Zolf
asked on
Port Forwarding
Hello there,
I want to redesign my network for security reasons. The company has some static IPs. We have 1 web server and 2 application servers (AS). The AS are used by the staff to do their everyday tasks. We also have branch offices around the country, and these branch users connect remotely via RDP to the AS and do their work. These servers are directly connected to a D-Link switch to which the ISP internet is connected. Then we have another D-Link switch to which the servers are again connected. I mean these servers have two NICs: one NIC is WAN and the other is LAN. The LAN is for the local users and the WAN for the remote users.
Now I want to put a UTM between the ISP internet and the local network. The UTM I have selected is Zentyal (eBox). I have set up a machine for Zentyal. Now my question is: how do I forward 3 static IPs to the respective servers, i.e. 2 AS and 1 WS?
The Port Forwarding of Zentyal has these parameters.
My setup is like this: eth0 is WAN and eth1 is LAN. Now... when I go to Firewall --> Port Forwarding,
please help me to configure a new forwarding:
Interface: what do I need to select?
Original destination: what do I select?
Original destination port: I will select Single port: 3389 (correct??)
Protocol: TCP (correct??)
Source: what do I select?
Destination IP: ??
Port: ??
cheers
Zolf
ASKER
Thanks for your feedback.
You see, at present, without the firewall, my 2 AS have IPs xx.xxx.xxx.133 and xx.xxx.xxx.134 and my WS has IP xx.xxx.xxx.171.
Now, from the internet, when users RDP to the AS they connect directly to the AS, or when I enter the IP of the WS, the website opens. NOW,
when I place the firewall between the internet and the local network and give static IP xx.xxx.xxx.170 to the firewall's WAN NIC and 192.168.0.8 to the LAN NIC, how will I forward the WS IP 134 to 192.168.0.1, or WS IP 133 to 192.168.0.2, or the WS IP 171 to 192.168.0.3?
Please help me solve this issue I am facing.
You have to assign all the public IPs to the WAN on your firewall!
If this can't be done you could assign all services to a single public IP - port 80 forward to WS, port 1234 forward to AS1:3389 and port 1235 forward to AS2:3389
ASKER
You see, at present all 3 servers have 2 NICs, one for LAN and one for WAN. Remote users connect to the servers using the public static IPs and the local users use the local static IPs. The AS connect via RDP and the WS via browser.
internet --> switch-->Servers
ASKER
>>You have to assign all the public IPs to the WAN on your firewall!
You mean I will have to install 4 NICs?
1. AS1
2. AS2
3. WS
4. WAN
If you want to use port forwarding you have to install as many NICs as public IPs you have to publish on the internet.
I suggest you use the firewall packet filter option, and connect your system in this mode.
Imagine that your Zentyal config is:
eth0 nic lan (private IP)
eth1 nic Wan lan (public IP, just one)
eth2 WAN SRV lan (public IP)
Then the logical configuration to use is
Servers (WEB+APP) WAN NIC ---> D-link WAN Switch ---> eth2 WAN SRV lan
and use your packet filter rules,
something like:
Source IP: Any / or your branch office IP (if it's static)
Source Port: Any
Destination IP: Web Public IP (1st rule), App1 (2nd rule), App2 (3rd rule), etc.
Destination port: 3389 always
Protocol: TCP
That's all, without a lot of configuration or modification. Could it help?
ASKER
Thanks a lot for your help.
>>eth2 WAN SRV lan (public IP)
What is the use of this?
Z4.gif: it's ok, you chose the right link.
z5.gif
Source: ANY --- blank / 32
Destination: Destination IP - WEB Server IP / 32
The trick is that you have to configure this firewall to route through 2 networks (the internet and the WAN network of the servers' NICs). This is the reason I suggested eth2 WAN SRV lan (public IP) as an additional NIC to communicate with the firewall, a kind of DMZ. But in this case your servers have 2 NICs (WAN/LAN), so it becomes a short-circuit, and your LAN security depends on the RDP server that you're publishing. But that's another story.
> you mean i will have to install 4 NICs
No. You can assign multiple IPs to a single interface/network card.
Go to network -> interfaces -> eth0.
You now have configured the WAN IP as x.x.x.170. Just add virtual interfaces with IPs xx.xxx.xxx.133, xx.xxx.xxx.134, xx.xxx.xxx.171
> you see at present all the 3 servers have 2 NICs one for LAN and one for WAN.
> remote users connect to the servers using the public static IP's and the local
> use the local static IPs. the AS connect via RDP and the WS via browser.
> internet --> switch-->Servers
The access will stay the same. Only that the servers will connect only to LAN and not WAN anymore - they will be connected to WAN through your firewall.
internet -> firewall -> LAN -> servers
This is why you must add port forwarding to the firewall - to redirect packets coming from WAN to the correct server on LAN.
ASKER
Guys, please have a look at the network I have now and what I want to achieve with your help.
K-Network.gif
K-Network-1.gif
ASKER
please bear with me
ASKER
When I try to create a virtual interface, I get an error saying Invalid Interface name: Web Server
ASKER
OK, for some reason it does not like a space in the name. It accepted "webserver".
ASKER
>>You must also create 3 packet filter rules to allow that traffic:
Can you please tell me, from the image I attached above, which option I need to go to, to create a packet filter?
I did write the options:
Decision: ACCEPT
Source: ANY
Destination: 192.168.0.1
Service: TCP RDP - 3389
Decision: ACCEPT
Source: ANY
Destination: 192.168.0.2
Service: TCP RDP - 3389
Decision: ACCEPT
Source: ANY
Destination: 192.168.0.5
Service: TCP HTTP - 80
ASKER
Yes, thanks, that was very helpful.
Can you please tell me which of these I select?
It's possible to define 5 different sections of rules depending on the work flow of the traffic we are addressing:
• Traffic from internal networks to Zentyal (example: allow access to the file server from the local network).
• Traffic between internal networks and from internal networks to the Internet (example: restrict access to the Internet or to specific addresses for some internal clients, and restrict communication between internal networks).
• Traffic from Zentyal to external networks (example: allow downloading files using HTTP from the server itself).
• Traffic from external networks to Zentyal (example: allow the mail server to receive messages from the Internet).
• Traffic from external networks to internal networks (example: allow access to an internal server from the Internet).
Traffic from external networks to internal networks
ASKER
Thanks a lot for your help. Appreciate your help.
Hi, I'll try to describe the whole process to produce a config that lets you reduce the branch office configuration and increase order and security:
1.- Core > Network > Interface > eth0
Name: eth0
Method: static
External WAN: Check
Ip Address: 72.121.131.197
Netmask: I guess 255.255.255.240
Virtual interface: (You have to add three of them)
a) Name: ws - IP Address: 72.121.131.171 - Netmask: (I guess 255.255.255.240)
b) Name: as1 - IP Address: 72.121.131.133 - Netmask: (I guess 255.255.255.240)
c) Name: as2 - IP Address: 72.121.131.134 - Netmask: (I guess 255.255.255.240)
2.- Core > Network > Interface > eth1
Name: eth1
Method: static
External WAN: non Check
Ip Address: 192.168.0.8
Netmask: I guess 255.255.255.0
3.- UTM > Firewall > Port Forwarding (you have to create 3)
a)
Interface eth0:ws
Original destination: Zentyal
Original destination port: Single Port - I guess 80 if you use a default web server (443 if it's an SSL web server)
Protocol: TCP
Source: Any
Destination IP: 192.168.0.3
Port Same
b)
Interface eth0:as1
Original destination: Zentyal
Original destination port: Single Port -3389
Protocol: TCP
Source: Any
Destination IP: 192.168.0.1
Port Same
c)
Interface eth0:as2
Original destination: Zentyal
Original destination port: Single Port -3389
Protocol: TCP
Source: Any
Destination IP: 192.168.0.2
Port Same
Hope that helps.
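As an added example (not Zentyal's code and not either expert's configuration), the following Python models the two halves of the setup discussed in this thread: khuphuc's three port forwards above and Blaz's three packet-filter rules, with the addresses as quoted. It walks a WAN packet through DNAT and then the filter, and lists any forward whose LAN target has no matching ACCEPT rule; the source address used in the checks is a constructed one, and "ANY" is modelled as 0.0.0.0/0.

```python
from ipaddress import ip_address, ip_network

# Port forwarding rules as khuphuc listed them: traffic to a public IP on an
# eth0 virtual interface is DNATed to the LAN address of that server.
# Tuple: (interface, original destination, original port, proto, LAN IP, LAN port)
PORT_FORWARDS = [
    ("eth0:ws",  "72.121.131.171", 80,   "tcp", "192.168.0.3", 80),
    ("eth0:as1", "72.121.131.133", 3389, "tcp", "192.168.0.1", 3389),
    ("eth0:as2", "72.121.131.134", 3389, "tcp", "192.168.0.2", 3389),
]

# "External networks to internal networks" packet filter rules as Blaz listed
# them. Source ANY is written as 0.0.0.0/0; narrowing it to the branch offices'
# static ranges, as khuphuc suggests, is the safer choice for RDP.
# Tuple: (decision, source network, destination LAN IP, proto, port)
FILTER_RULES = [
    ("ACCEPT", "0.0.0.0/0", "192.168.0.1", "tcp", 3389),
    ("ACCEPT", "0.0.0.0/0", "192.168.0.2", "tcp", 3389),
    ("ACCEPT", "0.0.0.0/0", "192.168.0.5", "tcp", 80),
]

def dnat(dst_ip, dst_port, proto):
    """Return the (LAN IP, LAN port) a WAN packet is translated to, or None."""
    for _iface, orig_ip, orig_port, p, lan_ip, lan_port in PORT_FORWARDS:
        if (orig_ip, orig_port, p) == (dst_ip, dst_port, proto):
            return lan_ip, lan_port
    return None

def filter_verdict(src_ip, dst_ip, dst_port, proto):
    """Apply the filter rules to the already translated packet; default DROP."""
    for decision, src_net, lan_ip, p, port in FILTER_RULES:
        if (ip_address(src_ip) in ip_network(src_net)
                and (lan_ip, p, port) == (dst_ip, proto, dst_port)):
            return decision
    return "DROP"

def evaluate(src_ip, dst_ip, dst_port, proto="tcp"):
    """Walk a WAN packet through the firewall: DNAT first, then the filter.
    Returns ((LAN IP, LAN port) or None, verdict)."""
    translated = dnat(dst_ip, dst_port, proto)
    if translated is None:
        return None, "DROP"  # nothing forwarded, so it never reaches the LAN
    lan_ip, lan_port = translated
    return translated, filter_verdict(src_ip, lan_ip, lan_port, proto)

def uncovered_forwards():
    """Forwards whose LAN target has no ACCEPT rule: they translate, then drop."""
    return [(lan_ip, lan_port)
            for _i, _o, _p, proto, lan_ip, lan_port in PORT_FORWARDS
            if filter_verdict("0.0.0.0", lan_ip, lan_port, proto) != "ACCEPT"]
```

With the addresses exactly as quoted in the thread, the web server forward lands on 192.168.0.3 while the filter rule accepts 192.168.0.5, so uncovered_forwards() reports that one; the two RDP forwards pass both stages.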
ASKER
khuphuc:
Thanks for your help. Is the netmask 34?
Hi, I'll try to describe the whole process to produce a config that lets you reduce the branch office configuration and increase order and security:
1.- Core > Network > Interface > eth0
Name: eth0
Method: static
External WAN: Check
Ip Address: 72.121.131.197
Netmask: 255.255.255.0
Virtual interface: (You have to add three of them)
a) Name: ws - IP Address: 72.121.131.171 - Netmask: 255.255.255.0
b) Name: as1 - IP Address: 72.121.131.133 - Netmask: 255.255.255.0
c) Name: as2 - IP Address: 72.121.131.134 - Netmask: 255.255.255.0
2.- Core > Network > Interface > eth1
Name: eth1
Method: static
External WAN: non Check
Ip Address: 192.168.0.8
Netmask: I guess 255.255.255.0
3.- UTM > Firewall > Port Forwarding (you have to create 3)
a)
Interface eth0:ws
Original destination: Zentyal
Original destination port: Single Port - I guess 80 if you use a default web server (443 if it's an SSL web server)
Protocol: TCP
Source: Any
Destination IP: 192.168.0.3
Port Same
b)
Interface eth0:as1
Original destination: Zentyal
Original destination port: Single Port -3389
Protocol: TCP
Source: Any
Destination IP: 192.168.0.1
Port Same
c)
Interface eth0:as2
Original destination: Zentyal
Original destination port: Single Port -3389
Protocol: TCP
Source: Any
Destination IP: 192.168.0.2
Port Same
No more guessing :)
ASKER
khuphuc:
>>You must also create 3 packet filter rules to allow that traffic:
You did not mention the packet filter. Did you do it intentionally??
>>You must also create 3 packet filter rules to allow that traffic:
>>You did not mention the packet filter. Did you do it intentionally??
It's another type of config. If you use port forwarding, Zentyal knows what to do with the requests arriving at eth0:ws, eth0:app1 and eth0:app2, and forwards them to the correct server (WS, app1 and app2 respectively).
If you use packet filtering rules, as I said yesterday, you have to consider another scenario, where ws, app1 and app2 have a public IP on their NICs and Zentyal is used as a transparent gateway; then you can use packet filtering. Both give the same result, but I prefer NATing the internal servers.
:)
ASKER
>>Both give the same result, but I prefer NATing the internal servers.
What Blaz has said is what. Because it contains both packet filter and port forwarding.
ASKER
khuphuc:
What you mentioned is the same as what Blaz mentioned; the only difference between your and his instructions is that you only use Port Forwarding, but Blaz goes 1 step further to also configure the Packet Filter.
I don't understand this.
I'm not sure whether Zentyal needs the packet filtering config when you implement port forwarding; let me try. But some firewalls, such as ISA Server, Smoothwall or pfSense, don't need both configurations...
ASKER
I see, thanks for your help. I will try, and if I have an issue I will ask a question. Hope you will be around to help me.
we will
Interface: eth0
Original destination: <Public_IP_1>
Original destination port: I will select Single port: 3389 (correct? - yes. You could also change the port to avoid portscans)
Protocol: TCP
Source: what are the options? All
Destination IP: <LAN_IP_of_AS1>
Port: 3389