Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[bubbleman]

Hi,

I have two DFL-800 in the office with different LAN, one in 10.103.6.x and the other one in 10.104.6.x with one connection to internet each one.

The problem is: I would like to connect directly a computer in 10.103.6.x want to connect to a resource in 10.104.6.x LAN, without go trough internet using a vpn or something like that. Maybe its possible create a rule to routing the traffic. I have try some options but something is not working correctly.

Thanks for your help.
;-)

[Galthran]

connect a network cable between the two firewalls and just add the route and rules that are necessary to allow the traffic.

[bubbleman]

A cable between lan to lan firewall? and which rules I need to add, and gateways? Could you explain me?

Thxs.

[Galthran]

A cable between lan to lan firewall? and which rules I need to add, and gateways? Could you explain me?

Thxs.

You can connect a cable between the two firewalls using a free interface on each firewall.
Assign a network that you can use for the interfaces ip and for the link network between the firewalls.
Then set up the networks in the routing table on each firewall, pointing each network to be behind the other firewall by setting the gateway field on the route. The gateway will be the ip that you use on the interface for link on the other firewall.

For example if 192.168.50.0 network is used for hte link between the firewalls and firewall B ip is 192.168.50.1 and firewall A ip is 192.168.50.2, the routing table would look something like this:
On firewall A: Route 10.103.6.0/24 Gateway 192.168.50.1
On firewall B: Route 10.104.6.0/24 Gateway 192.168.50.2

Then just add the Allow rules for both directions on each firewall to allow the traffic to be routed between the interfaces on respective firewall...

[bubbleman]

Hi, I have tried to do but I guess i have forgotten something.

I have created:

FW1:
Interfaces:
Lan_Fw_to_Fw: 10.120.6.0/24
Gw_to_Fw2: 10.120.6.2

Rules:
Name | Action | Source interface | Source Network     | Dest. interface | Dest. Network          | Service
all-in     Allow     lan                      Lan_Fw_to_Fw         lan              lannet(10.104.6.0/24) all_tcpudpicmp
all-out   Allow     lan                   lannet(10.104.6.0/24)   lan             Lan_Fw_to_Fw          all_tcpudpicmp

Route:
Type   |  Interface  |  Network            |  Gateway         | Local IP address | Metric
Route     lan              Lan_Fw_to_Fw       Gw_to_Fw2                                 0


FW2:
Interfaces:
Lan_Fw_to_Fw: 10.120.6.0/24
Gw_to_Fw1: 10.120.6.1

Rules:
Name | Action | Source interface | Source Network     | Dest. interface | Dest. Network        |     Service
all-in     Allow     lan                      Lan_Fw_to_Fw           lan            lannet(10.103.6.0/24) all_tcpudpicmp
all-out   Allow     lan                     lannet(10.103.6.0/24)   lan              Lan_Fw_to_Fw       all_tcpudpicmp

Route:
Type   |  Interface  |  Network            |  Gateway         | Local IP address | Metric
Route     lan              Lan_Fw_to_Fw       Gw_to_Fw1                                 0
 

Could you check if something is wrong?

Thxs a lot.

[Galthran]

Hi,

I dont fully understand your setup with the LAN network, it looks like you have set the LAN interface both for your internal network, and for the link network between the firewalls, it can probably be solved but usually it is a problem for the routing of the traffic, since the hosts on the other subnet gets the traffic from the firewall FW1, and when the host will send the return traffic, they will look into itīs routing table, find the default route and send it to their default gateway, which for them will be FW2.

To avoid this I think if you can find a dedicated interface on each firewall would be the best, like the DMZ interface if it is free.

Regarding your configuration I can see one problem.

Code: [Select]

Rules:
Name | Action | Source interface | Source Network     | Dest. interface | Dest. Network          | Service
all-in     Allow     lan                      Lan_Fw_to_Fw         lan              lannet(10.104.6.0/24) all_tcpudpicmp
all-out   Allow     lan                   lannet(10.104.6.0/24)   lan             Lan_Fw_to_Fw          all_tcpudpicmp

I think should be...

