D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: aribic2 on January 19, 2011, 04:20:51 AM
-
Hi all!
First of all, I know it's a common setup, but I have tried all the manuals, I've done everything by the book and tried off the book, but the behavior I get seems strange.
Here is the layout:
(http://img403.imageshack.us/img403/8020/layoutp.jpg)
Until a few days ago there was only adsl1 and everything worked fine. We added adsl2 to take some load off adsl1.
We need to let some ports in. It is done in the following way:
aDSL1 forwards the port to the WAN1 IP, and after that the firewall forwards it to the needed IP inside the LAN.
All incoming connections are handled through aDSL1-WAN1.
After adding adsl2 we can't get incoming connections running anymore. The main thing is to get RDP working with Server01. If I get this working the other stuff will be the same.
The other problem is that I must allow clients to connect to a web application on the Internet using https over port 8443. I tried to create a service on tcp/udp on port 8443; it didn't work. After leaving the same rules and changing to all_tcpudp it works. I'm absolutely sure it works over 8443, but I don't understand why it won't work when I leave only this port.
Config:
(http://img545.imageshack.us/img545/6540/lanw1w2.jpg)
(http://img25.imageshack.us/img25/7782/rmain.jpg)
(http://img251.imageshack.us/img251/1953/rw1j.jpg)
(http://img227.imageshack.us/img227/2432/w1lan.jpg)
Any idea is welcome.
-
You forgot to create the routing rules to allow traffic to go through wan1, and the access rule going to wan1.
In the r_wan1 routing table add the routes for wan1 wan1net and wan2 wan2net.
Create an access rule to allow all_nets to wan1 in rules/ip rules.
Then create a routing rule to allow the traffic you want, like this:
name : rdp
forward routing table : wan2
return routing table : r_wan1
service : rdp
source interface : wan1 source network : all-nets
destination interface : wan1 destination network : wan1_ip
Repeat for all services you need to SAT.
Don't forget to create the appropriate SAT and NAT rules in rules/ip rules.
-
You forgot to create the routing rules to allow traffic to go through wan1, and the access rule going to wan1.
In the r_wan1 routing table add the routes for wan1 wan1net and wan2 wan2net.
Create an access rule to allow all_nets to wan1 in rules/ip rules.
Thanks for answering.
Can you explain a little more?
I now see that I forgot to mention in the opening post that the gateways are supposed to be used as follows:
WAN1 - http/s + ftp
WAN2 - smtp, pop3
In case of failure, the remaining interface takes both kinds of traffic.
-
Anybody?
-
Here is a little scenario based on your config.
If you want to fulfil it, you need to have 2 default routes in each routing table with different metrics.
routing table main:
lan lannet 100
dmz dmznet 100
wan1 wan1net 100
wan2 wan2net 100
wan1 all-nets wan1gateway 95 (monitor feature enabled)
wan2 all-nets wan2gateway 96 (monitor feature enabled)
Create an alternate routing table with the ordering "first or only", and in that new routing table add the following routes:
wan1 wan1net 100
wan2 wan2net 100
wan1 all-nets wan1gateway 96 (monitor feature enabled)
wan2 all-nets wan2gateway 95 (monitor feature enabled)
Create an interface group with wan1 and wan2.
Then create an IP rule for all services going via wan1, like this:
lan/lannet wan1-wan2 nat http-all all-nets
Do the same for all other services.
Then for the services going via wan2, create a routing rule like this:
forward table : alternate routing table
return table : main
service : the one you desire
filter
lan/lannet wan1_wan2/all-nets
Do not forget to create the appropriate IP rules.
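To make the two-table design above concrete, here is a small Python model added by the editor; it is not NetDefendOS code and nothing in this thread contains it. It assumes a simplified route selection (longest prefix first, then lowest metric, with a monitored route withdrawn while its link is reported down) and a routing rule that sends smtp/pop3 from the LAN to the alternate table. The network names follow the post; the addresses (RFC 5737 documentation ranges) and the gateway labels are constructed. It shows why both tables need two default routes: mail leaves on wan2, web traffic on wan1, and each falls back to the other link when its preferred gateway is down.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    interface: str
    network: IPv4Network
    metric: int                     # lower metric wins among routes of equal prefix length
    gateway: Optional[str] = None   # None means the network is directly attached
    monitored: bool = False         # "monitor feature enabled": withdrawn while the link is down


@dataclass
class RoutingTable:
    name: str
    routes: List[Route]

    def lookup(self, dst: IPv4Address, link_up: Dict[str, bool]) -> Optional[Route]:
        """Best usable route for dst: longest prefix first, then lowest metric.
        A monitored route whose interface is reported down is skipped, which is what
        lets the second, higher-metric default route take over (assumed behaviour)."""
        usable = [
            r for r in self.routes
            if dst in r.network and (not r.monitored or link_up.get(r.interface, True))
        ]
        if not usable:
            return None
        return min(usable, key=lambda r: (-r.network.prefixlen, r.metric))


@dataclass(frozen=True)
class RoutingRule:
    """Policy-based routing entry: matching traffic is looked up in forward_table
    instead of main. return_table is recorded as in the post but not modelled here."""
    name: str
    services: frozenset
    src_iface: str
    forward_table: str
    return_table: str


# Constructed scenario mirroring the post; addresses are RFC 5737 documentation ranges.
LANNET, DMZNET = ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")
WAN1NET, WAN2NET = ip_network("198.51.100.0/30"), ip_network("203.0.113.0/30")
ALL_NETS = ip_network("0.0.0.0/0")

MAIN = RoutingTable("main", [
    Route("lan", LANNET, 100),
    Route("dmz", DMZNET, 100),
    Route("wan1", WAN1NET, 100),
    Route("wan2", WAN2NET, 100),
    Route("wan1", ALL_NETS, 95, gateway="wan1gateway", monitored=True),  # preferred default
    Route("wan2", ALL_NETS, 96, gateway="wan2gateway", monitored=True),  # failover default
])

ALTERNATE = RoutingTable("alternate", [
    Route("wan1", WAN1NET, 100),
    Route("wan2", WAN2NET, 100),
    Route("wan1", ALL_NETS, 96, gateway="wan1gateway", monitored=True),  # failover default
    Route("wan2", ALL_NETS, 95, gateway="wan2gateway", monitored=True),  # preferred default
])

TABLES = {t.name: t for t in (MAIN, ALTERNATE)}

# Mail from the LAN is steered to the alternate table (wan2 preferred); everything else uses main.
RULES = [
    RoutingRule("mail_via_wan2", frozenset({"smtp", "pop3"}), "lan", "alternate", "main"),
]


def select_table(rules: List[RoutingRule], service: str, src_iface: str) -> str:
    """The first matching routing rule decides the forward table; no match means 'main'."""
    for rule in rules:
        if service in rule.services and rule.src_iface == src_iface:
            return rule.forward_table
    return "main"


def egress_interface(service: str, src_iface: str, dst: str,
                     link_up: Optional[Dict[str, bool]] = None) -> Optional[str]:
    """Interface a new connection would leave on, or None if nothing routes it."""
    link_up = link_up if link_up is not None else {}
    table = TABLES[select_table(RULES, service, src_iface)]
    route = table.lookup(ip_address(dst), link_up)
    return route.interface if route else None


if __name__ == "__main__":
    cases = (("http", {}), ("smtp", {}), ("smtp", {"wan2": False}), ("http", {"wan1": False}))
    for svc, state in cases:
        out = egress_interface(svc, "lan", "192.0.2.10", state)
        print(f"{svc:5} link_up={state or 'all'} -> {out}")
```

Running the block walks the four cases that matter for this setup: with both links up, http leaves on wan1 and smtp on wan2; with wan2 down, smtp moves to wan1 because the alternate table still holds a wan1 default route at metric 96; with wan1 down, http moves to wan2 the same way. A table with only one default route would return None in the failure case, which is the symptom the post's advice is meant to avoid.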
-
Thanks for your detailed reply.
I managed to solve almost everything.
I have just this one problem:
There is one web application (in JSP) that needs to be accessed over a URL like the following:
https://siteurl.com:8443/sub/index.jsp
I tried to create a service group containing http, https and TCP/UDP port 8443,
and creating IP and routing rules like for all other services, but it doesn't work.
In the log it shows that it's being rejected by the "Default_Rule" (I don't have a rule with that name, so I guess it rejects everything that is not allowed).
When I allow all_tcpudp instead of this custom service, all works (and the log shows the connection being created under the rule's name).
Obviously I'm doing something wrong with creating the service/service group?
-
Can you paste your rules or just show them please?
IP rules and routing rules, or PM me!!!
-
Hi,
We have a DFL-800 set up at one of our schools and have exactly the same setup as described above. How did you get it all working? I'm trying to open ports and port forward/redirect for internal websites, as well as trying to load balance 2 ADSL links. Any ideas? The documentation is really hard to follow.
Thanks
Shane