP address | Metric | Monitor this route |
wan1 | wan1net | | | 100 | No |
wan1 | all-nets | wan1_gw | | 100 | No |
dmz | dmznet | | | 100 | No |
lan | lannet | | | 100 | No |
I have Allow and SAT rules (and a general NAT rule even if I am not sure it has any purpose in this case) for the traffic I would like to be able to respond to on WAN2:
SAT_http_wan2_mail2 | SAT | any | all-nets | core | wan2_ip | http |
NAT | NAT | lan | lannet | any | all-nets | all_tcpudpicmp |
Allow_http_wan2 | Allow | any | all-nets | core | wan2_ip | http |
When I enable more extensive logging on these rules and try to connect via http on the WAN2 interface there is a conn_open entry but then something goes wrong and the connection times out and I am not able to tell what it is (the same server is also SAT:ed on WAN1 and there it works just fine). I have a hunch that it is something with the return traffic that is not working but I cannot figure it out.
I have tried many different configs but this is the one that seems most logical. Am I going about this the wrong way? Is there a clear error in my config above? Should this even work? Any pointers will be appreciated since I am about to give up. :)
Best Regards
Anders
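To make the return-path question in this post concrete, here is an added example (not code from the original thread or from NetDefendOS) that models the two routing tables and the wan2_routing rule above as data and looks up which interface and gateway a reply to a WAN2 connection leaves on, with and without the policy-based routing rule. The prefixes and the wan2_ip host address are constructed stand-ins for the DHCP-assigned values; the table and rule names are the ones from the post.

```python
import ipaddress

# Constructed sample prefixes standing in for the DHCP-assigned networks in the thread.
NETS = {
    "wan1net": ipaddress.ip_network("198.51.100.0/24"),
    "wan2net": ipaddress.ip_network("203.0.113.0/24"),
    "wan2_ip": ipaddress.ip_network("203.0.113.10/32"),   # constructed wan2_ip
    "dmznet": ipaddress.ip_network("10.0.0.0/24"),
    "lannet": ipaddress.ip_network("192.168.1.0/24"),
    "all-nets": ipaddress.ip_network("0.0.0.0/0"),
}

# Routing tables as (interface, network, gateway, metric), copied from the post.
TABLES = {
    "main": [("wan1", "wan1net", None, 100), ("wan1", "all-nets", "wan1_gw", 100),
             ("dmz", "dmznet", None, 100), ("lan", "lannet", None, 100)],
    "wan2": [("wan2", "wan2net", None, 100), ("wan2", "all-nets", "wan2_gw", 100)],
}

# Routing rule wan2_routing: (src iface, src net, dst net, forward table, return table).
RULES = [("wan2", "all-nets", "wan2_ip", "main", "wan2")]


def lookup(table, dst):
    """Longest-prefix match in `table`; lower metric breaks ties. Returns (iface, gw)."""
    best = None
    for route in TABLES[table]:
        net = NETS[route[1]]
        if dst not in net:
            continue
        key = (net.prefixlen, -route[3])       # longer prefix wins, then lower metric
        if best is None or key > best[0]:
            best = (key, route)
    return None if best is None else (best[1][0], best[1][2])


def return_table(ingress, src, dst):
    """Return table selected by the first matching routing rule, else main."""
    for r_if, r_src, r_dst, _fwd, ret in RULES:
        if ingress == r_if and src in NETS[r_src] and dst in NETS[r_dst]:
            return ret
    return "main"


def reply_path(ingress, client, dst, pbr=True):
    """Interface and gateway the reply to `client` leaves on for a flow that
    arrived on `ingress` towards `dst`; pbr=False ignores the routing rule."""
    client, dst = ipaddress.ip_address(client), ipaddress.ip_address(dst)
    table = return_table(ingress, client, dst) if pbr else "main"
    return lookup(table, client)
```

With the rule in place the reply to a client of the WAN2 address is routed via wan2_gw; without it the main table sends it out wan1, which is the asymmetric return path the post suspects.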
-
1) You can remove route wan2 wan2net 100 from "wan2" table, it's useless
2) Change PBR rule to
wan2/all-nets any/all-nets all_tcpudpicmp
3) In IP rules, don't use "any". Change rules to
SAT_http_wan2_mail2 SAT wan/all-nets core/wan2_ip http
Allow_http_wan2 Allow wan/all-nets core/wan2_ip http
NAT NAT lan/lannet wan/all-nets all_tcpudpicmp
PS Better to use all_services instead of all_tcpudpicmp because it includes all IP protocols.
-
Thanks for your tips! Much appreciated!
I tried your suggestions but to no avail. It's still just a conn_open entry in the log and it still times out after a while. I guess I am very close to giving up on this dream of mine or maybe I will buy a second DFL-800, who knows (I really like the one I have) ;D
About your comments, I felt compelled to respond to them.
1) You can remove route wan2 wan2net 100 from "wan2" table, it's useless
I have tried both with and without that route and just left it there in case it might do some magic. ;)
2) Change PBR rule to
wan2/all-nets any/all-nets all_tcpudpicmp
I tried with all_services as well just to be sure.
3) In IP rules, don't use "any". Change rules to
SAT_http_wan2_mail2 SAT wan/all-nets core/wan2_ip http
Allow_http_wan2 Allow wan/all-nets core/wan2_ip http
NAT NAT lan/lannet wan/all-nets all_tcpudpicmp
Do you mean I should use a wan group instead or was just a "2" left out? Anyhow, should this have any bearing on my particular problem except for it being a security issue with the Allow and SAT rule? The NAT rule is a general one meant to cover all interfaces. Can that rule affect the return traffic?
About the all_tcpudpicmp. It used to be all_services but when I upgraded to the latest firmware these were all changed so I thought that there was some intelligence behind this conversion and just decided to keep them.
-
If you PM me with your config or a way into your unit remotely I will take a look.
-
Do you mean I should use a wan group instead or was just a "2" left out? Anyhow, should this have any bearing on my particular problem except for it being a security issue with the Allow and SAT rule? The NAT rule is a general one meant to cover all interfaces. Can that rule affect the return traffic?
Sorry, of course wan2, not wan.
If you created the NAT rule to let return traffic go, you can remove it - Allow is a stateful rule, it passes return traffic automatically.
Btw, does the internal host have the DFL as gateway? Try to change Allow to NAT.