D-Link Forums

The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: gcgiuser on September 13, 2010, 01:51:39 AM

Title: LAN firewall for DFL 210
Post by: gcgiuser on September 13, 2010, 01:51:39 AM
Hello,

My scenario is to protect one PC server which contains online operational data running on CITECT software from all the other computers in the LAN. Traffic is inbound and outbound. Do I connect the server to one of the LAN ports and then another LAN port to the network switch? Or do I use WAN or DMZ? Another problem is that our LAN has different subnets/segments: one using 192.168.0.xxx/24, another using 172.24.xxx.xxx/16 (under domain server) and another using 165.158.157.xxx/24. How do I configure these? Just please give a general idea on how to do this, as I have been reading the manual but can't seem to hit the jackpot under this circumstance. Any help would be greatly appreciated.

Title: Re: LAN firewall for DFL 210
Post by: danilovav on September 13, 2010, 08:02:27 PM
To protect your server with CITECT you can move it into the DMZ with transparent mode to LAN (if you need it to get its address from one of the LAN subnets).

Additional LAN subnets can be added by:

1) Objects > Address book > InterfaceAddresses
   Add
   lan_172_ip=172.24.0.1
   lan_172_net=172.24.0.0/16

2) Interfaces > ARP
   Add ARP publish of lan_172_ip to LAN

3) Routing > Routing tables > main
   Add routes (interface, network, metric)
   core lan_172_ip 0
   lan lan_172_net 100 (metric same as for lan/lannet)

4) Make sufficient IP rules, like
   Allow lan/lannet lan/lan_172_net all_services
   Allow lan/lan_172_net lan/lannet all_services

Title: Re: LAN firewall for DFL 210
Post by: gcgiuser on September 14, 2010, 01:57:50 AM
Hi Mr. Danilov, thanks for the immediate reply.

When you say move the server to the DMZ with transparent mode to LAN, do you mean just check the Enable transparent mode box when configuring the DMZ interface? And do I need to have the same subnet for my server and the DMZ? My current server IP is 165.158.157.12 while my dmz_ip is 165.178.0.1, dmznet is 165.178.0.0/24. When setting IP rules, is the allow rule sufficient in my LAN with the server at DMZ? Thanks again and more power!


Title: Re: LAN firewall for DFL 210
Post by: danilovav on September 14, 2010, 11:19:21 AM
Do you need dmznet 165.178.0.0/24? Can you replace it by lannet?
Transparent mode - yes, I mean enabling the checkboxes. Also, you need to set similar nets and IPs of LAN and DMZ and make allow rules.

Title: Re: LAN firewall for DFL 210
Post by: gcgiuser on September 26, 2010, 11:19:51 PM
Hi Mr. Danilov,

The reason I assigned a separate subnet for my server, and likewise dmznet where I connect my server, away from all the other subnets in the LAN is to protect my server. Here are my settings:

dmz_ip  165.158.157.4
dmznet  165.158.157.0/24
server ip  165.158.157.12

lan_ip  192.168.0.170
lannet  192.168.0.0/16

lan_172_ip   172.24.25.170
lan_172_net  172.24.0.0/16

I enabled transparent mode at the DMZ interface setting as you have said.
Added ARP publish of lan_172_ip to lan, routed lan_172_ip, then made sufficient rules such as lan/lannet lan/lan_172_net all_services and vice versa. I made my DFL IPs the gateway of the other computers in the LAN.

Problem:  the server could not ping some computers, and all computers could not ping dmz_ip.

Please help.
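As an added example (not D-Link's code and not part of this thread), the script below models the NetDefendOS-style behaviour the replies rely on: a longest-prefix route lookup over the "main" routing table decides the egress interface, and the IP rule set is walked first-match. It is loaded with the address book, routes and the two Allow rules exactly as the thread describes them, then evaluates the three flows the last post is about. The model assumes that traffic matching no IP rule is dropped, derives the ingress interface by a reverse route lookup, and ignores transparent mode and ARP publish; the hosts 192.168.0.50 and 172.24.1.5 are constructed test addresses.

```python
"""Toy model of route lookup plus first-match IP rules, loaded with the
address book, routes and rules from the thread (added example, not
D-Link's code). Assumptions: unmatched traffic is dropped, the ingress
interface is found by a reverse route lookup, and transparent mode and
ARP publish are not modelled. Hosts .50 and 172.24.1.5 are constructed."""
import ipaddress
from dataclasses import dataclass

ADDRESS_BOOK = {
    "lan_ip": "192.168.0.170", "lannet": "192.168.0.0/16",
    "lan_172_ip": "172.24.25.170", "lan_172_net": "172.24.0.0/16",
    "dmz_ip": "165.158.157.4", "dmznet": "165.158.157.0/24",
}


def net(name):
    """Resolve an address-book name to an ip_network (single IPs become /32)."""
    return ipaddress.ip_network(ADDRESS_BOOK[name], strict=False)


@dataclass
class Route:
    interface: str
    network: str
    metric: int


@dataclass
class Rule:
    name: str
    action: str
    src_if: str
    src_net: str
    dst_if: str
    dst_net: str
    service: str


# Routing table "main": interface addresses route to "core" (the firewall
# itself), each subnet to the interface it sits behind.
ROUTES = [
    Route("core", "lan_ip", 0), Route("core", "lan_172_ip", 0), Route("core", "dmz_ip", 0),
    Route("lan", "lannet", 100), Route("lan", "lan_172_net", 100), Route("dmz", "dmznet", 100),
]

# The two IP rules described in the thread, in order.
RULES = [
    Rule("lan_to_172", "Allow", "lan", "lannet", "lan", "lan_172_net", "all_services"),
    Rule("172_to_lan", "Allow", "lan", "lan_172_net", "lan", "lannet", "all_services"),
]


def lookup_route(ip):
    """Longest-prefix match (lowest metric on ties); returns the interface or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for r in ROUTES:
        n = net(r.network)
        if addr in n:
            key = (n.prefixlen, -r.metric)
            if best is None or key > best[0]:
                best = (key, r.interface)
    return best[1] if best else None


def service_matches(rule_service, service):
    return rule_service == "all_services" or rule_service == service


def evaluate(src_ip, dst_ip, service):
    """Walk the rules first-match; return (action, rule name)."""
    src_if, dst_if = lookup_route(src_ip), lookup_route(dst_ip)
    if src_if is None or dst_if is None:
        return ("Drop", "no-route")
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in RULES:
        if (rule.src_if == src_if and s in net(rule.src_net)
                and rule.dst_if == dst_if and d in net(rule.dst_net)
                and service_matches(rule.service, service)):
            return (rule.action, rule.name)
    return ("Drop", "default")  # assumed default: nothing matched


def missing_rules(flows):
    """Interface pairs among the flows that fall through to the default drop."""
    return sorted({(lookup_route(s), lookup_route(d))
                   for s, d, svc in flows if evaluate(s, d, svc)[1] == "default"})


if __name__ == "__main__":
    FLOWS = [
        ("192.168.0.50", "172.24.1.5", "ping"),      # LAN host to the 172 segment
        ("165.158.157.12", "192.168.0.50", "ping"),  # CITECT server (DMZ) to a LAN host
        ("192.168.0.50", "165.158.157.4", "ping"),   # LAN host to dmz_ip, i.e. the firewall
    ]
    for s, d, svc in FLOWS:
        print(f"{s:>15} -> {d:<15} {svc}: {evaluate(s, d, svc)}")
    print("interface pairs with no Allow rule:", missing_rules(FLOWS))
```

Run as-is, the LAN-to-172 flow is allowed by the first rule, while the server-to-LAN and LAN-to-dmz_ip flows match nothing and fall to the default drop, because the listed rules only cover lan/lannet and lan/lan_172_net: there is no rule with dmz as a source or destination interface, and pinging dmz_ip is traffic to the firewall itself (interface core), which needs its own rule. Checking which (ingress, egress) pairs the rule set never names is the first thing to do when a newly added interface cannot be reached.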