D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: gnug on August 03, 2010, 05:08:58 AM
-
Hi all, to start off I want to say that these forums are very helpful! Got so much information from them... :)
But I can't get something to work. I am trying to implement the DFL800 in an existing network. I want to keep the old network alive behind the DFL and then start building the new network. The situation now is as follows:
1 public IP gets forwarded to a simple router, which has NAT settings for different servers.
What I want to have working in the future is: 3 public IP addresses, 1 gets forwarded to the old network, the 2 others get forwarded to the new networks.
I managed to bind the 3 IPs to WAN1 by following the FAQ, that seems to be working.
To keep the old network exactly like it is now, I want to just move the router and everything behind it behind the DFL. So we get modem->DFL->router->oldnetwork. But I can't seem to get everything forwarded properly. These are my settings (changed the IPs):
wan1_ip: 192.168.1.49
wan1_net: 192.168.1.0/24
wan1_gw: 192.168.1.53
dmz_ip: 192.168.1.254
dmz_net: 192.168.1.0/24
router_ip: 192.168.1.50
I made a routing table with (interface/network/gw/local/metric) dmz/dmznet/wan1_gw/dmz_ip/80
and an IP rule with Allow/all_services (source interface/network destination interface/network) wan1/wan1net dmz/dmznet
But in my test situation it doesn't seem to work; with pings I can't reach dmz from wan1 or wan1 from dmz :| Am I doing it wrong, or did I make a mistake? With the Allow/all_services rule it should just forward everything so we can still use the NAT of the old router, right? From an outside view everything should be the same.
edit: added some extra info
-
Please make a schema... including interface names and IP addresses.
-
Hi danilovav, I've been trying to get it all to work but with no success. To keep the old network running as it is, I want to just put the router and the whole network behind it on the dmz port and forward all traffic from one of the public IPs. The two other IPs I want to have forwarded to separate VLANs.
I've made a drawing of the situation, sorry about the Paint quality - I don't have Visio or my diagrams on this box. :)
http://img514.imageshack.us/img514/3125/drawingr.png
Settings that I have until now are:
dmz_ip 172.16.1.254 IPAddress of interface dmz
dmz_router 172.16.1.2
dmznet 172.16.1.0/24 The network on interface dmz
lan_ip 192.168.1.1 IPAddress of interface lan
lannet 192.168.1.0/24 The network on interface lan
wan1_br *.*.196.255 Broadcast address for interface wan1.
wan1_dns1 0.0.0.0 Primary DNS server for interface wan1.
wan1_dns2 0.0.0.0 Secondary DNS server for interface wan1.
wan1_gw *.*.196.53 Default gateway for interface wan1.
wan1_ip *.*.196.49 IPAddress of interface wan1
wan1_ip2 *.*.197.32
wan1_ip2_gw *.*.197.33
wan1_ip3 *.*.198.52
wan1_ip3_gw *.*.198.53
wan1net *.*.196.0/24 The network on interface wan1
wan2_ip 192.168.120.254 IPAddress of interface wan2
wan2net 192.168.120.0/24 The network on interface wan2
Under IP rules:
3 wan_to_dmz SAT wan1 all-nets core wan1_ip all_services
4 router_allow Allow wan1 all-nets core wan1_ip all_services
5 dmz_to_wan NAT dmz dmznet wan1 all-nets all_services
ARP:
Publish wan1 wan1_ip2 00-00-00-00-00-00
Publish wan1 wan1_ip3 00-00-00-00-00-00
Routing table:
Route core wan1_ip2 1 No
Route core wan1_ip3 1 No
Route wan1 wan1net 100 No Direct route for network InterfaceAddresses.AddressFolder/wan1net over interface wan1.
Route wan1 all-nets wan1_gw 100 No Default route over interface wan1.
Route wan2 wan2net 100 No Direct route for network InterfaceAddresses.AddressFolder/wan2net over interface wan2.
Route dmz dmznet 100 No Direct route for network InterfaceAddresses.AddressFolder/dmznet over interface dmz.
Route lan lannet 100 No Direct route for network InterfaceAddresses.AddressFolder/lannet over interface lan.
As you can see, I haven't even started with VLANs as I am stuck here - I can't even ping from outside to the "router" in my test situation :/
-
Everything seems correct...
When you try to ping the router in the DMZ from outside, check Status > Connections and Status > Logging - where do the packets go?
For NAT (from the VLANs to WAN1), don't forget to make separate NAT rules that set the correct sender IP (wan1_ip2/3).
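To see where a packet should end up under the rule-set gnug posted above (SAT wan_to_dmz, Allow router_allow, NAT dmz_to_wan) before checking Status > Connections on the box, here is an added Python model of the NetDefendOS rule walk; it is not the poster's configuration or any D-Link code, the public addresses are RFC 5737 placeholders for the masked *.*.196.x values, and the SAT target dmz_router is taken from the posted address book.

```python
import ipaddress

# Constructed model of the rule-set posted in the thread (added example, not the
# poster's config). Public addresses are RFC 5737 placeholders for *.*.196.x.
ADDR = {
    "wan1_ip": "203.0.113.49", "dmz_router": "172.16.1.2",
    "dmznet": "172.16.1.0/24", "all-nets": "0.0.0.0/0",
}
# (interface, network) routes; the longest matching prefix wins, last one is the default
ROUTES = [("dmz", "172.16.1.0/24"), ("wan1", "203.0.113.0/24"), ("wan1", "0.0.0.0/0")]
# (name, action, src_if, src_net, dst_if, dst_addr, sat_target) mirroring the posted IP rules
RULES = [
    ("wan_to_dmz", "SAT", "wan1", "all-nets", "core", "wan1_ip", "dmz_router"),
    ("router_allow", "Allow", "wan1", "all-nets", "core", "wan1_ip", None),
    ("dmz_to_wan", "NAT", "dmz", "dmznet", "wan1", "all-nets", None),
]

def in_net(ip, name):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(ADDR[name], strict=False)

def dst_iface(ip):
    """'core' for an address the firewall itself owns, otherwise the route's interface."""
    if ip == ADDR["wan1_ip"]:
        return "core"
    hits = [r for r in ROUTES if ipaddress.ip_address(ip) in ipaddress.ip_network(r[1])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[1]).prefixlen)[0]

def evaluate(src_if, src_ip, dst_ip, rules=RULES):
    """Walk the rule-set top to bottom: a SAT match only records the translation and
    the scan continues, still on the ORIGINAL addresses, until an Allow/NAT rule
    matches. No such second match means the implicit default Drop."""
    new_dst, verdict = dst_ip, "Drop"
    for name, action, sif, snet, dif, dnet, target in rules:
        if not (sif == src_if and in_net(src_ip, snet)
                and dif == dst_iface(dst_ip) and in_net(dst_ip, dnet)):
            continue
        if action == "SAT":
            new_dst = ADDR[target]
            continue
        verdict = action
        break
    if verdict == "Drop":
        return {"verdict": "Drop", "matched": None}
    egress = dst_iface(new_dst)
    # a NAT rule rewrites the sender to the egress interface address (danilovav's point)
    new_src = ADDR["wan1_ip"] if verdict == "NAT" and egress == "wan1" else src_ip
    return {"verdict": verdict, "matched": name, "src": new_src, "dst": new_dst, "egress": egress}
```

Dropping the Allow rule (rules=RULES[:1]) shows the SAT rule alone forwards nothing, and a packet for a wan1net address the firewall does not own never matches the core/wan1_ip pair.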
-
Yeah, thanks for checking danilovav :) really appreciate it. I was going to post the whole config with setup here, seeing I got it working in my test situation, so people could check my config if they are in a similar situation. Unfortunately, I wanted to implement the DFL today and ... it's bricked. Worked perfectly last night, moved it to the office and it doesn't work anymore. Can't get on the interface, reset doesn't work, console doesn't work. (Of course when you're standing next to your boss.)
So, we'll never know if it would've worked in the live situation, seeing the warranty is overdue. I want to thank you anyway for trying to help!