D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: unnamedplayer on November 02, 2009, 12:11:07 PM
-
Hello all,
This is my situation. I currently have a DFL-800 connecting my network with my ISP. I am going to be switching ISPs and will be using a new IP address. My new ISP is ready to go, I just have to connect the modem to the router.
However, I have an in-house mail server. Our website is hosted by a third party and their name servers have an MX record which points to the IP assigned to me by the ISP I am leaving.
I would like to be able to have a connection to my new ISP so I can use it, but also still continue to have a connection with my old ISP so that I can continue to receive and send mail until I can update the MX records on our hosting partner.
Is a situation like that possible to accomplish?
Thanks!
-
Sure, just plug in the number for your new ISP, ensure your routing table lists it as the first egress route and that your IP rules will accommodate it.
You will also want a second routing table where your old WAN is the primary egress route. You will want a routing rule for traffic destined for your old WAN_IP specifying this new table as the return route.
Then you can transition MX records in eventuality and disable your old WAN completely.
-
Thank you for the reply. I hate to sound dumb, but I am a little confused by all this :-[
In the Routing section of my DFL-800 the only routing table I see listed is main
Are you saying I will need to add two more routing tables? Or do I have to change the routes for wan1 and wan2 in the main routing table?
Thanks for your help!!
-
Change your main table to reflect your new ISP, then add another table (I usually call it drawkcaB, thanks for that telling habit Piers Anthony) where your old ISP is listed first.
Total of 2 routing tables.
Anything else I can clarify?
-
OK, I think I get it. Basically in my main table I will have something that looks like this:

Interface | Network  | Gateway
wan1      | wan1net  |
wan2      | all-nets | wan2_default_gw
wan2      | wan2net  |
lan       | lannet   |
This will get traffic going to all-net (aka the Internet) to go through wan2 (my new ISP) correct?
But you said I should also have a second table for my old ISP (wan1) that would look like this correct?
Interface | Network  | Gateway
wan1      | wan1net  |
wan1      | all-nets | wan1_default_gw
wan2      | wan2net  |
lan       | lannet   |
Is that right? And then I need to make a new routing rule that says if traffic is going to wan1 the return table is the new alternate table I just created?
Thank you for the help!!
-
I've confirmed that routing table does indeed work. I'm just a little confused with the routing rule. Do I need to make the rule so that everything from the lan interface/network going to the wan1 interface should use my alternate table?
Also, for some reason I cannot receive mail when I made the adjustments to my routing table and had both wan1 and wan2 operating. The log showed incoming connections from wan1 destined for port 25 but they were dropped because of a DEFAULT_ACCESS_RULE.
This makes no sense to me since I have not changed any of my previous rules which had mail coming in fine. The only rules I added were a couple of rules to allow tcp/udp traffic going from lan interface/network to wan2 interface to be allowed.
Any ideas?
Thanks again!!
-
Your routing tables look good, though I would have only written the default route in your second table and made it of type default.
The routing rule we are looking for looks like this.
Name: drawkcaB
Forward Table: main
Return Table: drawkcaB
Service: all-services
Source Interface: WAN1
Source Network: all-nets
Destination Interface: core
Destination Network: wan1_IP
Default Access Rule means that either...
There is no route for the destination address
or
You are receiving that packet over an interface that is configured for a different network.
In your network the second one is almost certainly the issue, but that is simply because we don't have the routing rule yet.
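A worked model of the two-table setup this reply describes, added here as an illustration (it is not from the thread, nor D-Link's own configuration or CLI); the sample addressing, the fallback behaviour assumed for a table of type Default, and the rule matching are all assumptions, written in plain Python rather than NetDefendOS syntax:

```python
import ipaddress

# Constructed sample addressing (hypothetical; not the poster's real ISP ranges).
WAN1_NET, WAN1_GW, WAN1_IP = "198.51.100.0/24", "198.51.100.1", "198.51.100.10"  # old ISP
WAN2_NET, WAN2_GW = "203.0.113.0/24", "203.0.113.1"                               # new ISP
LAN_NET = "192.168.1.0/24"

# (interface, network, gateway) rows, mirroring the poster's tables.
TABLES = {
    "main": [("wan1", WAN1_NET, None), ("wan2", WAN2_NET, None),
             ("wan2", "0.0.0.0/0", WAN2_GW), ("lan", LAN_NET, None)],
    # Second table: only the old ISP's default route, as suggested above.
    "drawkcaB": [("wan1", "0.0.0.0/0", WAN1_GW)],
}

# The routing rule from the reply: connections arriving on wan1 for wan1_IP
# (the firewall itself, 'core') are forwarded via main but answered via drawkcaB.
RULE = {"src_if": "wan1", "dst_ip": WAN1_IP, "forward": "main", "return": "drawkcaB"}

def lookup(table_name, dst):
    """Longest-prefix match. Assumed 'Default' ordering: the alternate table's own
    rows win ties (its default route), everything else is taken from main."""
    dst = ipaddress.ip_address(dst)
    rows = TABLES[table_name] + (TABLES["main"] if table_name != "main" else [])
    hits = [r for r in rows if dst in ipaddress.ip_network(r[1])]
    best = max(hits, key=lambda r: ipaddress.ip_network(r[1]).prefixlen, default=None)
    return (best[0], best[2]) if best else None

def reply_path(conn, use_rule=True):
    """Egress (interface, gateway) for replies to an inbound connection
    conn = (ingress_if, remote_ip, local_ip). Replies are routed toward remote_ip."""
    ingress_if, remote_ip, local_ip = conn
    table = RULE["return"] if use_rule and ingress_if == RULE["src_if"] \
        and local_ip == RULE["dst_ip"] else RULE["forward"]
    return lookup(table, remote_ip)

def is_symmetric(conn, use_rule=True):
    """True when the reply leaves on the interface the connection arrived on."""
    return reply_path(conn, use_rule)[0] == conn[0]

if __name__ == "__main__":
    smtp = ("wan1", "192.0.2.50", WAN1_IP)  # remote MTA delivering to the old MX address
    # Without the rule the SYN-ACK leaves via wan2 carrying a wan1 source address:
    # an asymmetric path the new ISP may well drop, so the mail session never completes.
    print("no rule:  ", reply_path(smtp, use_rule=False), is_symmetric(smtp, False))
    print("with rule:", reply_path(smtp), is_symmetric(smtp))
```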
-
Hmm... well, I went ahead and added that rule. I can send mail fine; however, I could not receive mail. Looking at the log I saw entries for the rule that I configured to allow SMTP. It showed a connection from WAN1 to LAN with dest. port 25 but I never received anything.
I did see a new entry in the log that I had not seen before I did this which was another DEFAULT_ACCESS_RULE. Under Src/Dest If it was just listed as wan1 and under Src/Dest IP it just had my Wan1 IP. No source/destination ports. The exact event was: invalid_arp_sender_ip_address
drop
Not sure if this has something to do with it.
Thanks again for all your help Fatman!
-
What type of routing table did you make drawkcaB?
Is your port forward using a NAT or an Allow action for the second rule?
-
Originally it was Only but I changed it to Default after reading your post.
I have 2 rules to let mail come in:
1) SAT - directs smtp-in to my mail server
2) ALLOW - Allows smtp-in from wan1 (all nets) to core (wan1_ip)
-
Do a SAT and a NAT provide connectivity? This will cause the incoming connections to be NAT'ed, but it will answer some crucial questions.
-
Do you mean to add a NAT rule in addition to my two other rules for mail?
I added one for NAT for service smtp-in with Src If wan1 Src net all-nets destined for Dest If core Dest Net wan1_ip
In the log I got:
Rule: LocalUndelivered
Src/Dest If: wan1
Src/Dest Ip: 127.0.0.1/wan1_ip
Src/Dest Port: 5285/25
Event: unhandled_local
drop
-
No, I meant in place of the Allow.
And that log entry is surreal, I don't know how you would go about getting something that far off. Call this one in if you can. I want to see your config reach TS so they can dissect it.