D-Link Forums

The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: bubbleman on March 05, 2012, 06:58:17 AM

Title: How to conect two DFL-800 directly?
Post by: bubbleman on March 05, 2012, 06:58:17 AM: Hi,

I have two DFL-800 in the office with different LAN, one in 10.103.6.x and the other one in 10.104.6.x with one connection to internet each one.

The problem is: I would like to connect directly a computer in 10.103.6.x want to connect to a resource in 10.104.6.x LAN, without go trough internet using a vpn or something like that. Maybe its possible create a rule to routing the traffic. I have try some options but something is not working correctly.

Thanks for your help.
;-)
Title: Re: How to conect two DFL-800 directly?
Post by: Galthran on March 06, 2012, 05:13:39 AM: connect a network cable between the two firewalls and just add the route and rules that are necessary to allow the traffic.
Title: Re: How to conect two DFL-800 directly?
Post by: bubbleman on March 06, 2012, 06:20:18 AM: A cable between lan to lan firewall? and which rules I need to add, and gateways? Could you explain me?

Thxs.
Title: Re: How to conect two DFL-800 directly?
Post by: Galthran on March 06, 2012, 10:51:58 AM: Quote from: bubbleman on March 06, 2012, 06:20:18 AM
A cable between lan to lan firewall? and which rules I need to add, and gateways? Could you explain me?

Thxs.

You can connect a cable between the two firewalls using a free interface on each firewall.
Assign a network that you can use for the interfaces ip and for the link network between the firewalls.
Then set up the networks in the routing table on each firewall, pointing each network to be behind the other firewall by setting the gateway field on the route. The gateway will be the ip that you use on the interface for link on the other firewall.

For example if 192.168.50.0 network is used for hte link between the firewalls and firewall B ip is 192.168.50.1 and firewall A ip is 192.168.50.2, the routing table would look something like this:
On firewall A: Route 10.103.6.0/24 Gateway 192.168.50.1
On firewall B: Route 10.104.6.0/24 Gateway 192.168.50.2

Then just add the Allow rules for both directions on each firewall to allow the traffic to be routed between the interfaces on respective firewall...
Title: Re: How to conect two DFL-800 directly?
Post by: bubbleman on March 07, 2012, 12:36:44 AM: Hi, I have tried to do but I guess i have forgotten something.

I have created:

FW1:
Interfaces:
Lan_Fw_to_Fw: 10.120.6.0/24
Gw_to_Fw2: 10.120.6.2

Rules:
Name | Action | Source interface | Source Network | Dest. interface | Dest. Network | Service
all-in Allow lan Lan_Fw_to_Fw lan lannet(10.104.6.0/24) all_tcpudpicmp
all-out Allow lan lannet(10.104.6.0/24) lan Lan_Fw_to_Fw all_tcpudpicmp

Route:
Type | Interface | Network | Gateway | Local IP address | Metric
Route lan Lan_Fw_to_Fw Gw_to_Fw2 0

FW2:
Interfaces:
Lan_Fw_to_Fw: 10.120.6.0/24
Gw_to_Fw1: 10.120.6.1

Rules:
Name | Action | Source interface | Source Network | Dest. interface | Dest. Network | Service
all-in Allow lan Lan_Fw_to_Fw lan lannet(10.103.6.0/24) all_tcpudpicmp
all-out Allow lan lannet(10.103.6.0/24) lan Lan_Fw_to_Fw all_tcpudpicmp

Route:
Type | Interface | Network | Gateway | Local IP address | Metric
Route lan Lan_Fw_to_Fw Gw_to_Fw1 0

Could you check if something is wrong?

Thxs a lot.
Title: Re: How to conect two DFL-800 directly?
Post by: Galthran on March 07, 2012, 04:52:03 AM: Hi,

I dont fully understand your setup with the LAN network, it looks like you have set the LAN interface both for your internal network, and for the link network between the firewalls, it can probably be solved but usually it is a problem for the routing of the traffic, since the hosts on the other subnet gets the traffic from the firewall FW1, and when the host will send the return traffic, they will look into it´s routing table, find the default route and send it to their default gateway, which for them will be FW2.

To avoid this I think if you can find a dedicated interface on each firewall would be the best, like the DMZ interface if it is free.

