Author Topic: Newbie help routing SSH across networks  (Read 3662 times)

punkyb

  • Level 1 Member
  • Posts: 2
Newbie help routing SSH across networks
« on: February 28, 2011, 05:45:22 PM »

Hi

I have set up a DFL 2560 within our network in order to learn the interface, and I have already failed at the first hurdle!

I have configured remote management SSH on the lan1 interface and can successfully SSH from within the network (192.168.164.0/24); however, I would like to also allow SSH access to this interface from a 192.168.239.0/24 network. Currently the Access Filter is Interface: lan1, Network: all-nets.

I understand that the firewall will only allow source IPs that belong to networks routed over that interface; however, I can't work out how to set up the Access Rules / Routing rules to allow this access. The log result of an SSH attempt triggers the Default_access_rule and ruleset_drop_packet action. I think this means that the routing within the firewall is not correct.

I have set up an Address Book object man239 with the address 192.168.239.0/24. I have an IP Rule that allows all_tcp from Source Interface any, network man239 to Dest Interface lan1, network lan1net. I also have a Routing Rule that is basically the same: Src Interface any, network man239 to Dest Interface lan1, network lan1net.

Some direction on how to configure this would be greatly appreciated.

punkyb

  • Level 1 Member
  • Posts: 2
Re: Newbie help routing SSH across networks
« Reply #1 on: March 01, 2011, 07:43:45 PM »

Hello

For anyone interested, the solution to this problem is as follows:

Create object Lan1_gw = 192.168.164.x

Create route on main: lan1 all-nets lan1_gw metric 0

Create IP rule lan1_fwd, action: forward fast, service: all_tcpudpicmp (I'll lock this down later)
    srcInt:  lan1   srcNet: lan1net
    destInt: lan1   dstNet: all-nets

This setup allows SSH/HTTP etc. access to the lan1 interface from a different private subnet. For some reason lan1 is still not responding to ping (even though I can see the traffic using pcapdump). The IP rule has been placed at the top.

This works, however I am still a bit stumped as to why: the route makes perfect sense, but the IP rule doesn't seem intuitive. Can anyone give an explanation of how this works?

Thanks
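As an added illustration (not part of the thread and not D-Link's code), here is a small Python model of the access check the first post describes: a packet is accepted on an interface only if the firewall's routing table sends the packet's source address back out that same interface, otherwise the default access rule drops it. The routing tables are constructed from the values in the thread (lan1net, the `lan1 all-nets lan1_gw` route); the `wan` route and the 192.168.239.10 / 10.1.1.1 source addresses are constructed for the example.

```python
import ipaddress

# Constructed routing tables based on the values in the thread. This is a
# simplified model of the route-based access check, not a NetDefendOS
# configuration. Each entry is (destination network, egress interface);
# the longest matching prefix wins.
ROUTES_BEFORE = [("192.168.164.0/24", "lan1")]          # lan1net only
ROUTES_AFTER = ROUTES_BEFORE + [
    ("10.0.0.0/8", "wan"),                              # constructed wan route
    ("0.0.0.0/0", "lan1"),                              # "lan1 all-nets lan1_gw"
]


def route_interface(routes, ip):
    """Return the interface the address is routed over (longest-prefix match),
    or None if no route covers it."""
    addr = ipaddress.ip_address(ip)
    best_net, best_iface = None, None
    for net_str, iface in routes:
        net = ipaddress.ip_network(net_str)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def access_check(routes, src_ip, in_iface):
    """Model of the default access rule: accept the packet only if its source
    address is routed over the interface it arrived on; otherwise drop it."""
    if route_interface(routes, src_ip) == in_iface:
        return "accept"
    return "drop (Default_access_rule)"


if __name__ == "__main__":
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        # SSH attempt from the 192.168.239.0/24 subnet arriving on lan1
        print(label, "239-subnet on lan1:", access_check(routes, "192.168.239.10", "lan1"))
        # A 10.x source arriving on lan1 is still dropped once a wan route exists
        print(label, "10.x on lan1:", access_check(routes, "10.1.1.1", "lan1"))
```

Without the all-nets route there is no route for 192.168.239.0/24 over lan1, so the check fails exactly as the log in the first post shows; with it, the source is accepted, while a more specific route over another interface still keeps that interface's addresses from being accepted on lan1.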