D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: mikejh69 on January 10, 2012, 09:28:02 AM
-
sorry if this has already been covered, I have looked through the board and cannot see anyone having the same issue
here goes
I have a D-Link DFL-260
new out of the box yesterday
I have set it up to allow VPN connections to the L2TP server; this works fine (tested by connecting a laptop to the WAN port on the same range of IP addresses, then browsing the local net)
however I am getting a problem connecting to the internet from the LAN
lannet 192.168.0.0/24, lan IP is 192.168.0.1
dmz 174.xxx.xxx.xx, dmz net 174.x.xx.xxx.0/24
wan net 192.168.1.0/24, wangw 192.168.1.1, wan IP 192.168.1.200
also all-nets is set to 0.0.0.0/0
I can get a response from anything on the WAN net, i.e. 192.168.1.x, without any issues
the standard IP filters lan-inet look to be sensible, as do the routes
I have been through the user manual to no avail
if I connect to the router on the other side of the D-Link all is good, so I know that I have a connection to the net
any ideas would be appreciated
many thanks
mike
-
Is the firewall configured in transparent mode or not?
Are the clients in the same net as lannet or not?
Do the clients have the firewall IP as their gateway or not?
-
firewall not in transparent mode
clients all on lannet
gateway set to the firewall IP address and DNS set to the LAN gateway (DNS works)
thanks for coming back to me
-
Start ping -t from a client
Go to Status > Connections: can you see it?
Go to Status > Logs: can you see it?
Did you change anything in Rules > IP rules > lan_to_wan?
Show Status > Routes
-
Hi:
As I understand it, your problem is internet access from the LAN.
I need more data about your network topology, but as far as I can see your clients on lannet reach the internet through the WAN interface, and on the WAN interface you have a router that is NATing ports.
In that case you need to configure the firewall in transparent mode, put the LAN and WAN interfaces of the firewall and the router interface in the same subnet with different IPs, and the gateway IP must be the router IP.
If this is not as I describe, please give more data.
Regards
-
ok, network as follows
internal clients on lannet 192.168.0.0/24, lan IP on the router 192.168.0.1, netmask 255.255.255.0
forget the DMZ, not in use
one IPsec tunnel working fine, connecting on the WAN interface, can browse the internal net (it terminates on the DFL-260 as L2TP server)
wan 192.168.1.0/24, gw 192.168.1.1, WAN interface IP 192.168.1.200
the router beyond this is on 192.168.1.1, and if I connect directly to it I can browse the net, so it's not blocking anything
below are answers to the other questions regarding ping, routes etc.
I appreciate all the assistance
State     Proto  Source                  Destination             Timeout
FIN_RCVD  TCP    lan:192.168.0.99:1730   core:192.168.0.1:443    17
FIN_RCVD  TCP    lan:192.168.0.99:1731   core:192.168.0.1:443    17
UDP       UDP    lan:192.168.0.99:58978  wan:192.168.1.1:53      103
UDP       UDP    lan:192.168.0.99:54021  wan:192.168.1.1:53      27
FIN_RCVD  TCP    lan:192.168.0.99:1728   core:192.168.0.1:443    17
UDP       UDP    lan:192.168.0.99:59170  wan:192.168.1.1:53      37
UDP       UDP    lan:192.168.0.99:64779  wan:192.168.1.1:53      53
TCP_OPEN  TCP    lan:192.168.0.99:1739   core:192.168.0.1:443    262144
Above is the connection table
Routing table contents (max 100 entries)
Flags  Network          Interface     Gateway      Local IP  Metric
       192.168.0.1      core          (Iface IP)             0
       172.17.100.254   core          (Iface IP)             0
       192.168.1.2      core          (Iface IP)             0
       127.0.0.1        core          (Iface IP)             0
       192.168.1.0/24   wan                                  100
       172.17.100.0/24  dmz                                  100
       192.168.0.0/24   lan                                  100
       224.0.0.0/4      core          (Iface IP)             0
       0.0.0.0/0        ipsec-tunnel                         90
       0.0.0.0/0        wan           192.168.1.1            100
In the "Flags" field of the routing tables, the following letters are used:
O: Learned via OSPF   X: Route is Disabled
Now IP rules
#  Name                      Action  Src If  Src Net  Dst If  Dst Net   Service
1  drop_smb-all              Drop    lan     lannet   wan     all-nets  smb-all
2  allow_ping-outbound       NAT     lan     lannet   wan     all-nets  ping-outbound
3  allow_ftp-passthrough_av  NAT     lan     lannet   wan     all-nets  ftp-passthrough-av
4  allow_standard            NAT     lan     lannet   wan     all-nets  all_tcpudp
And routes
Type   Interface     Network   Gateway  Local IP address  Metric  Monitor this route  Comments
Route  ipsec-tunnel  all-nets                             90      No                  Direct route for network all-nets over interface ipsec-tunnel.
Route  wan           wannet                               100     No                  Direct route for network wannet over interface wan.
Route  wan           all-nets  wan_gw                     100     No                  Default route over interface wan.
Route  dmz           dmznet                               100     No                  Direct route for network dmznet over interface dmz.
Route  lan           lannet                               100     No                  Direct route for network lannet over interface lan.
Logging
Date        Time      Severity  Category/ID   Rule          Proto  Src/DstIf  Src/DstIP                    Src/DstPort  Event/Action
2012-01-11  09:53:18  Warning   RULE 6000051  Default_Rule  TCP    lan        192.168.0.99 199.47.218.148  2052 80      ruleset_drop_packet drop  ipdatalen=28 tcphdrlen=28 syn=1
2012-01-11  09:53:16  Warning   RULE 6000051  Default_Rule  ICMP   lan        192.168.0.99 209.85.229.94                ruleset_drop_packet drop  ipdatalen=40 icmptype=ECHO_REQUEST echoid=768 echoseq=2560
2012-01-11  09:53:15  Warning   RULE 6000051  Default_Rule  TCP    lan        192.168.0.99 199.47.218.148  2052 80      ruleset_drop_packet drop  ipdatalen=28 tcphdrlen=28 syn=1
2012-01-11  09:53:14  Warning   RULE 6000051  Default_Rule  TCP    lan        192.168.0.99 199.47.218.148  2051 80      ruleset_drop_packet drop  ipdatalen=28 tcphdrlen=28 syn=1
2012-01-11  09:53:11  Warning   RULE 6000051  Default_Rule  ICMP   lan        192.168.0.99 209.85.229.94                ruleset_drop_packet drop
-
ok I have tried
1 set both WAN and LAN interfaces to transparent
WAN IP range 192.168.1.0/24, WAN IP 192.168.1.254, WAN gateway 192.168.1.1
LAN net 192.168.1.0/24, LAN IP 192.168.1.253
the router IP of the second router is 192.168.1.1
transparent mode set on both LAN and WAN interfaces
logging says
Date        Time      Severity  Category/ID   Rule          Proto  Src/DstIf  Src/DstIP                     Src/DstPort  Event/Action
2012-01-11  14:12:22  Warning   RULE 6000051  Default_Rule  TCP    lan        192.168.1.99 199.47.218.148   3807 80      ruleset_drop_packet drop  ipdatalen=28 tcphdrlen=28 syn=1
2012-01-11  14:12:22  Warning   RULE 6000051  Default_Rule  TCP    lan        192.168.1.99 199.59.149.198   3806 80      ruleset_drop_packet drop  ipdatalen=28 tcphdrlen=28 syn=1
2012-01-11  14:12:21  Warning   RULE 6000051  Default_Rule  TCP    lan        192.168.1.99 199.47.218.148   3803 80      ruleset_drop_packet drop  ipdatalen=28 tcphdrlen=28 syn=1
2012-01-11  14:12:19  Warning   RULE 6000051  Default_Rule  ICMP   lan        192.168.1.99 209.85.229.94                 ruleset_drop_packet drop  ipdatalen=40 icmptype=ECHO_REQUEST echoid=768 echoseq=7168
2012-01-11  14:12:19  Warning   RULE 6000051  Default_Rule  TCP    lan        192.168.1.99 199.59.149.198   3806 80      ruleset_drop_packet drop  ipdatalen=28 tcphdrlen=28 syn=1
2012-01-11  14:12:18  Warning   RULE 6000051  Default_Rule  TCP    lan        192.168.1.99 173.194.34.105   3800 443     ruleset_drop_packet drop  ipdatalen=28 tcphdrlen=28 syn=1
2012-01-11  14:12:18  Warning   RULE 6000051  Default_Rule  TCP    lan        192.168.1.99 213.199.177.155  3805 443     ruleset_drop_packet drop  ipdatalen=28 tcphdrlen=28 syn=1
2012-01-11  14:12:18  Warning   RULE 6000051  Default_Rule  TCP    lan        192.168.1.99 213.199.177.155  3804 443     ruleset_drop_packet drop
routes show as
Flags  Network          Interface     Gateway      Local IP  Metric
D      192.168.1.1      wan                                  100
D      192.168.1.99     lan                                  100
D      192.168.1.5      wan                                  100
D      192.168.1.7      wan                                  100
       192.168.1.254    core          (Iface IP)             0
       172.17.100.254   core          (Iface IP)             0
       192.168.1.253    core          (Iface IP)             0
       127.0.0.1        core          (Iface IP)             0
       172.17.100.0/24  dmz                                  100
       192.168.1.0/24   switched                             100
       192.168.1.0/24   switched                             100
       224.0.0.0/4      core          (Iface IP)             0
       0.0.0.0/0        ipsec-tunnel                         90
       0.0.0.0/0        wan           192.168.1.1            100
connections as
State     Proto  Source                    Destination               Timeout
UDP       UDP    core:0.0.0.0:0            core:192.168.1.254:1701   4
UDP       UDP    lan:192.168.1.99:55473    wan:192.168.1.1:53        85
UDP       UDP    wan:85.255.209.109:500    core:192.168.1.253:500    4
UDP       UDP    wan:85.11.194.39:500      core:192.168.1.253:500    4
UDP       UDP    wan:202.152.177.32:500    core:192.168.1.253:500    13
UDP       UDP    lan:192.168.1.99:65054    wan:192.168.1.1:53        33
UDP       UDP    lan:192.168.1.99:63523    wan:192.168.1.1:53        112
TCP_OPEN  TCP    lan:192.168.1.99:4089     core:192.168.1.254:443    262144
ping resolves the name to an IP but still no web access or ping. help
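The two posts above contain the core of the puzzle: the rule table says lan -> wan traffic is NATed, but every dropped packet in both logs (routed and transparent mode) is attributed to Default_Rule. The script below is an added example, not code from this thread or from NetDefendOS: it replays the four posted rules as a first-match evaluator over the posted log entries (reflowed onto single lines) and reports which rule would have matched each packet. NetDefendOS decides the destination interface by a route lookup before it consults the IP rules, and the log does not show that interface, so the example takes it as a parameter and assumes "wan". The port contents of smb-all and ftp-passthrough-av are assumptions based on the service names, not read from the device.

```python
"""Replay the posted lan -> wan IP rule table against the posted Default_Rule drops.

Added example for this thread; not NetDefendOS code. Assumptions are marked.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Address book objects as posted in the thread.
NETWORKS = {
    "lannet": ipaddress.ip_network("192.168.0.0/24"),
    "wannet": ipaddress.ip_network("192.168.1.0/24"),
    "all-nets": ipaddress.ip_network("0.0.0.0/0"),
}

# Services: list of (protocol, port set or None for any port). Names are from the
# posted rule table; the port contents are assumptions from the usual meaning.
ANY_PORT = None
SERVICES = {
    "smb-all": [("TCP", {135, 139, 445}), ("UDP", {137, 138})],  # assumed SMB ports
    "ping-outbound": [("ICMP", ANY_PORT)],
    "ftp-passthrough-av": [("TCP", {21})],                       # assumed FTP control
    "all_tcpudp": [("TCP", ANY_PORT), ("UDP", ANY_PORT)],
}

@dataclass(frozen=True)
class Rule:
    name: str; action: str; src_if: str; src_net: str
    dst_if: str; dst_net: str; service: str

# The IP rule table exactly as posted; order matters, first match wins.
RULES = [
    Rule("drop_smb-all", "Drop", "lan", "lannet", "wan", "all-nets", "smb-all"),
    Rule("allow_ping-outbound", "NAT", "lan", "lannet", "wan", "all-nets", "ping-outbound"),
    Rule("allow_ftp-passthrough_av", "NAT", "lan", "lannet", "wan", "all-nets", "ftp-passthrough-av"),
    Rule("allow_standard", "NAT", "lan", "lannet", "wan", "all-nets", "all_tcpudp"),
]

@dataclass(frozen=True)
class Packet:
    src_if: str; src_ip: str; dst_if: str; dst_ip: str; proto: str; dst_port: Optional[int]

def service_matches(service: str, proto: str, dst_port: Optional[int]) -> bool:
    return any(p == proto and (ports is ANY_PORT or dst_port in ports)
               for p, ports in SERVICES[service])

def match_rule(pkt: Packet) -> tuple[str, str]:
    """(rule name, action) of the first matching rule, else the implicit default drop."""
    src, dst = ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip)
    for r in RULES:
        if (r.src_if == pkt.src_if and r.dst_if == pkt.dst_if
                and src in NETWORKS[r.src_net] and dst in NETWORKS[r.dst_net]
                and service_matches(r.service, pkt.proto, pkt.dst_port)):
            return r.name, r.action
    return "Default_Rule", "drop"

# One log entry per line in the posted column order; ICMP entries carry no ports.
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<sev>\S+) (?P<cat>\S+) (?P<id>\d+) (?P<rule>\S+) "
    r"(?P<proto>TCP|UDP|ICMP) (?P<src_if>\S+) (?P<src_ip>[\d.]+) (?P<dst_ip>[\d.]+)"
    r"(?: (?P<src_port>\d+) (?P<dst_port>\d+))? (?P<event>\S+) (?P<action>\S+)"
)

def packet_from_log(line: str, dst_if: str = "wan") -> Packet:
    """Parse one log line. The log omits the destination interface, so the caller
    supplies it; "wan" is the assumption for traffic following the default route."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    port = int(m["dst_port"]) if m["dst_port"] else None
    return Packet(m["src_if"], m["src_ip"], dst_if, m["dst_ip"], m["proto"], port)

def explain(line: str, dst_if: str = "wan") -> str:
    """Which posted rule would have matched this logged packet, given dst_if."""
    name, action = match_rule(packet_from_log(line, dst_if))
    return f"{name} ({action})"

# Two entries from the posted log, reflowed onto single lines.
SAMPLE_LOG = [
    "2012-01-11 09:53:18 Warning RULE 6000051 Default_Rule TCP lan 192.168.0.99 199.47.218.148 2052 80 ruleset_drop_packet drop ipdatalen=28 tcphdrlen=28 syn=1",
    "2012-01-11 09:53:16 Warning RULE 6000051 Default_Rule ICMP lan 192.168.0.99 209.85.229.94 ruleset_drop_packet drop ipdatalen=40 icmptype=ECHO_REQUEST echoid=768 echoseq=2560",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"logged: Default_Rule drop; rule that fits lan->wan: {explain(line)}")
```

Run against the posted entries, the evaluator says the HTTP SYN fits allow_standard and the echo request fits allow_ping-outbound, which is exactly what the poster expected. Because the device logged Default_Rule instead, the packet must have been classified with a different interface pair or service than the rules name (try `explain(line, dst_if="dmz")` to see the same packet fall through to the default drop). That makes the interface pair reported by the route lookup, not the rule text, the thing to verify next.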
-
er, it looks like it could be the rules, as the logging says drop packet ruleset 600051 default rule
can't find it anywhere HELP :-[
-
> lan IP on the router 192.168.0.1, netmask 255.255.255.0
> ...............
> wan 192.168.1.0/24, gw 192.168.1.1, WAN interface IP 192.168.1.200
> the router beyond this is on 192.168.1.1 and
Two routers??
One suggestion:
forget the VPN tunnels first.
Try first to give internet access to your clients, and after that try the VPNs.
Be clear about which device gives you access to the internet and configure the firewall according to that device.
- Transparent mode is used when you have an xDSL router NATing ports.
- Non-transparent mode is used for modems such as cable modems; in that case the WAN parameters are provided by your ISP, by fixed IP or by DHCP.
Regards
-
that's what I have, sorry, it's an ADSL router forwarding everything everywhere
and the VPN tunnels work nicely inbound
at a loss as to why this won't allow web traffic outbound, as the rule says to but the logs say drop grrrr
-
think I will reset to factory defaults and start again
will the box allow web traffic out by default?
-
> think I will reset to factory defaults and start again
> will the box allow web traffic out by default?
Yes, you will get it, but you must configure your firewall (LAN interface, WAN interface) and the ADSL router interface in the same subnet, and the firewall must be in transparent mode.
Regards
-
thanks on to it now
-
Hey there Mikejh69! I would like to know what happened in your case, whether the recommended steps worked or not, because I really find this interesting and I would like to know as well what the workarounds are for this.
-
ok, update
I have reset the unit to factory default
set LAN, WAN and gateway all in the same range as the incoming ADSL router, with that (incoming) router's address as the gateway; also set the WAN and LAN interfaces in transparent mode
and yes, it now works on the internet .......
all clients on the LAN side can access the WAN yipeeeeeee
as soon as I enable the IPsec tunnel I lose internet connectivity grr
as I have a 2008 server on the LAN I am going to pass the VPN and remote desktop ports to it and let it authenticate and connect them, as I have run out of time for setting up this L2TP server and tunnel, but hey, that's my fault, not the device's or anyone's on here; I should have allocated more time to this task
-
So many words
Do you have a special requirement to use your ADSL modem as the router and the DFL as a transparent firewall? I think not
Change your modem to bridge mode, disable transparent mode on the DFL
And show what you've configured as screens