D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: ppcm on September 08, 2009, 03:14:04 AM
-
Hello,
We have a DFL-800 configured for incoming traffic on WAN1-->DMZ. It works fine...
Now we have another ISP, and we would like to configure it on WAN2-->DMZ.
We applied the same configuration (except for IP addresses of course 8)) on WAN2 as on WAN1, and it doesn't work.
The simple test is a PING on WAN2 interface:
- On WAN2 network, the ping is OK
- On LAN and DMZ networks, the ping fails
I am sure that the IP Rule is useful, because when we discard it, the ping fails for all networks.
Another test was made: we configured WAN2 with a static route, and this time the WAN1 interface fails to respond, but WAN2 responds correctly.
Is there a way to configure WAN1 and WAN2 to respond simultaneously and redirect traffic to the DMZ network?
Thanks for your help
Regards
-
The fact that your IP rules are effective if you place a lower metric route for WAN2 indicates that your IP Rules are correct. What you need is a routing table (it only needs to contain the default routes) where WAN2 comes first, then you need to write a routing rule like the one below.
Forward Table: Main
Reverse Table: drawkcaB
Service: All-Services
Source Interface: WAN2
Source Network: All-Nets
Destination Interface: Core
Destination Network: WAN2_IP
-
Thanks a lot for your quick and pertinent answer.
Now it works fine for the core; wan1_ip and wan2_ip respond correctly.
I have no problem with Wan1net, I can map IP addresses to the DMZ correctly, but when I do the same thing for Wan2net, it doesn't work. Do I need to add a new Routing rule?
In logs, I have:
2009-09-09 Warning RULE xxx.xxx.xxx.xxx ruleset_drop_packet
18:22:25 6000051 Default_Access_Rule ICMP wan2 yyy.yyy.yyy.yyy drop
Where xxx.xxx.xxx.xxx is the remote server and yyy.yyy.yyy.yyy is an address in wan2lan
Thanks for your help
-
I would take a careful look at your IP Rules; I suspect something is awry there. Check for any place where they are not symmetrical to how you wrote your WAN1 rules.
-
I looked carefully at my IP Rules, and everything seems symmetric. You can find all the IP rules here:
(http://www.pintaric.net/dfl-800/IP_Rules/IPRules-1.png)
(http://www.pintaric.net/dfl-800/IP_Rules/IPRules-2.png)
(http://www.pintaric.net/dfl-800/IP_Rules/IPRules-3.png)
(http://www.pintaric.net/dfl-800/IP_Rules/IPRules-4.png)
(http://www.pintaric.net/dfl-800/IP_Rules/IPRules-5.png)
(http://www.pintaric.net/dfl-800/IP_Rules/IPRules-6.png)
(http://www.pintaric.net/dfl-800/IP_Rules/IPRules-7.png)
Thanks for your help
-
OK, for starters, if I were you I would create the following objects.
An Interface Group named Internal which contains the LAN and DMZ interfaces.
An IP Address Group named Internal_Nets which contains the LAN_Net and DMZ_Net objects.
An IP Address Group named Internal_IPs which contains the LAN_IP and DMZ_IP objects.
An Interface Group named External which contains the WAN1 and WAN2 interfaces.
An IP Address Group named External_Nets which contains the WAN1_Net and WAN2_Net objects.
An IP Address Group named External_IPs which contains the WAN1_IP and WAN2_IP objects.
Then replace all of your outbound rules with a single set that has the following template.
Source Interface: Internal
Source Network: Internal_Nets
Destination Interface: External
Destination Network: External_Nets
That will clean up the clutter so that next time someone has to go through these rules it will be a little quicker.
We are also going to have to look at some SAT tab settings for your SAT rules as well as your logs and your routing tables. Maybe it would just be easier to PM me asking me to take a look and I will give you my e-mail so you can just send me the config. I will post the results in this thread so everyone can benefit though.
-
It looks like we had some routing issues with our WAN2 interface, as well as our secondary routing table. I am having ppcm make some changes and then we are going to review where we stand.
-
I finally resolved the problem.
I purged the secondary routing table, and added only one route:
Route wan2 all-nets wan1_gw 100 No
And in Routing rules, I kept the rule you suggested and added one other:
1 WAN2-core wan2 all-nets core wan2net all_services
2 WAN2-all wan2 all-nets wan2 wan2net all_services
And now it works fine.
Thanks a lot for your help
-
Now I don't want to look a gift mouth in the horse here, but that WAN2-Core rule you have is a bad idea, it opens the firewall itself up to anybody who directs traffic to your WAN2_IP. I can't see it being necessary for your scenario, does it work if you disable that rule?
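A small added simulation, not from the thread and not D-Link's code, of the two points made above: the routing rule from the first reply selecting a reverse table for connections that arrive on WAN2 (so replies leave via WAN2 instead of the Main table's WAN1 default), and an audit check that flags an all-services rule from an external interface to core, as in the WAN2-core rule just discussed. Table contents, addresses and the lookup order are constructed assumptions, not NetDefendOS internals.

```python
from ipaddress import ip_network, ip_address

# Constructed routing tables: longest prefix wins, then lowest metric.
# Each entry: (network, egress interface, metric). Main prefers WAN1,
# the second table (named as in the thread) prefers WAN2.
TABLES = {
    "main":     [("0.0.0.0/0", "wan1", 100), ("0.0.0.0/0", "wan2", 200),
                 ("10.1.0.0/24", "dmz", 100)],
    "drawkcaB": [("0.0.0.0/0", "wan2", 100), ("0.0.0.0/0", "wan1", 200),
                 ("10.1.0.0/24", "dmz", 100)],
}

# Routing rule shaped like the one in the first reply: match on source
# interface, pick forward and reverse tables. No match -> both "main".
ROUTING_RULES = [
    {"src_if": "wan2", "forward": "main", "reverse": "drawkcaB"},
]

def lookup(table, addr):
    """Egress interface for addr in the named table (assumed semantics)."""
    best = None
    for net, iface, metric in TABLES[table]:
        n = ip_network(net)
        if ip_address(addr) in n:
            key = (n.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1] if best else None

def reply_interface(ingress_if, src, rules=ROUTING_RULES):
    """Interface used to send replies to src for a connection that arrived
    on ingress_if: the reverse table of the first matching routing rule."""
    reverse = "main"
    for rule in rules:
        if rule["src_if"] == ingress_if:
            reverse = rule["reverse"]
            break
    return lookup(reverse, src)

def exposed_core_rules(ip_rules, external_ifs):
    """Audit helper: names of IP rules that allow all services from an
    external interface to the firewall itself (core)."""
    return [r["name"] for r in ip_rules
            if r["src_if"] in external_ifs and r["dst_if"] == "core"
            and r["service"] == "all_services" and r["action"] == "allow"]
```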
-
If I disable this rule, I can't access the dmz network anymore...
I blocked all traffic to the router with IP Rules for WAN 1 and WAN 2 interfaces...