Regarding your configuration I can see one problem.
Code: [Select]
Rules: Name | Action | Source interface | Source Network | Dest. interface | Dest. Network | Service all-in Allow lan Lan_Fw_to_Fw lan lannet(10.104.6.0/24) all_tcpudpicmp all-out Allow lan lannet(10.104.6.0/24) lan Lan_Fw_to_Fw all_tcpudpicmp
I think should be...

Code: [Select]
Rules: Name | Action | Source interface | Source Network | Dest. interface | Dest. Network | Service all-in Allow lan 10.103.6.0/24 lan lannet(10.104.6.0/24) all_tcpudpicmp all-out Allow lan lannet(10.104.6.0/24) lan 10.103.6.0/24 all_tcpudpicmp
Title: Re: How to conect two DFL-800 directly?
Post by: bubbleman on March 07, 2012, 09:14:36 AM: Hi, I have tried this config with this change, but unfortunately its not working. Something is missing.

About your suggestion, i cannot use DMZ interface, because i'm using for other issues. Then I need to use lan's interfaces.

Someone have any idea??

Thxs.
Title: Re: How to conect two DFL-800 directly?
Post by: danilovav on March 08, 2012, 08:32:54 PM: First of all, you can use VLAN, even you haven't managed L2 switch - DFL will tag VLAN packets

Your configuration with additinal LAN network seems good, but
1) make ARP publish for additinal IP addresses on LAN
2) change route metric from 0 to at least 1
3) add route "core additional_ip 0" to each DFL
Title: Re: How to conect two DFL-800 directly?
Post by: bubbleman on March 09, 2012, 12:55:08 AM: Hi, I don´t know how to do with VLANs.

I have added you additional suggestions, and this is the actual configuration:

FW1:(10.103.6.0/24)
Interfaces:
Lan1: 10.103.6.0/24
Lan2: 10.104.6.0/24
Lan_Fw_to_Fw: 10.120.6.0/24
Gw_to_Fw2: 10.120.6.2

Rules:
Name | Action | Source interface | Source Network | Dest. interface | Dest. Network | Service
all-in Allow lan Lan1(10.103.6.0/24) lan Lan2(10.104.6.0/24) all_tcpudpicmp
all-out Allow lan Lan2(10.104.6.0/24) lan Lan1(10.103.6.0/24) all_tcpudpicmp
all-in NAT lan Lan1(10.103.6.0/24) lan Lan2(10.104.6.0/24) all_tcpudpicmp
all-out NAT lan Lan2(10.104.6.0/24) lan Lan1(10.103.6.0/24) all_tcpudpicmp

Route:
Type | Interface | Network | Gateway | Local IP address | Metric
Route lan Lan_Fw_to_Fw Gw_to_Fw2 1
Route core Lan_Fw_to_Fw Gw_to_Fw2 1

ARP:
Mode Interface IP Adress MAC Adress
Publish lan GW_to_FW2 00-00-00-00-00-00

FW2:(10.104.6.0/24)
Interfaces:
Lan1: 10.104.6.0/24
Lan2: 10.103.6.0/24
Lan_Fw_to_Fw: 10.120.6.0/24
Gw_to_Fw1: 10.120.6.1

Rules:
Name | Action | Source interface | Source Network | Dest. interface | Dest. Network | Service
all-in Allow lan Lan1(10.104.6.0/24) lan Lan2(10.103.6.0/24) all_tcpudpicmp
all-out Allow lan Lan2(10.103.6.0/24) lan Lan1(10.104.6.0/24) all_tcpudpicmp
all-in NAT lan Lan1(10.104.6.0/24) lan Lan2(10.103.6.0/24) all_tcpudpicmp
all-out NAT lan Lan2(10.103.6.0/24) lan Lan1(10.104.6.0/24) all_tcpudpicmp

Route:
Type | Interface | Network | Gateway | Local IP address | Metric
Route lan Lan_Fw_to_Fw Gw_to_Fw1 1
Route core Lan_Fw_to_Fw Gw_to_Fw1 1

ARP:
Mode Interface IP Adress MAC Adress
Publish lan GW_to_FW1 00-00-00-00-00-00

Could you check if is correct??!!

Thxs for your help.
Title: Re: How to conect two DFL-800 directly?
Post by: bubbleman on March 12, 2012, 02:51:18 PM: Hi, I have tried this configuration. But its not working. Someone could check it, and give me a clue.

Thanks.