Author Topic: DFL-210 configuration problems  (Read 12431 times)

markanglin

  • Level 1 Member
  • *
  • Posts: 10
DFL-210 configuration problems
« on: September 21, 2009, 12:35:21 PM »

I have been trying to configure this device since our DFL-300 quit working. I am trying to set up rules to let people out to Internet and also to allow inbound access to our FTP server, Exchange server and an interior application that runs on port 8080. I have followed several of the hints that people have posted here about setting up an IP Rules port_mapping folder that directs specific traffic to the correct internal IP addresses. I have set up SAT and Allow rules for each service needed in the port_mapping folder.

Do I need to duplicate these rules in the lan_to_wan, wan_to_lan, etc. rules folders? My users can get out to the internet but SMTP traffic is not being forwarded to the correct machine.


Thanks in advance for the help....I am pulling what little hair I have left out....

MarkA
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: DFL-210 configuration problems
« Reply #1 on: September 21, 2009, 12:43:45 PM »

No, you should only need 1 copy of the rules in place; it doesn't matter what order or folder they are in as long as they are the first rules which would apply to the traffic in question, and the SAT comes before the Allow (or NAT).

Pay careful attention to your services (if you created your own) to ensure they list the source ports as 0-65535.

Have you tried a NAT instead of an Allow for rule #2 (it would hide the real source IP of the traffic, but it is a band-aid for some problems on the server's side [which I have seen with Exchange servers before])?

Are you testing from inside or outside your network?  Do you need it to work from inside your network?  If so, have you changed your source interface to something that includes the LAN?
Logged
non progredi est regredi

markanglin

  • Level 1 Member
  • *
  • Posts: 10
Re: DFL-210 configuration problems
« Reply #2 on: September 25, 2009, 12:33:29 PM »

So I have almost everything configured. SMTP is working inside and from outside. Have remote desktop working, POP3, VPN and a custom service that runs over port 8080. Everything is forwarding to the correct inside (private IP machine) except for HTTP/HTTPS. We set up an alias to go to our Outlook Web Access so people can just type in http://webmail.companyname.com and it then takes them to https://mail.companyname.com/OWA. The weird thing is that all http/https traffic is being ported to the DFL-210 login screen. I am using a 2 rule setup for all the services. A SAT and then an Allow. For the HTTP and HTTPS traffic, I tried using http-all, http, http-in-all as the service but nothing forwards it to the exchange server.

I am using Source Interface - any, Source network -all nets, Destination interface - core, and the Destination network - wan1_ip. This is similar to what all the other port forwarding services have. I even tried using NAT instead of Allow on the second rule. I then created a custom service that was called webmail that had ports 80 and 443 parameters.

Have any suggestions for changes to the configuration?

MarkA
Logged

markanglin

  • Level 1 Member
  • *
  • Posts: 10
Re: DFL-210 configuration problems
« Reply #3 on: September 27, 2009, 08:38:16 PM »

After further investigation, I can get to our Outlook Web Access page from outside of the network. I just can't get into the OWA page from the internal network. I need to be able to access the OWA page internally so I can troubleshoot users' mail accounts or problems.
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: DFL-210 configuration problems
« Reply #4 on: September 28, 2009, 08:47:47 AM »

The remote management objects take priority over user rules, so traffic on ports 80 and 443 is being forwarded to the firewall if it is on an interface that is set as allowed for remote management on your firewall.

The solution is to go to System->Remote Management->Advanced Settings and change your HTTP and HTTPS ports that the firewall is going to be managed on.
Logged
non progredi est regredi

markanglin

  • Level 1 Member
  • *
  • Posts: 10
Re: DFL-210 configuration problems
« Reply #5 on: September 28, 2009, 08:59:22 AM »

Will do. Thanks for the help.

MarkA
Logged

markanglin

  • Level 1 Member
  • *
  • Posts: 10
Re: DFL-210 configuration problems
« Reply #6 on: September 29, 2009, 01:53:01 PM »

OK. I am almost set up. I am trying to put a server on the DMZ port. This server is similar to a web server, but I created a new service for it called InfoExchange. I went into the InterfaceAddresses and added IP items for the:

 DMZ_gw - additional Public IP address (different from main IP address that other services are using)
 dmz_ip - internal IP address for the DMZ port  -  192.168.2.1
 dmznet - 192.168.2.0/24

I set up a SAT & Allow rule in the port_mapping section.

Name: InfoExchange_in  action: SAT  source interface: any  source network: all-nets
          Destination interface: dmz  Destination network: DMZ_gw
SAT tab translation to Destination IP - dmz_ip

         InfoExchange_in_allow  action: allow  source interface: any  source network: all-nets
          Destination interface: dmz  Destination network: DMZ_gw

then created a new route on interface dmz, network dmznet, Gateway dmz_ip, metric 100, monitor no

After all this, can't seem to make it out of the box or into the box. Do I need to create rules in the wan to dmz section or maybe dmz to wan / lan?

I am so close I can taste it..... with your help of course....

MarkA

Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: DFL-210 configuration problems
« Reply #7 on: September 29, 2009, 02:36:46 PM »

Change the destination interface in your rules to be Core

Only make the route you listed if you don't already have an interface route for your DMZ network.  If you do have to add that route do not give it a gateway.

You will also need an ARP publish on the WAN interface for the dmz_gw address

You will also want a route on the core interface for network dmz_gw with a metric of 0

If your DMZ is going to need any outbound traffic, you are going to want to add an outbound NAT rule with your dmz_gw specified on the NAT tab as the sender address.
Logged
non progredi est regredi

markanglin

  • Level 1 Member
  • *
  • Posts: 10
Re: DFL-210 configuration problems
« Reply #8 on: September 29, 2009, 02:53:30 PM »

Got them all but the very last thing. I created a NAT rule running the InfoExchange service.

Right now I have source interface - any
                        source network - all-nets
                        destination interface - core??
                        destination network - DMZ_gw??

I did put the DMZ_gw in the NAT tab as the sender address.  I am not sure about the destination interface / network.

MarkA
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: DFL-210 configuration problems
« Reply #9 on: September 29, 2009, 03:22:53 PM »

You need a total of 3 rules, 2 for inbound traffic and 1 for outbound traffic.

Name: SAT_DMZ_Inbound
Action: SAT
Service: InfoExchange
Schedule:
Source Interface: Any
Source Network: All-Nets
Destination Interface: Core
Destination Network: DMZ_Gateway
SAT Tab->Destination IP Address: Server_IP

Name: Allow_DMZ_Inbound
Action: Allow
Service: InfoExchange
Schedule:
Source Interface: Any
Source Network: All-Nets
Destination Interface: Core
Destination Network: DMZ_Gateway

Name: NAT_DMZ_Outbound
Action: NAT
Service: All-Services
Schedule:
Source Interface: DMZ
Source Network: DMZ_Net
Destination Interface: WAN
Destination Network: All-Nets
NAT Tab -> Sender IP Address: DMZ_GW
Logged
non progredi est regredi
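
One way to check a written-out rule list against the advice given in this thread (SAT ahead of its Allow/NAT, destination interface Core, no overlap with the remote-management ports). This is an added example, not part of any post and not D-Link code; the `rule` and `lint` helpers, the dict field names and the InfoExchange port are assumptions, and it does not model which interfaces have remote management enabled.

```python
# Added example: offline lint for rules written out as in the posts above.
# It encodes advice from this thread only; it is not the firewall's rule engine.
MGMT_PORTS = {80, 443}  # assumption: web management left on ports 80/443

def rule(name, action, service, dst_if, dst_net, src_if="any", src_net="all-nets"):
    """Hypothetical helper: one IP rule as a dict, fields named after the posts."""
    return dict(name=name, action=action, service=service, src_if=src_if,
                src_net=src_net, dst_if=dst_if, dst_net=dst_net)

def match_key(r):
    """Fields that decide which traffic a rule applies to."""
    return (r["service"], r["src_if"], r["src_net"], r["dst_if"], r["dst_net"])

def lint(rules, service_ports, mgmt_ports=MGMT_PORTS):
    """Return (rule name, finding) tuples for every SAT rule, in rule order."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "SAT":
            continue
        # Reply #7: inbound SAT/Allow pairs use destination interface Core.
        if r["dst_if"].lower() != "core":
            findings.append((r["name"], "destination interface is not core"))
        # Reply #1: the SAT must come before the Allow (or NAT) for that traffic.
        later = [x for x in rules[i + 1:]
                 if x["action"] in ("Allow", "NAT") and match_key(x) == match_key(r)]
        if not later:
            findings.append((r["name"], "no Allow/NAT after the SAT"))
        # Reply #4: remote management takes priority on its own ports.
        clash = sorted(set(service_ports.get(r["service"], ())) & set(mgmt_ports))
        if clash:
            findings.append((r["name"], f"ports {clash} overlap remote management"))
    return findings

# Constructed sample data; the InfoExchange port number is a placeholder.
SERVICE_PORTS = {"InfoExchange": [9000], "webmail": [80, 443]}
SAMPLE = [
    rule("InfoExchange_in", "SAT", "InfoExchange", "dmz", "DMZ_gw"),
    rule("InfoExchange_in_allow", "Allow", "InfoExchange", "dmz", "DMZ_gw"),
    rule("webmail_allow", "Allow", "webmail", "core", "wan1_ip"),  # Allow ahead of SAT
    rule("webmail_in", "SAT", "webmail", "core", "wan1_ip"),
]

if __name__ == "__main__":
    for name, finding in lint(SAMPLE, SERVICE_PORTS):
        print(f"{name}: {finding}")
```
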

markanglin

  • Level 1 Member
  • *
  • Posts: 10
Re: DFL-210 configuration problems
« Reply #10 on: September 29, 2009, 03:30:18 PM »

Thanks. I will make those changes and hopefully, I am in business.

You are a life-saver.
Logged