D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: tecno13 on August 16, 2009, 11:57:31 PM
-
I need to configure the ports for an Asterisk server and open the ports with this configuration:
server on the LAN: 192.168.0.250 (the telephones are also on the LAN)
ports from 5060 to 5068
ports from 8000 to 8012
ports from 10000 to 20000
thanks
-
What I would do is create a series of services for those port ranges, and then I would group those services into a single service group. From there you can apply that service group to a single port forward rule set.
The FAQ for port forwards is below.
http://www.dlink.com/support/faq/?prod_id=2922
You are going to want to make the second rule an allow instead of a NAT.
-
[2009-08-17 18:23:52] FW: RULE: prio=3 id=06000051 rev=1 event=ruleset_drop_packet action=drop rule=Default_Rule recvif=lan srcip=192.168.0.250 destip=192.168.0.1 ipproto=UDP ipdatalen=36 srcport=50370 destport=53 udptotlen=36
192.168.0.250 VOIP Server
192.168.0.1 firewall
-
Use an Allow instead of a NAT on your second IP Rule like I asked.
-
thanks, I'll try now
Can I ask you a further question?
I need to have some servers in the DMZ with addresses 10.10.10.14, 10.10.10.15, etc.; each IP hosts one service (web, mail, ftp). The scenario is the following:
wan1 has public IPs from 82.150.xx.xx1 to 82.150.xx.xx8; the first corresponds to the DNS server, the second to the web server, the third to the mail server and the fourth to the FTP server, and they have to point to the respective IPs in the DMZ. I have followed the suggestion below but it doesn't work; what can I do?
How to open ports - WAN to DMZ
This setup example shows how to open ports for a FTP server on DMZ network. The example uses the following network settings:
Firewall LAN Interface: 192.168.1.1
Firewall DMZ Interface: 172.17.100.254
FTP Server IP Address: 172.17.100.253
FTP Server Subnet Mask: 255.255.255.0
FTP Server Default Gateway: 172.17.100.254
The goal is to get the FTP Server accessible via the second public IP assigned to the WAN interface. In our example the WAN interface has an additional public IP address. The FTP server is connected to the DMZ network.
Step 1. Log into the Firewall by opening Internet Explorer and typing the LAN address of the Firewall. In our example we are using the default 192.168.1.1. Enter Username and Password which you specified during the initial setup of the Firewall.
Note: If you are setting up a WEB server which uses HTTP port 80, it is advisable to change the default management port of your firewall from 80 to something else. You can set it to be accessed via HTTPS only (port 443) https://192.168.1.1. This can be set under System > Remote Management. If you want to leave HTTP management active but change the port to something different for port 80 (e.g. port 88), select 'Modify Advanced Settings' under System > Remote Management.
Step 2. Go to Objects > Address Book > Interface Addresses. Click on Add and select 'IP Address'.
Step 3. Under Name enter 'FTP_Server' and under IP Address specify the IP address of the server on your DMZ network. In our example it is 172.17.100.253.
Click on OK when done.
Step 4. Add another IP Address. This entry is for the additional public IP which will be used to access your FTP server. Under Name enter 'WAN_Public_IP_2' and under IP Address specify the second public IP address.
Click on OK when done.
Step 5. In the menu on the left select Interfaces > ARP Table. Click on Add > ARP Entry. Add a new ARP Entry. Under Mode select Publish. Interface - WAN. Under IP Address select the 'WAN_Public_IP_2' created in Step 4.
Click on OK when done.
Step 6. In the menu on the left select IP Rules > WAN to DMZ. Click on Add > IP Rule.
Set a rule 'FTP_map'. Under Action select SAT. Since in our example we are setting up an FTP server, under Service we are selecting 'ftp-inbound'.
Set Source Interface as 'any', Source Network: 'all-nets'. Destination Interface: 'WAN', Destination Network: 'WAN_public_IP_2'.
Step 7. Click on SAT tab on top. Select the Destination IP Address option. Under New IP Address select the 'FTP_Server' option.
Click on OK when done.
Step 8. Create another IP Rule to allow FTP traffic.
Set Name as 'Allow_FTP'. Under Action select Allow. Under Service choose 'ftp-inbound'.
Set Source Interface as 'any', Source Network: 'all-nets'. Destination Interface: 'WAN', Destination Network: 'WAN_public_IP_2'.
Click on OK when done.
Step 9. Save the new configuration. In the top menu bar click on Configuration and select 'Save and Activate'.
Click on OK to confirm the new settings activation.
Wait 15 seconds for the Firewall to apply the new settings.
--------------------------------------------------------------------------------
-
it doesn't work, where am I wrong? thanks
VOIP-wan1
#  Name       Action  Source interface  Source network  Destination interface  Destination network  Service
1  VOIP1-nat  NAT     wan1              all-nets        core                   wan1_ip              gruppo-voip
2  VOIP1-in   Allow   wan1              all-nets        core                   wan1_ip              gruppo-voip
3  VOIP1-in   SAT     wan1              all-nets        core                   wan1_ip              gruppo-voip
   SAT: Destination IP = VOIP SERVER (192.168.0.250), All-to-One Mapping: rewrite all destination IPs to a single IP
Service group: gruppo-voip
-
Delete the NAT rule and place the SAT rule before the Allow.
As for your other question, you will write all your port forwards just like the first one (but with different destination networks and SAT destinations obviously) if you do the below.
Create an ARP entry for all additional WAN IPs.
Create a route matching the below pattern for all additional WAN IPs.
Interface  Network   Gateway  Metric
core       WAN_IP_x  -        0
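The SAT-then-Allow ordering in the FAQ steps quoted above, and the NAT/Allow/SAT mix-up in the posted VOIP-wan1 table that the reply corrects, can both be checked with a small first-match model of the rule set. This is an added example, not code from D-Link or from either poster. It assumes a constructed address book (203.0.113.10 stands in for wan1_ip), the three UDP ranges of gruppo-voip from the first post, and a simplified NetDefendOS semantics in which a SAT rule only rewrites the destination while the next matching Allow/NAT/Drop rule decides the verdict, with an implicit Default_Rule drop when nothing matches.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address book for the example; the public IP is a documentation
# placeholder (TEST-NET-3), not the poster's real wan1_ip.
ADDRESS_BOOK = {
    "all-nets": ip_network("0.0.0.0/0"),
    "wan1_ip": ip_network("203.0.113.10/32"),
    "lan_net": ip_network("192.168.0.0/24"),
}

# Services as (protocol, low port, high port); "gruppo-voip" is the poster's
# service group built from the three ranges given in the first post.
SERVICES = {
    "gruppo-voip": [("UDP", 5060, 5068), ("UDP", 8000, 8012), ("UDP", 10000, 20000)],
    "dns": [("UDP", 53, 53)],
}


@dataclass(frozen=True)
class Packet:
    recv_if: str
    src_ip: str
    dst_if: str      # 'core' for traffic addressed to one of the firewall's own IPs
    dst_ip: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # 'SAT', 'Allow', 'NAT' or 'Drop'
    src_if: str
    src_net: str
    dst_if: str
    dst_net: str
    service: str
    sat_dest: Optional[str] = None   # new destination IP, SAT rules only

    def criteria(self) -> Tuple[str, str, str, str, str]:
        return (self.src_if, self.src_net, self.dst_if, self.dst_net, self.service)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Match a rule against the packet as received (before any SAT rewrite)."""
    def iface_ok(rule_if: str, pkt_if: str) -> bool:
        return rule_if == "any" or rule_if == pkt_if

    def in_net(name: str, ip: str) -> bool:
        return ip_address(ip) in ADDRESS_BOOK[name]

    in_svc = any(p == pkt.proto and lo <= pkt.dst_port <= hi
                 for p, lo, hi in SERVICES[rule.service])
    return (iface_ok(rule.src_if, pkt.recv_if) and in_net(rule.src_net, pkt.src_ip)
            and iface_ok(rule.dst_if, pkt.dst_if) and in_net(rule.dst_net, pkt.dst_ip)
            and in_svc)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str, List[str]]:
    """First-match walk of the rule set.

    Returns (verdict, final destination IP, names of the rules that fired).
    A SAT match only records the rewrite and keeps scanning, because SAT by
    itself never admits traffic; the first Allow/NAT/Drop match decides.
    Falling off the end is the implicit Default_Rule drop seen in the logs.
    """
    final = pkt
    fired: List[str] = []
    for rule in rules:
        if not matches(rule, pkt):
            continue
        fired.append(rule.name)
        if rule.action == "SAT":
            final = replace(final, dst_ip=rule.sat_dest)
            continue
        return rule.action, final.dst_ip, fired
    return "Drop", final.dst_ip, fired + ["Default_Rule"]


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Rules that can never fire because an earlier terminal (non-SAT) rule
    has identical criteria; the same situation as rules 1/5 vs 1/6 above."""
    seen: List[tuple] = []   # criteria of terminal rules already passed
    out: List[str] = []
    for rule in rules:
        if rule.criteria() in seen:
            out.append(rule.name)
        if rule.action != "SAT":
            seen.append(rule.criteria())
    return out


VOIP_SAT = Rule("VOIP1-sat", "SAT", "wan1", "all-nets", "core", "wan1_ip",
                "gruppo-voip", sat_dest="192.168.0.250")
VOIP_ALLOW = Rule("VOIP1-in", "Allow", "wan1", "all-nets", "core", "wan1_ip", "gruppo-voip")
VOIP_NAT = Rule("VOIP1-nat", "NAT", "wan1", "all-nets", "core", "wan1_ip", "gruppo-voip")

# Order as posted (NAT, Allow, SAT) versus the order the reply asks for (SAT, Allow).
AS_POSTED = [VOIP_NAT, VOIP_ALLOW, VOIP_SAT]
AS_FIXED = [VOIP_SAT, VOIP_ALLOW]

# Constructed packets: an inbound SIP request to the public IP, and the
# LAN-to-firewall DNS query that the posted log shows being dropped.
SIP_IN = Packet("wan1", "198.51.100.7", "core", "203.0.113.10", "UDP", 5060)
DNS_FROM_LAN = Packet("lan", "192.168.0.250", "core", "192.168.0.1", "UDP", 53)

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("fixed", AS_FIXED)):
        print(label, evaluate(rules, SIP_IN), "shadowed:", shadowed_rules(rules))
    print("lan dns", evaluate(AS_FIXED, DNS_FROM_LAN))
```

With the posted order the NAT rule takes the first match and the SAT never rewrites anything, so the SIP request ends up at the firewall's own address; with SAT placed before Allow the verdict is Allow and the destination is 192.168.0.250. The DNS query from the LAN matches nothing in either set (no rule has lan or any as source interface), which is exactly the Default_Rule drop in the log.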
-
I believe I have resolved it thanks to you; now, however, what do I do to enter from the LAN and view the servers, i.e. the web pages and the sites hosted on the servers?
-
help me
-
I do not understand what you are asking me.
-
from the LAN I cannot see the servers in the DMZ, i.e. the HTTP pages and the services
-
Do you have an IP Rule in place with LAN included in the source interface?
-
I don't believe I have done that; if you can, have a look to see if there are any errors
excuse my very poor English
http://www.nsgroup.it/html-page/dfl-800.htm
-
That helps a lot.
IP Rules 1/5 and 1/6 conflict, and only 1/5 will be used. Delete one of them.
IP Rules 3/1 and 3/2 are the ones we are worried about, ensure that the LAN is included in the source interface. This can be done by setting it to any, or by creating an Interface Group that includes both LAN and WAN.
IP Rule folder 4 is a little bit of a mess; it looks like you got the source interface as "any" correct there. You are also using WAN as the destination interface instead of core, which I would prefer to see as core (that will only work if your routes are right). Also you have some conflicting port forwards (Rules 4/1-2, 4/6-7); as they have the same interface and network masks only the first one will ever take effect. Remove one of them.
It looks like your core routes I asked you to make are in a separate routing table, if that is the case they are not going to take effect (at least not without a cumbersome routing rule). Get them on the main table.
No worries, trust me your English is better than my Italian!
-
you are great, excuse me for the trouble; look whether it is OK now, I have modified the tables
if any other error exists, don't hesitate to tell me; I am very slow
http://www.nsgroup.it/html-page/dfl-800.htm
-
Change the source interface on your Voip_WAN1 rules to any.
Your WAN1_Server rules are all gone so I can only assume you have consolidated; that said, you will need either an Allow or a NAT that matches the SAT rule there.
-
ok, could you give a look at my logs? I don't manage to browse the DMZ from the LAN and the VoIP doesn't work
192.168.0.250 VoIP server on the LAN
192.168.0.1 DFL-800
08-21-2009 10:31:16 Local0.Warning 192.168.0.1 [2009-08-21 10:31:18] FW: RULE: prio=3 id=06000051 rev=1 event=ruleset_drop_packet action=drop rule=Default_Rule recvif=lan srcip=192.168.0.250 destip=192.168.0.1 ipproto=UDP ipdatalen=58 srcport=41890 destport=53 udptotlen=58
10.10.10.30 Web server in the DMZ
10.10.10.254 DMZ IP DFL-800
08-21-2009 10:34:34 Local0.Warning 192.168.0.1 [2009-08-21 10:34:36] FW: ARP: prio=3 id=00300049 rev=1 event=invalid_arp_sender_ip_address action=drop rule=Default_Access_Rule recvif=dmz hwsender=00-d0-b7-72-6c-03 hwdest=ff-ff-ff-ff-ff-ff arp=request srcenet=00-d0-b7-72-6c-03 srcip=10.10.10.30 destenet=00-00-00-00-00-00 destip=10.10.10.254
83.xxx.xxx.xxx is my IP on the WAN1-IP-extra-2 network
08-21-2009 10:45:33 Local0.Warning 192.168.0.1 [2009-08-21 10:45:35] FW: RULE: prio=3 id=06000051 rev=1 event=ruleset_drop_packet action=drop rule=Default_Rule recvif=wan1 srcip=78.174.214.36 destip=83.xxx.xxx.xxx ipproto=TCP ipdatalen=24 srcport=1499 destport=25 tcphdrlen=24 syn=1
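Before touching the rule set it helps to reduce lines like the three above to the fields that matter (receiving interface, rule, event, destination port) and to attach the cause this thread arrived at for each pattern. The parser below is an added example, not D-Link code or anything the posters ran. The sample lines are constructed copies of the ones posted, with the real source address and the masked public IP replaced by documentation addresses; the hints in diagnose() are assumptions taken from the replies in this thread (missing LAN source interface, missing dmz-net route), not firmware output.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: the three drop lines from the post above with the
# public-side addresses swapped for TEST-NET placeholders, plus one line that
# is not a firewall record so the parser has something to reject.
SAMPLE_LOG = [
    "08-21-2009 10:31:16 Local0.Warning 192.168.0.1 [2009-08-21 10:31:18] FW: RULE: prio=3 "
    "id=06000051 rev=1 event=ruleset_drop_packet action=drop rule=Default_Rule recvif=lan "
    "srcip=192.168.0.250 destip=192.168.0.1 ipproto=UDP ipdatalen=58 srcport=41890 destport=53 udptotlen=58",
    "08-21-2009 10:34:34 Local0.Warning 192.168.0.1 [2009-08-21 10:34:36] FW: ARP: prio=3 "
    "id=00300049 rev=1 event=invalid_arp_sender_ip_address action=drop rule=Default_Access_Rule "
    "recvif=dmz hwsender=00-d0-b7-72-6c-03 hwdest=ff-ff-ff-ff-ff-ff arp=request "
    "srcenet=00-d0-b7-72-6c-03 srcip=10.10.10.30 destenet=00-00-00-00-00-00 destip=10.10.10.254",
    "08-21-2009 10:45:33 Local0.Warning 192.168.0.1 [2009-08-21 10:45:35] FW: RULE: prio=3 "
    "id=06000051 rev=1 event=ruleset_drop_packet action=drop rule=Default_Rule recvif=wan1 "
    "srcip=198.51.100.36 destip=203.0.113.2 ipproto=TCP ipdatalen=24 srcport=1499 destport=25 tcphdrlen=24 syn=1",
    "08-21-2009 10:46:00 Local0.Info 192.168.0.1 some unrelated syslog noise without a FW prefix",
]

# "[timestamp] FW: CATEGORY: " marks the start of the firewall's own fields.
HEAD_RE = re.compile(r"\[(?P<ts>[^\]]+)\] FW: (?P<category>[A-Z]+): ")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one NetDefendOS syslog line into a flat dict of its key=value
    fields plus 'ts' and 'category' (RULE, ARP, ...); None if not a FW line."""
    head = HEAD_RE.search(line)
    if head is None:
        return None
    record = {"ts": head.group("ts"), "category": head.group("category")}
    record.update(KV_RE.findall(line, head.end()))   # only fields after the header
    return record


def drops(lines: List[str]) -> List[Dict[str, str]]:
    """Parsed records whose action is drop; everything else is ignored."""
    return [r for r in map(parse_line, lines) if r is not None and r.get("action") == "drop"]


def drop_summary(lines: List[str]) -> Counter:
    """Count drops by (receiving interface, rule, event), which is the first
    thing to look at when deciding which rule folder or route is missing."""
    return Counter((r["recvif"], r["rule"], r["event"]) for r in drops(lines))


def diagnose(record: Dict[str, str]) -> str:
    """Attach the cause this thread settled on for each drop pattern.
    Assumption: these hints are taken from the replies above, not from the firmware."""
    event, recvif = record.get("event"), record.get("recvif")
    if event == "invalid_arp_sender_ip_address":
        return (f"{recvif}: ARP sender {record['srcip']} is not in a network routed on {recvif}; "
                f"check that the Main routing table has {recvif}-net on this interface")
    if event == "ruleset_drop_packet" and record.get("rule") == "Default_Rule":
        return (f"{recvif}: no IP rule matched {record['ipproto']} to "
                f"{record['destip']}:{record['destport']}; add an Allow (or SAT + Allow) "
                f"with {recvif} in the source interface")
    return f"{recvif}: {event} unclassified"


if __name__ == "__main__":
    for key, count in drop_summary(SAMPLE_LOG).items():
        print(count, key)
    for rec in drops(SAMPLE_LOG):
        print(diagnose(rec))
```

Run as a script it prints one summary line per (interface, rule, event) triple and one hint per drop; the same functions can be fed the output of the firewall's syslog export instead of SAMPLE_LOG.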
-
I believe I have resolved it: in the Main routing table the dmz entry with dmz-net was missing. Thanks, you are great.
What do you think of these logs, where 10.10.10.30 is the server in the DMZ and 10.10.10.254 is the DMZ address of the DFL-800?
An easy question: what do I do to have QoS for the VOIP-SERVER so that SIP has priority over everything?
thank you Fatman