Title: 2.3: Need help: WebServer in DMZ, Understanding DNAT/SNAT/Inco
Post by: Timo on Wednesday 23 December 2009, 02:53:00 am

Hello Everyone,

we're trying to use efw as our new firewall system. Maybe the meaning of some items is quite different from what we think of...

efw 2.3 Enterprise demo server with 4 NICs
- green -> 192.168.3.2
- orange -> 192.168.1.2
- red -> xx.yy.zz.2 (Public IP)
- (hot standby -> 2nd efw lifebeat)

(web-)server4
- nic1 -> 192.168.3.4 (green)
- nic2 -> 192.168.1.4 (orange)

(web-)server5
- nic1 -> 192.168.3.5 (green)
- nic2 -> 192.168.1.5 (orange)

and so on..

The servers must be accessible from the web via public IPs (orange). The green net handles administration, backup, remote maintenance and so on. We have a range of 30 public IPs. Wishing to configure this like:

Public IP xx.yy.zz.4 -> efw -> orange: 192.168.1.4

In an optimal way I put a new server in the DMZ with e.g. 192.168.1.10 and this webserver is automatically accessible from outside over the public IP xx.yy.zz.10 - and for all the webservers in the DMZ we have a few general filters (because the webservers are all identical).

My problem is to understand the meaning of Destination NAT, Source NAT and Incoming routed Traffic.

What I have tried:

(disable all SNAT and Incoming routed Traffic rules)
Destination NAT: Source: RED, Target: ORANGE, Allow, all/all, and then all of the possibilities of "translate to:" map network: 192.168.1.0/27 and tried IP -> NAT, No NAT..
->> no connect from the web to one of the servers at Orange possible.

Next try: (disable all DNAT/Incoming routed Traffic rules)
Source NAT: Source xx.yy.zz.0/27 (the range of our public IPs), Target 192.168.1.0/27, Service/Port: all/TCP+UDP
NAT:
- try1 - NAT -> Auto
- try2 - No NAT
- try3 - Map Network to: 192.168.1.0/27
->> whatever, no connect from the web to one of the servers at Orange possible.

Another try: (disable all SNAT and DNAT rules)
Incoming routed Traffic: Source: RED, Target: ORANGE, Service/Port: All/TCP+UDP
->> no connect from the web to one of the servers at Orange possible.

All attempts were in vain and the problem is, I've got no idea how to get it up.

Maybe PEBKAC :-) My approach or understanding of the efw may be quite different from that of the efw programmers. If there is anybody with a similar situation, some tips are greatly appreciated!

TIA
Timo

Title: Re: 2.3: Need help: WebServer in DMZ, Understanding DNAT/SNAT/Inco
Post by: bodie on Monday 08 March 2010, 08:29:56 am

I've set up all the public IPs on the servers in the orange and thusly redirected traffic. Made my life a lot easier.

This is what I did:

EFW orange setup with external IP under Firewall / Incoming routed traffic - create forwarding rule as follows:
- Source is - Uplink (red)
- Destination - External IP address within the orange etc.

Hope this helps
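As an added illustration (not part of either post, and not Endian's own code), here is a small Python model of the 1:1 mapping Timo describes: inbound DNAT rewrites the destination public address to the orange host with the same host bits, outbound SNAT rewrites the source back, and one fixed filter limits which ports reach the identical webservers. 203.0.113.0/27 is a constructed stand-in for xx.yy.zz.0/27, and the allowed-port list is an assumption.

```python
import ipaddress

# Constructed values: 203.0.113.0/27 (documentation range) stands in for the
# poster's public xx.yy.zz.0/27; 192.168.1.0/27 is the orange (DMZ) net from the thread.
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/27")
ORANGE_NET = ipaddress.ip_network("192.168.1.0/27")
# Assumed "few general filters": every DMZ webserver gets the same allow list.
ALLOWED_TCP_PORTS = {80, 443}


def map_host(addr, src_net, dst_net):
    """1:1 (NETMAP-style) translation: keep the host bits, swap the network prefix."""
    addr = ipaddress.ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 mapping needs equally sized networks")
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    host_bits = int(addr) - int(src_net.network_address)
    return str(dst_net.network_address + host_bits)


def translate(pkt, direction):
    """DNAT and SNAT rewrite different fields; a plain filter rule rewrites nothing."""
    out = dict(pkt)
    if direction == "inbound":      # red -> orange: DNAT replaces the destination
        out["dst"] = map_host(pkt["dst"], PUBLIC_NET, ORANGE_NET)
    elif direction == "outbound":   # orange -> red: SNAT replaces the source
        out["src"] = map_host(pkt["src"], ORANGE_NET, PUBLIC_NET)
    else:
        raise ValueError(direction)
    return out


def filter_allows(pkt):
    """Filter applied after DNAT: only web ports may reach the DMZ hosts."""
    return (ipaddress.ip_address(pkt["dst"]) in ORANGE_NET
            and pkt["proto"] == "tcp" and pkt["dport"] in ALLOWED_TCP_PORTS)


def round_trip(client_ip, public_ip, dport, proto="tcp"):
    """Return (packet the DMZ server sees, reply the client sees, accepted?)."""
    inbound = {"src": client_ip, "dst": public_ip, "proto": proto, "dport": dport}
    to_server = translate(inbound, "inbound")
    accepted = filter_allows(to_server)
    # The server answers from its orange address; SNAT makes the client see the public one.
    reply = translate({"src": to_server["dst"], "dst": client_ip}, "outbound")
    return to_server, reply, accepted


if __name__ == "__main__":
    # A new server at 192.168.1.10 is reachable at public .10 with no extra rule.
    print(round_trip("198.51.100.7", "203.0.113.10", 443))
```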