Author Topic: DFL-800 is smarter than me :)  (Read 7395 times)

Donki

  • Level 1 Member
  • Posts: 5
DFL-800 is smarter than me :)
« on: July 07, 2010, 04:39:25 PM »

Hello there. I hope I will find the right answers about my situation (scenario) and have a good experience with the DFL-800 firewall...

This is my scenario:

ISP's=2
ISP1=wan1/PPPoE
ISP2=wan2/PPPoE
DFL-800= 10.10.10.5 (firmware 2.26)
DHCP Clients: 10.10.10.100-200
Servers: 10.10.10.5-19

What I need to configure:
1. Forward services from wan2 (HTTP, HTTPS, POP3, SMTP, IMAP) to mail server 10.10.10.15
2. Forward services from wan2 (Microsoft VPN, RDP) to windows server 10.10.10.16
3. All outgoing traffic from servers (10.10.10.11-10.10.10.19) to go only via ISP2 (wan2)
4. All desktops (10.10.10.100-10.10.10.200) to have NAT to internet (not filtered, full access to all services/ports) only via ISP1 (wan1)

If you help me with those 5 rules/actions, you'll make my day!
I hope that with those rules I will understand other actions of a similar nature...

Write me what I need to do if the firewall is factory reset to defaults...


Cheers to all!

By the way, I tried to do this myself: I connected two WAN interfaces, made several rules, and the result was that the mail server services were working, the VPN didn't work, and the mail server didn't go to the internet via wan2; everything was on wan1... I give up for now :(


danilovav

  • Level 4 Member
  • Posts: 424
  • Alexandr Danilov
Re: DFL-800 is smarter than me :)
« Reply #1 on: July 07, 2010, 08:31:50 PM »

I think it's not working because the operation of both WANs has to be set up specifically (see below). So...

0. I hope you will change lan_ip yourself ;)

1. Objects > Address book > LocalNetwork
Add objects
lan_mail_server = 10.10.10.15
lan_win_server = 10.10.10.16
lan_servers = 10.10.10.11-10.10.10.19
lan_clients = 10.10.10.100-10.10.10.200 # it will be used for DHCP pool

2. System > DHCP servers
Add a new DHCP server, use lan_clients as the pool, set lan_ip as the default gateway and your Win server as DNS (I think you have AD there?)

3. Interfaces > PPPoE
Add your ISP connections. For example, let them be named wan1_pppoe and wan2_pppoe
For wan1, keep the "Add route" checkbox; for wan2, deselect it
[Q] This example is static by interfaces. Do you need a failover? I mean, when wan1 is down, LAN clients can go through wan2, and the same for servers.

4. Objects > Address book > InterfaceAddresses
Add a new IP4 group wans_ips = wan1_pppoe_ip + wan2_pppoe_ip

5. Interfaces > Interface groups
Add a group named wans = wan1_pppoe + wan2_pppoe
It will be used for similar WAN rules (e.g., external ping)

6. Interfaces > Ethernet
Disable DHCP for the WANs
[Q] If you don't need to access the physical WANs, deselect the "Add route" checkboxes in the wan1/2 settings
If you need it, let me know the addresses later

7. Routing > Routing tables
Add a new routing table alt_wan1_pppoe
Add one route into it: network all-nets, interface wan1_pppoe, metric 100
Do the same for wan2 (routing table name alt_wan2, route to wan2)

8. Routing > Routing rules
# process requests from wan1_pppoe
wan1_pppoe/all-nets any/all-nets, forward main, return alt_wan1_pppoe
# process requests from wan2_pppoe
wan2_pppoe/all-nets any/all-nets, forward main, return alt_wan2_pppoe
# change outgoing interface for servers
lan/lan_servers wans/all-nets, forward alt_wan2, return main

9. Objects > Services
Add a new group allowed_mail_server = http, https, pop3, smtp, imap
Add a new group allowed_win_server = pptp-suite, rdp

10. Rules > IP rules
# allow external ping
Allow wans/all-nets core/wans_ips ping-inbound
# rules for publishing mail server
SAT wan2/all-nets core/wan2_ip allowed_mail_server (SAT: new destination = lan_mail_server)
NAT wan2/all-nets core/wan2_ip allowed_mail_server
# rules for publishing win server
SAT wan2/all-nets core/wan2_ip allowed_win_server (SAT: new destination = lan_win_server)
NAT wan2/all-nets core/wan2_ip allowed_win_server

11. Rules > IP rules > lan_to_wan1
Change the destination interface wan1 to wans
Change the allow_standard rule: service all_services instead of all_tcpudp

As a result, it will work according to your requirements, but without additional flexibility (I mean failover).
Dividing the WANs (wan2 for servers, wan1 for clients) is performed by PBR, and it allows you to have similar IP rules.

Please answer my questions and I'll let you know what to change.
BR, Alexandr Danilov
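As an added example (not code from this thread or from NetDefendOS), the following Python models the address book, routing rules and IP rules from Reply #1 so that a given flow can be traced through the routing-rule lookup (steps 7 and 8) and the SAT/NAT pairing (steps 10 and 11). The WAN addresses 198.51.100.2 and 203.0.113.2 and the object name lannet are assumed placeholders; the rest of the values come from the reply.

```python
import ipaddress
# Added example, not NetDefendOS code: models the address book, routing rules and IP rules
# from Reply #1 to trace which WAN a flow leaves on and whether it is translated.
# WAN addresses are constructed placeholders; everything else comes from the thread.
ADDR = {"all-nets": ("0.0.0.0", "255.255.255.255"), "lannet": ("10.10.10.0", "10.10.10.255"),
        "lan_mail_server": ("10.10.10.15", "10.10.10.15"), "lan_win_server": ("10.10.10.16", "10.10.10.16"),
        "lan_servers": ("10.10.10.11", "10.10.10.19"), "wan1_ip": ("198.51.100.2", "198.51.100.2"),
        "wan2_ip": ("203.0.113.2", "203.0.113.2")}
IFGROUP = {"wans": {"wan1_pppoe", "wan2_pppoe"}}
SERVICE = {"allowed_mail_server": {"http", "https", "pop3", "smtp", "imap"},
           "allowed_win_server": {"pptp-suite", "rdp"}, "all_services": None}
# Steps 3 and 7: default route per routing table (wan1 keeps "Add route", so main -> wan1)
DEFAULT_ROUTE = {"main": "wan1_pppoe", "alt_wan1_pppoe": "wan1_pppoe", "alt_wan2": "wan2_pppoe"}
# Step 8: routing rules, first match wins: (src_if, src_net, dst_if, dst_net, forward, return)
ROUTING_RULES = [("wan1_pppoe", "all-nets", "any", "all-nets", "main", "alt_wan1_pppoe"),
                 ("wan2_pppoe", "all-nets", "any", "all-nets", "main", "alt_wan2"),
                 ("lan", "lan_servers", "wans", "all-nets", "alt_wan2", "main")]
# Steps 10-11: IP rules (action, src_if, src_net, dst_if, dst_net, service, SAT new destination)
IP_RULES = [("SAT", "wan2_pppoe", "all-nets", "core", "wan2_ip", "allowed_mail_server", "lan_mail_server"),
            ("NAT", "wan2_pppoe", "all-nets", "core", "wan2_ip", "allowed_mail_server", None),
            ("SAT", "wan2_pppoe", "all-nets", "core", "wan2_ip", "allowed_win_server", "lan_win_server"),
            ("NAT", "wan2_pppoe", "all-nets", "core", "wan2_ip", "allowed_win_server", None),
            ("NAT", "lan", "lannet", "wans", "all-nets", "all_services", None)]  # lan_to_wan1 after step 11

def in_addr(obj, ip):
    lo, hi = (ipaddress.ip_address(x) for x in ADDR[obj])
    return lo <= ipaddress.ip_address(ip) <= hi

def if_match(obj, iface):
    return obj == "any" or obj == iface or iface in IFGROUP.get(obj, ())

def route(src_if, src, dst):
    # Returns (egress interface, return table); the firewall's own addresses route to core.
    dst_if = "core" if any(in_addr(o, dst) for o in ("wan1_ip", "wan2_ip")) else DEFAULT_ROUTE["main"]
    for s_if, s_net, d_if, d_net, fwd, ret in ROUTING_RULES:
        if if_match(s_if, src_if) and in_addr(s_net, src) and if_match(d_if, dst_if) and in_addr(d_net, dst):
            return ("core" if dst_if == "core" else DEFAULT_ROUTE[fwd]), ret
    return dst_if, "main"

def ip_rule(src_if, src, dst, svc):
    # Top-down lookup: a SAT match rewrites the destination and lookup continues, so the
    # flow only passes if a later NAT/Allow rule also matches; otherwise it is dropped.
    dst_if, new_dst = route(src_if, src, dst)[0], dst
    for action, s_if, s_net, d_if, d_net, s_grp, sat_dst in IP_RULES:
        svc_ok = SERVICE[s_grp] is None or svc in SERVICE[s_grp]
        if if_match(s_if, src_if) and in_addr(s_net, src) and if_match(d_if, dst_if) and in_addr(d_net, dst) and svc_ok:
            if action != "SAT":
                return action, new_dst
            new_dst = ADDR[sat_dst][0]
    return "Drop", new_dst
```

Tracing a server flow shows it leaving on wan2_pppoe while a client flow leaves on wan1_pppoe, and an inbound SMTP connection to the wan1 address is dropped because the SAT/NAT pair only exists on wan2.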

Donki

  • Level 1 Member
  • Posts: 5
Re: DFL-800 is smarter than me :)
« Reply #2 on: July 20, 2010, 06:48:03 AM »

@danilovav thanks for your reply; I was on vacation, and today I read your reply... I'm sending this to say THANK you for the big support, and I will send a new post again to confirm that everything works fine here. Thanks dude!



Donki

  • Level 1 Member
  • Posts: 5
Re: DFL-800 is smarter than me :)
« Reply #3 on: July 26, 2010, 03:28:21 AM »

@danilovav I have an additional question, sorry... :)

In step no. 7, when adding routes, I have to choose "gateway" and "local IP address"; what should I use, wan1_pppoe_ip or leave it blank?

And what did you think when you wrote that this is not a very flexible configuration? I made all these steps but didn't put the DFL800 into action yet; I will try to make several tests today, after working time... And I hope everything will work smoothly :) Thank you again, dude!

danilovav

  • Level 4 Member
  • Posts: 424
  • Alexandr Danilov
Re: DFL-800 is smarter than me :)
« Reply #4 on: July 26, 2010, 07:35:50 AM »

In the case of PPPoE, leave the gw field blank. And in any normal case, leave "local IP" blank too.

By additional flexibility I mean you can make a more extended failover; for example, use wan2 for clients in case of a wan1 fault.
BR, Alexandr Danilov

Donki

  • Level 1 Member
  • Posts: 5
Re: DFL-800 is smarter than me :)
« Reply #5 on: July 26, 2010, 12:34:50 PM »

Yes, I'd like to do that, to use wan2 in case of a wan1 fault :) If it's not a problem, write me what to do?