D-Link Forums

The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: punkyb on February 28, 2011, 05:45:22 PM

Title: Newbie help routing SSH across networks
Post by: punkyb on February 28, 2011, 05:45:22 PM
Hi

I have set up a DFL 2560 within our network in order to learn the interface, and I have already failed at the first hurdle!

I have configured remote management SSH on the lan1 interface and can successfully SSH from within the network (192.168.164.0/24); however, I would like to also allow SSH access to this interface from a 192.168.239.0/24 network. Currently the Access Filter is Interface: lan1, Network: all-nets.

I understand that the firewall will only allow source IPs that belong to networks routed over that interface; however, I can't work out how to set up the Access Rules / Routing Rules to allow this access. The log result of an SSH attempt triggers the Default_access_rule and ruleset_drop_packet action. I think this means that the routing within the firewall is not correct.

I have set up an Address Book object man239 with the address 192.168.239.0/24. I have an IP Rule that allows all_tcp from Source Interface any, network man239 to Dest Interface lan1, network lan1net. I also have a Routing Rule that is basically the same: Src Interface any, network man239 to Dest Interface lan1, network lan1net.

Some direction on how to configure this would be greatly appreciated.
Title: Re: Newbie help routing SSH across networks
Post by: punkyb on March 01, 2011, 07:43:45 PM
Hello

For anyone interested, the solution to this problem is as follows:

Create object Lan1_gw = 192.168.164.x

Create route on main lan1 all-nets lan1_gw metric 0

Create IP rule lan1_fwd   action: forward fast   service: all_tcpudpicmp (I'll lock this down later)
    srcInt: lan1    srcNet: lan1net
    destInt: lan1   dstNet: all-nets

This setup allows ssh/http etc. access to the lan1 interface from a different private subnet. For some reason the lan1 interface is still not responding to ping (even though I can see the traffic using pcapdump). The IP rule has been placed at the top.

This works, however I'm still a bit stumped as to why - the route makes perfect sense but the IP rule doesn't seem intuitive. Can anyone give an explanation on how this works?

Thanks
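The mechanism the first post describes (source IPs are accepted on an interface only if they belong to a network routed over that interface) and the route added in the solution post can be checked against a small model. This is an added example, not NetDefendOS code or anything posted in the thread; the routing tables, the wan default route with metric 100 and the sample source addresses are constructed assumptions.

```python
import ipaddress

# Constructed, simplified model (assumption, not NetDefendOS code) of the
# access check described in the thread: a packet arriving on an interface is
# accepted only if the route chosen for its SOURCE address points back out
# that same interface; otherwise it is handled by Default_access_rule.

def best_route(routes, ip):
    """Return the interface for ip: longest prefix wins, lowest metric breaks ties.
    routes: list of (network, interface, metric)."""
    ip = ipaddress.ip_address(ip)
    candidates = [(ipaddress.ip_network(n), iface, metric)
                  for n, iface, metric in routes if ip in ipaddress.ip_network(n)]
    if not candidates:
        return None
    net, iface, _ = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return iface

def access_check(routes, src_ip, in_iface):
    """Return which rule handles the packet, mirroring the log line in the thread."""
    if best_route(routes, src_ip) == in_iface:
        return "pass"
    return "Default_access_rule/ruleset_drop_packet"

# Routing table before the fix (constructed): lan1net on lan1 and a default
# route over wan with metric 100, so 192.168.239.0/24 is routed towards wan.
ROUTES_BEFORE = [("192.168.164.0/24", "lan1", 0), ("0.0.0.0/0", "wan", 100)]
# After the fix from the thread: all-nets routed over lan1 via Lan1_gw, metric 0,
# which beats the wan default route on metric for any address outside lan1net.
ROUTES_AFTER = ROUTES_BEFORE + [("0.0.0.0/0", "lan1", 0)]

if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        for src in ("192.168.164.10", "192.168.239.10"):
            print(label, src, "arriving on lan1 ->", access_check(table, src, "lan1"))
```

Note that once all-nets is routed over lan1, this check accepts any source address arriving on lan1, so the anti-spoofing effect of the access rule is gone on that interface; a narrower route for just 192.168.239.0/24 via Lan1_gw would satisfy the same check for that subnet only.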