D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: lira3122 on August 21, 2009, 10:48:48 AM
-
I have a webserver inside our firewall which is working fine. The outside world can see the pages just fine. The problem now is the internal network cannot get to any of those pages. When I look at the log for the dfl-210 I see
2009-08-21
12:40:29 Warning RULE
6000051 IfaceIPCollision TCP wan
xx.xxx.xx.226 46514 (NAT address)
xx.xxx.xx.228 80 (webserver IP address)
ruleset_drop_packet
drop
ipdatalen=32 tcphdrlen=32 syn=1
What rule do I have to put in to allow our internal network to see the websites?
Fast help on this would be greatly appreciated.
Thank you in advance.
-
Ensure that the LAN interface is included in the source interface for your IP rules.
That said, I have not seen IfaceIPCollision before for this issue, so I would look into that long and hard.
-
We have the same issue. Hosted websites are visible from outside but not on the inside. We can access the internet from the inside but not the webservers behind the wan port.
lan-to-wan - ip rule #1
Action=SAT
SourceInterface=any
SourceNetwork=workstation lan ip address
DestInterface=any
DestNetwork=all-nets
Service=http-all
SAT tab
Translate Source IP=flagged
New IP=workstation wan ip address
lan-to-wan - ip rule #2
Action=Allow
SourceInterface=any
SourceNetwork=workstation lan ip address
DestInterface=any
DestNetwork=all-nets
Service=http-all
wan-to-lan - ip rule #1
Action=SAT
SourceInterface=any
SourceNetwork=all-nets
DestInterface=any
DestNetwork=server wan ip address
Service=http-all
SAT tab
Translate Destination IP=flagged
New IP=server lan ip address
wan-to-lan - ip rule #2
Action=Allow
SourceInterface=any
SourceNetwork=all-nets
DestInterface=any
DestNetwork=server wan ip address
Service=http-all
We've looked at the documentation and tried many different combinations, but we still don't get it. The websites are found using DNS host headers (xxx.yyyy.com) rather than static IP addresses. The best we've been able to do is successfully get to the correct ip via DNS but the connection fails when it is opened.
Log message:
2009-09-09 00:45:41
Error
CONN 600001
Allow_LanUser_ip8 (lan-to-wan - ip rule #2 above)
TCP
lan "workstation lan ip address" 1599
wan "server wan ip address" 80
conn_open
satsrcrule=SAT_LanUser_ip8 (lan-to-wan - ip rule #1 above)
conn=open
Once we get this working, we'll need to replicate the rules for another two servers and three workstations.
Many thanks in advance...
-
Those first 2 rules are unnecessary and flawed, remove them.
Then respond if you are still having issues.
-
Thanks for responding. We removed the offending rules and still are unable to connect to our webservers from inside the lan.
Is there a FAQ on this topic - we found the one about rdp very helpful earlier.
If a FAQ is not available, do you have a recommendation on how to troubleshoot this issue?
Thanks again.
-
We don't have any specific documentation. It would be best to have someone who knows this product down to the nuts and bolts take a look.
Have you tried a NAT instead of an Allow for your second rule at any point?
-
We have the same issue, helpdesk was unable to resolve our problem...
From outside our network we are able to access our internal servers; from within the network we are unable to establish a connection, receiving the error message "IfaceIPCollision" in the status log.
We have several lan-to-wan rules, however included in those rules are:
nat all services lan-> any interface
all nets -> all nets destination
allow all services lan-> any interface
lan -> all nets destination
Between those two I'm not sure why any requests from the lan would get shut down?
-
What do you mean by "the same issue"?
As I see it, you have only LAN -> WAN rules, and it's not fully correct
1. Change NAT rule to lan/lannet wan/all-nets (don't use any in IP rules)
2. Remove Allow rule, it's useless
-
Same issue as OP. I can connect to my servers from outside of our network without a problem. If I try to connect to the same servers' external IP from within my network, the router kills the connection, showing that error message IfaceIPCollision.
I've tried a number of different rules just to see if I could get it to work. The allow services rule may not be doing anything but it wasn't causing this problem...
For the NAT rule, it doesn't make a difference if you have it set to wan or any for the interface. I removed the allow rule and changed the NAT rule to:
allow_standard NAT All_Lan internal_lans wan all-nets all_services
tia
-
Make NAT loopback additionally for your SAT+Allow (destination NAT) rules
SAT lan/lannet core/wan_ip yourpublicservice (SAT: New destination = yourprivatehost)
NAT lan/lannet core/wan_ip yourpublicservice
Usually, I make common rules for all (external and internal) interfaces like below
1. Interfaces > Interface groups
Add group wan_lan = all wan and lan interfaces (ex. wan + lan)
2. Objects > Services
Add service group (ex., allowed_server) with all allowed services for publication
3. Make rules
SAT wan_lan/all-nets core/wan_ip allowed_server (SAT: New destination = yourprivatehost, All-to-One Mapping: rewrite all destination IPs to a single IP)
Allow wan/all-nets core/wan_ip allowed_server
NAT lan/lannet core/wan_ip allowed_server
This way, you will need just 3 rules for any number of wan interfaces and public services
-
We're still getting that same error message, the way I had the rule set up previously was for any/all instead of having a group/objects for lan/wan/etc...
-
NAT+Allow for lan/lannet->core/wan_ip is not correct. Should be SAT+NAT for this direction.
-
After working with tech support, the way we were able to get the loopback working was by creating a route from the public IP to the core then setting the SAT and NAT rules destination interface to the core.
Routing
-Routing Tables
-main
Add route:
Type Interface Network
Route core Public_IP of server
Then for the rules:
Action Source interface Source network Destination interface Destination network Service
SAT any all-nets core Public_IP of server desired_service
NAT any all-nets core Public_IP of server desired_service
Only thing now is we can't connect to the public IP of the server from a client on the VLAN network, although everything from the lannet works great :P
*Edit - by changing the allow to NAT we were able to get the VLAN network to work as well!
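As an added illustration (not code from the thread, from D-Link, or from NetDefendOS), the following Python model walks a wan client and a lan client through the three-rule loopback set given a few posts up (SAT on the wan_lan group, Allow for wan, NAT for lan) and through the Allow-instead-of-NAT variant, showing why the lan-side rule has to be NAT for the server's reply to come back through the firewall. The addresses, the interface names and the simplified rule-matching semantics are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for the example (not from the thread).
WAN_IP, LAN_IF_IP = "203.0.113.10", "192.168.1.1"   # firewall's public / lan addresses
SERVER_LAN, LAN_NET = "192.168.1.20", "192.168.1.0/24"
GROUPS = {"wan_lan": {"wan", "lan"}}                 # interface group as in the post

@dataclass
class Rule:              # one NetDefend-style IP rule (simplified model)
    action: str          # "SAT", "Allow" or "NAT"
    src_iface: str       # interface, interface group or "any"
    src_net: str         # CIDR, single IP or "all-nets"
    dst_iface: str       # "core" = the firewall's own addresses
    dst_net: str
    dport: int
    new_dst: str = ""    # SAT "New IP"

def _in(net, ip):
    return net == "all-nets" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
def route_iface(ip):
    return "lan" if _in(LAN_NET, ip) else "wan"

def _matches(r, p):   # p: dict with keys iface, src, dst, dport
    src_ok = r.src_iface == "any" or p["iface"] == r.src_iface or p["iface"] in GROUPS.get(r.src_iface, ())
    dst_ok = p["dst"] == WAN_IP if r.dst_iface == "core" else r.dst_iface in ("any", route_iface(p["dst"]))
    return src_ok and dst_ok and _in(r.src_net, p["src"]) and _in(r.dst_net, p["dst"]) and r.dport == p["dport"]

def evaluate(rules, p):
    """Return (verdict, translated packet). A matching SAT rule rewrites the destination, but a
    second Allow/NAT rule matching the *original* packet must also exist or the packet is dropped."""
    out = dict(p)
    sat = next((r for r in rules if r.action == "SAT" and _matches(r, p)), None)
    if sat:
        out["dst"] = sat.new_dst
    second = next((r for r in rules if r.action != "SAT" and _matches(r, p)), None)
    if second is None:
        return "drop", out
    if second.action == "NAT":   # hide the client behind the firewall's address on the egress side
        out["src"] = LAN_IF_IP if route_iface(out["dst"]) == "lan" else WAN_IP
    return second.action, out

def reply_returns_via_firewall(out):
    # The server answers the source it sees; a source on its own segment means the SYN/ACK
    # bypasses the firewall and the client's handshake to WAN_IP never completes.
    return out["src"] in (WAN_IP, LAN_IF_IP) or route_iface(out["src"]) != route_iface(out["dst"])

LOOPBACK = [Rule("SAT", "wan_lan", "all-nets", "core", WAN_IP, 80, SERVER_LAN),   # the three-rule set
            Rule("Allow", "wan", "all-nets", "core", WAN_IP, 80),
            Rule("NAT", "lan", LAN_NET, "core", WAN_IP, 80)]
ALLOW_ONLY = [LOOPBACK[0], Rule("Allow", "any", "all-nets", "core", WAN_IP, 80)]  # the broken variant
```

Running `evaluate(LOOPBACK, ...)` for a lan client shows the NAT verdict with the source rewritten to the firewall's lan address, while `ALLOW_ONLY` leaves the lan client's own address as source, so the server would answer it directly instead of via the firewall.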