D-Link DFL-2500 User Manual

#  Action   Src Iface  Src Net   Dest Iface  Dest Net  Parameters
5  NAT      lan        lannet    any         all-nets  All

What happens now?

External traffic to wan_ip:80 will match rules 1 and 3, and will be sent to wwwsrv. Correct.

Return traffic from wwwsrv:80 will match rules 2 and 4, and will appear to be sent from
wan_ip:80. Correct.

Internal traffic to wan_ip:80 will match rules 1 and 3, and will be sent to wwwsrv. Almost
correct; the packets will arrive at wwwsrv, but:

Return traffic from wwwsrv:80 to internal machines will be sent directly to the machines
themselves, since they are on the same network, and so never passes through the firewall where
rule 2 would rewrite its source back to wan_ip:80. This will not work, as the packets will be
interpreted as coming from the wrong address: the client sent its request to wan_ip:80 and gets
replies from wwwsrv instead.

We will now try moving the NAT rule between the SAT and FwdFast rules:

#  Action   Src Iface  Src Net   Dest Iface  Dest Net  Parameters
1  SAT      any        all-nets  core        wan_ip    http SETDEST wwwsrv 80
2  SAT      lan        wwwsrv    any         all-nets  80 -> All SETSRC wan_ip 80
3  NAT      lan        lannet    any         all-nets  All
4  FwdFast  any        all-nets  core        wan_ip    http
5  FwdFast  lan        wwwsrv    any         all-nets  80 -> All

What happens now?

External traffic to wan_ip:80 will match rules 1 and 4, and will be sent to wwwsrv. Correct.

Return traffic from wwwsrv:80 will match rules 2 and 3. The replies will therefore be
dynamically address translated by the NAT rule. This changes the source port to a completely
different port, so the replies no longer come from wan_ip:80 as the external client expects,
which will not work.

The problem can be solved using the following rule set:

#  Action   Src Iface  Src Net   Dest Iface  Dest Net  Parameters
1  SAT      any        all-nets  core        wan_ip    http SETDEST wwwsrv 80
2  SAT      lan        wwwsrv    any         all-nets  80 -> All SETSRC wan_ip 80
3  FwdFast  lan        wwwsrv    any         all-nets  80 -> All
4  NAT      lan        lannet    any         all-nets  All
5  FwdFast  lan        wwwsrv    any         all-nets  80 -> All

External traffic to wan_ip:80 will match rules 1 and 5, and will be sent to wwwsrv.

Return traffic from wwwsrv:80 will match rules 2 and 3.

Internal traffic to wan_ip:80 will match rules 1 and 4, and will be sent to wwwsrv. The sender
address will be the D-Link Firewall's internal IP address, guaranteeing that return traffic passes
through the D-Link Firewall.

Return traffic will automatically be handled by the D-Link Firewall's stateful inspection
mechanism.
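The rule lookups walked through above, as an added example that is not part of the manual: a small Python simulator of the first-match logic (a SAT rule matches first and the next matching non-SAT rule decides the action), run against the second and third rule sets. The host names, the "wan" interface and the port numbers are constructed, and rule 5 of the third rule set is assumed to be the external FwdFast rule (any / all-nets / core / wan_ip / http), which the text's "rules 1 and 5" for external traffic requires.

```python
NETS = {  # named address objects used by the rules; all-nets matches every host
    "all-nets": None,
    "lannet": {"client", "wwwsrv"},  # wwwsrv sits on the LAN, as in the example
    "wwwsrv": {"wwwsrv"},
    "wan_ip": {"wan_ip"},
}

def matches(rule, pkt):
    """Does the packet match the rule's interfaces, networks and service?"""
    _, _, sif, snet, dif, dnet, svc = rule
    ifaces_ok = sif in ("any", pkt["sif"]) and dif in ("any", pkt["dif"])
    nets_ok = all(NETS[n] is None or h in NETS[n]
                  for n, h in ((snet, pkt["src"]), (dnet, pkt["dst"])))
    # "http": destination port 80; "80 -> All": source port 80; "All": anything
    svc_ok = svc == "All" or (pkt["dport"] == 80 if svc == "http" else pkt["sport"] == 80)
    return ifaces_ok and nets_ok and svc_ok

def lookup(rules, pkt):
    """Return (matched rule numbers, deciding action). A SAT rule only rewrites
    addresses; the next matching non-SAT rule decides the action (else: dropped)."""
    hits, action = [], "DROP"
    for rule in rules:
        if matches(rule, pkt):
            hits.append(rule[0])
            if rule[1] != "SAT":
                action = rule[1]
                break
    return hits, action

# (number, action, src iface, src net, dest iface, dest net, service); SETDEST/SETSRC omitted
NAT_BETWEEN = [  # second table above: NAT rule placed between the SAT and FwdFast rules
    (1, "SAT", "any", "all-nets", "core", "wan_ip", "http"),          # SETDEST wwwsrv 80
    (2, "SAT", "lan", "wwwsrv", "any", "all-nets", "80 -> All"),      # SETSRC wan_ip 80
    (3, "NAT", "lan", "lannet", "any", "all-nets", "All"),
    (4, "FwdFast", "any", "all-nets", "core", "wan_ip", "http"),
    (5, "FwdFast", "lan", "wwwsrv", "any", "all-nets", "80 -> All"),
]
FIXED = [  # third table; rule 5 assumed to be the external FwdFast rule (see lead-in)
    (1, "SAT", "any", "all-nets", "core", "wan_ip", "http"),          # SETDEST wwwsrv 80
    (2, "SAT", "lan", "wwwsrv", "any", "all-nets", "80 -> All"),      # SETSRC wan_ip 80
    (3, "FwdFast", "lan", "wwwsrv", "any", "all-nets", "80 -> All"),
    (4, "NAT", "lan", "lannet", "any", "all-nets", "All"),
    (5, "FwdFast", "any", "all-nets", "core", "wan_ip", "http"),
]

# Constructed traffic (host names and the "wan" interface are not from the manual)
EXT_TO_WAN = dict(sif="wan", src="exthost", dif="core", dst="wan_ip", sport=40000, dport=80)
REPLY_TO_EXT = dict(sif="lan", src="wwwsrv", dif="wan", dst="exthost", sport=80, dport=40000)
INT_TO_WAN = dict(sif="lan", src="client", dif="core", dst="wan_ip", sport=50000, dport=80)
```

With the NAT rule in between, lookup(NAT_BETWEEN, REPLY_TO_EXT) ends on rule 3 (NAT), which is the broken case; with the final ordering the same reply ends on rule 3 (FwdFast) and internal requests end on rule 4 (NAT).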

7.3.7. SAT and FwdFast Rules

Chapter 7. Address Translation

218