Code: [Select]

Rules:
Name | Action | Source interface | Source Network     | Dest. interface | Dest. Network          | Service
all-in     Allow     lan                      10.103.6.0/24         lan              lannet(10.104.6.0/24) all_tcpudpicmp
all-out   Allow     lan                   lannet(10.104.6.0/24)   lan             10.103.6.0/24          all_tcpudpicmp


[bubbleman]

Hi, I have tried this config with this change, but unfortunately its not working. Something is missing.

About your suggestion, i cannot use DMZ interface, because i'm using for other issues. Then I need to use lan's interfaces.

Someone have any idea??

Thxs.

[danilovav]

First of all, you can use VLAN, even you haven't managed L2 switch - DFL will tag VLAN packets

Your configuration with additinal LAN network seems good, but
1) make ARP publish for additinal IP addresses on LAN
2) change route metric from 0 to at least 1
3) add route "core additional_ip 0" to each DFL

[bubbleman]

Hi, I donīt know how to do with VLANs.

I have added you additional suggestions, and this is the actual configuration:

FW1:(10.103.6.0/24)
Interfaces:
Lan1: 10.103.6.0/24
Lan2: 10.104.6.0/24
Lan_Fw_to_Fw: 10.120.6.0/24
Gw_to_Fw2: 10.120.6.2

Rules:
Name | Action | Source interface | Source Network     | Dest. interface | Dest. Network          | Service
all-in     Allow     lan                   Lan1(10.103.6.0/24)     lan              Lan2(10.104.6.0/24) all_tcpudpicmp
all-out   Allow     lan                   Lan2(10.104.6.0/24)     lan              Lan1(10.103.6.0/24) all_tcpudpicmp
all-in     NAT     lan                     Lan1(10.103.6.0/24)     lan              Lan2(10.104.6.0/24) all_tcpudpicmp
all-out   NAT     lan                     Lan2(10.104.6.0/24)     lan              Lan1(10.103.6.0/24) all_tcpudpicmp

Route:
Type   |  Interface  |  Network            |  Gateway         | Local IP address | Metric
Route     lan              Lan_Fw_to_Fw       Gw_to_Fw2                                 1
Route     core            Lan_Fw_to_Fw       Gw_to_Fw2                                 1

ARP:
Mode      Interface    IP Adress         MAC Adress
Publish    lan            GW_to_FW2      00-00-00-00-00-00


FW2:(10.104.6.0/24)
Interfaces:
Lan1: 10.104.6.0/24
Lan2: 10.103.6.0/24
Lan_Fw_to_Fw: 10.120.6.0/24
Gw_to_Fw1: 10.120.6.1

Rules:
Name | Action | Source interface | Source Network     | Dest. interface | Dest. Network          | Service
all-in     Allow     lan                   Lan1(10.104.6.0/24)     lan              Lan2(10.103.6.0/24) all_tcpudpicmp
all-out   Allow     lan                   Lan2(10.103.6.0/24)     lan              Lan1(10.104.6.0/24) all_tcpudpicmp
all-in     NAT     lan                     Lan1(10.104.6.0/24)     lan              Lan2(10.103.6.0/24) all_tcpudpicmp
all-out   NAT     lan                     Lan2(10.103.6.0/24)     lan              Lan1(10.104.6.0/24) all_tcpudpicmp

Route:
Type   |  Interface  |  Network            |  Gateway         | Local IP address | Metric
Route     lan              Lan_Fw_to_Fw       Gw_to_Fw1                                 1
Route     core            Lan_Fw_to_Fw       Gw_to_Fw1                                 1

ARP:
Mode      Interface    IP Adress         MAC Adress
Publish    lan            GW_to_FW1      00-00-00-00-00-00


Could you check if is correct??!!

Thxs for your help.

[bubbleman]

Hi, I have tried this configuration. But its not working. Someone could check it, and give me a clue.


Thanks.