• February 24, 2025, 07:05:41 AM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  

News:

This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Author Topic: LAN firewall for DFL 210  (Read 5252 times)

gcgiuser

  • Level 1 Member
  • *
  • Posts: 4
LAN firewall for DFL 210
« on: September 13, 2010, 01:51:39 AM »
Hello,

My scenario is to protect one pc server which contains online operational data running on CITECT software from all the other computers in the LAN. Traffic is inbound and outbound. Do I connect the server to one of the LAN ports and then another LAN port to the network switch? Or do I use WAN or DMZ? Another problem is that our LAN has different subnets/segments:  one using 192.168.0.xxx/24, another using 172.24.xxx.xxx/16 (under domain server)  and another using 165.158.157.xxx/24.  How do I configure these? Just please give general idea on how to do this as I have been reading the manual but can't seem to hit the jackpot under this circumstance. Any help would be greatly appreciated.

Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: LAN firewall for DFL 210
« Reply #1 on: September 13, 2010, 08:02:27 PM »
To protect your server with CITECT you can move it into DMZ with transparent mode to LAN (if you need to get it address from one of LAN subnets).

Additional LAN subnets can be added by
1) Objects > Address book > InterfaceAddresses
Add
lan_172_ip=172.24.0.1
lan_172_net=172.24.0.0/16
2) Interfaces > ARP
Add ARP publish of lan_172_ip to LAN
3) Routing > Routing tables > main
Add routes (interface, network, metric)
core lan_172_ip 0
lan lan_172_net 100 (metric same as for lan/lannet)
4) Make sufficient IP rules, like
Allow lan/lannet lan/lan_172_net all_services
Allow lan/lan_172_net lan/lannet all_services
Logged
BR, Alexandr Danilov

gcgiuser

  • Level 1 Member
  • *
  • Posts: 4
Re: LAN firewall for DFL 210
« Reply #2 on: September 14, 2010, 01:57:50 AM »
Hi Mr. Danilov, thanks for the immediate reply.

When you say move server to DMZ with transparent mode to LAN, do you mean just check the Enable transparent mode box when configuring the DMZ interface? and do i need to have the same subnet for my server and the dmz? my current server ip is 165.158.157.12 while my dmz_ip is 165.178.0.1, dmznet is 165.178.0.0/24.  When setting IP rules is the allow rule sufficient in my LAN with server at DMZ? Thanks again and more power!


Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: LAN firewall for DFL 210
« Reply #3 on: September 14, 2010, 11:19:21 AM »
Do you need dmznet 165.178.0.0/24 ? Can you replace it by lannet ?
Transparent mode - yes, i mean enablink of checkboxes. Also, you need to set similar nets and ips of lan and dmz and make allow rules.
Logged
BR, Alexandr Danilov

gcgiuser

  • Level 1 Member
  • *
  • Posts: 4
Re: LAN firewall for DFL 210
« Reply #4 on: September 26, 2010, 11:19:51 PM »
Hi Mr. Danilov,

The reason I assigned a separate subnet for my server and likewise dmznet where I connect my server from all the other subnet in the lan - is to protect my server. Here are my settings:

dmz_ip  165.158.157.4
dmznet  165.158.157.0/24
server ip  165.158.157.12

lan_ip  192.168.0.170
lannet  192.168.0.0/16

lan_172_ip   172.24.25.170
lan_172_net  172.24.0.0/16

I enable transparent mode at dmz interface setting as you have said.
Added  ARP publish of lan_172_ip to lan, routed lan_172_ip then made sufficient rules such as lan/lannet  lan/lan_172_net all_services and vice versa.  I made my dfl ips as gateway of other computers in the lan.

Problem:  the server could not ping some computers, and all computers could not ping dmz_ip.

Please help.
« Last Edit: September 26, 2010, 11:24:27 PM by gcgiuser »
Logged