D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: danw69 on July 24, 2010, 09:24:09 AM
-
Hi,
We already have WAN1 set up for incoming/outgoing traffic, and with port mapping working properly.
Now we need to connect WAN2 for another subnet of public IPs.
I have been reading on various similar topics, namely
http://forums.dlink.com/index.php?topic=7888.0
http://forums.dlink.com/index.php?topic=9104.0
http://forums.dlink.com/index.php?topic=11472.0
and have tried to set up everything accordingly.
I can connect to the actual WAN2 interface IP (port mapped to a LAN1 server), but the port mappings for any other IP on the WAN2 subnet fail, with the following log message:
Category/ID: RULE 6000051
Rule: Default_Access_Rule
Event/Action: ruleset_drop_packet drop
What on earth am I doing wrong???
Any help is greatly appreciated.
Btw, here's my setup:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Routing table Wan2ReturnTraffic for WAN2, of Default ordering:
Route wan2 all-nets wan2-gw 10 No
And Routing Rules:
1 ReturnRouteWAN2 wan2 all-nets core wan2net all_services
And IP Rules:
1 SAT_ssh_otherIP SAT wan2 all-nets core otherIP ssh
2 SAT-ssh-wan2_ip SAT wan2 all-nets core wan2_ip ssh
3 allow-ssh-wan2_ip Allow any all-nets wan2 wan2_ip ssh
4 allow_ssh_otherIP Allow any all-nets wan2 otherIP ssh
5 NAT-ssh-wan2_ip NAT wan2 all-nets core wan2_ip ssh
6 NAT_ssh_otherIP NAT wan2 all-nets core otherIP ssh
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Regards,
Dan
-
Change your routing rule to wan2/all-nets any/all-nets, and check - forward table should be main, return - Wan2ReturnTraffic.
And... Your NAT rules are not working. What do you want to do by it?
-
Thanks for your help Danilov,
I made the changes you suggested to the routing rule, but it still doesn't quite work. However, there's another log message; apparently the allow is OK, but the SAT port map is not being applied:
Category/ID: TCP_OPT 3400019
Rule:
Src/DstIf: wan2/wan2
Event/Action: mismatching_tcp_window_scale / adjust
Category/ID: CONN 600001
Rule: allow_ssh_fe6-pub-w2
Src/DstIf: wan2/wan2
Event/Action: conn_open
Routing Rule:
Name: ReturnRouteWAN2
Forward Table: main
Return Table: Wan2ReturnTraffic
Service: all services
Schedule: none
Source interface: wan2
Source Network: all-nets
Destination interface: any
Destination Network: all-nets
About the NAT rules: it doesn't seem to work without them, not even going in to the wan2_ip port-mapped server...
Any idea?
Regards
Dan
-
Eeee.... Your Allow rules are wrong. They should have the same source/destination as the SAT rules, e.g. wan2 all-nets core wan2_ip
-
Doesn't help (and in fact I had already tested that)...
Let me explain again what I am trying to do;
On wan1 we have a public subnet 1 which we port map to various IPs on lan1. I have several groups of IP rules handling all this. This works.
Now we have another public subnet 2 on wan2, which we need to map to some other lan1 IPs.
This last thing is what is failing: I am only capable of mapping the actual wan2_ip (i.e. the interface IP) to an internal lan1 IP, but not any of the other IPs of the subnet.
I have published the IPs in the ARP table, and the wan2 ethernet is set up like wan1 (but with the wan2 IP, gateway and net), and they both have "Add route for interface network" checked. All my other IP rules refer to interface wan1 and the IPs on subnet 1, so they shouldn't interfere.
What else should I look for?
Regards,
Dan
-
Update:
I removed the SAT and Allow rules for the wan2_ip, and changed the other ones to any/all-nets + wan2/wan2-ip1 and simsalabim, it works. I also added another port map (wan2-ip2), which also works.
I suspect the previous default_access_rule error had to do with the wan2_ip sort of "hiding" the other ip rules. Does this make sense?
So now my IP rules look like this:
1 SAT_ssh_wan2-ip1 SAT any all-nets wan2 wan2-ip1 ssh
2 allow_ssh_wan2-ip1 Allow any all-nets wan2 wan2-ip1 ssh
3 SAT_ssh_wan2-ip2 SAT any all-nets wan2 wan2-ip2 ssh
4 allow_ssh_wan2-ip2 Allow any all-nets wan2 wan2-ip2 ssh
Routing Table (apart from main):
Wan2ReturnTraffic (Ordering: Default, Remove interface IP routes: No)
1 Route wan2 all-nets wan2-gw 10 No
Routing Rules
Name: ReturnRouteWAN2
Fwd: main
Return: Wan2ReturnTraffic
Service: all_services
Source: wan2/all-nets
Destination: any/all-nets
Hope it helps anyone struggling with the same issues.
Thanks for all the help Danilov!
Regards,
Dan
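Added example, not part of the thread and not D-Link code: a simplified Python model of NetDefendOS first-match IP rule evaluation, used to check Dan's final rule set. It assumes the documented SAT behaviour (a SAT rule only rewrites the destination; evaluation continues until an Allow/NAT rule matches, otherwise the Default_Access_Rule drops) and uses constructed lan1 host names as the SAT targets.

```python
from dataclasses import dataclass

# Simplified model of NetDefendOS IP rule evaluation (added example, not D-Link's code).
# A SAT rule rewrites the destination and evaluation continues; the first Allow/NAT
# rule that matches decides the verdict; no match means Default_Access_Rule drops.

@dataclass
class Rule:
    name: str
    action: str        # "SAT", "Allow" or "NAT"
    src_if: str        # source interface name or "any"
    dst_if: str        # interface the destination routes to, "core" for the firewall's own IPs
    dst_ip: str        # address object name or "all-nets"
    service: str       # service object name, e.g. "ssh"
    sat_to: str = ""   # SAT rules only: internal address the destination is rewritten to

def matches(rule, src_if, dst_if, dst_ip, service):
    return ((rule.src_if == "any" or rule.src_if == src_if)
            and (rule.dst_if == "any" or rule.dst_if == dst_if)
            and (rule.dst_ip == "all-nets" or rule.dst_ip == dst_ip)
            and rule.service == service)

def evaluate(rules, src_if, dst_if, dst_ip, service):
    """Return (verdict, translated destination, names of rules that matched)."""
    hits, translated = [], dst_ip
    for r in rules:
        if not matches(r, src_if, dst_if, dst_ip, service):
            continue
        hits.append(r.name)
        if r.action == "SAT":
            translated = r.sat_to   # translation only; keep looking for the permitting rule
            continue
        return r.action, translated, hits
    return "Default_Access_Rule drop", dst_ip, hits

# Dan's final working rule set from the thread; lan1-host-A/B are constructed placeholders.
FINAL_RULES = [
    Rule("SAT_ssh_wan2-ip1", "SAT", "any", "wan2", "wan2-ip1", "ssh", "lan1-host-A"),
    Rule("allow_ssh_wan2-ip1", "Allow", "any", "wan2", "wan2-ip1", "ssh"),
    Rule("SAT_ssh_wan2-ip2", "SAT", "any", "wan2", "wan2-ip2", "ssh", "lan1-host-B"),
    Rule("allow_ssh_wan2-ip2", "Allow", "any", "wan2", "wan2-ip2", "ssh"),
]

if __name__ == "__main__":
    # SSH to the second published address arriving on wan2: SAT'd, then allowed.
    print(evaluate(FINAL_RULES, "wan2", "wan2", "wan2-ip2", "ssh"))
    # Any other service to the same address has no rule pair and falls to the default drop.
    print(evaluate(FINAL_RULES, "wan2", "wan2", "wan2-ip2", "http"))
```

Each published address needs its own SAT plus Allow pair; a SAT rule with no matching Allow, or an Allow whose source/destination differs from its SAT, leaves the connection at the Default_Access_Rule drop seen in the first log excerpt.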