Solved

Port Forwarding

Posted on 2010-11-23
3,910 Views
Last Modified: 2012-05-10
Hello there,

I want to redesign my network for security reasons. The company has some static IPs. We have 1 web server and 2 application servers (AS). The AS are used by the staff to do their everyday tasks. We also have branch offices around the country, and these branch users connect remotely via RDP to the AS and do their work. These servers are directly connected to a D-Link switch to which the ISP internet is connected. Then we have another D-Link switch to which the servers are also connected. I mean these servers have two NICs: one of these NICs is WAN and the other is LAN. The LAN is for the local users and the WAN for the remote users.
Now I want to put a UTM between the ISP internet and the local network. The UTM I have selected is Zentyal (eBox). I have set up a machine for Zentyal. Now my question is: how do I forward 3 static IPs to the respective servers, i.e. 2 AS and 1 WS?
The Port Forwarding of Zentyal has these parameters.

My setup is like this: eth0 is WAN and eth1 is LAN. Now... when I go to Firewall --> Port Forwarding

please help me to configure a new forwarding:

Interface: what do I need to select?
Original destination: what do I select?
Original destination port: I will select Single port: 3389 (correct??)
Protocol: TCP (correct??)
Source: what do I select?
Destination IP: ??
Port: ??


cheers
Zolf
0
Question by:zolf
32 Comments
 
LVL 16

Expert Comment

by:Blaz
ID: 34195243
I know nothing of Zentyal (eBox), but from the names of the settings I think:

Interface: eth0
Original destination: <Public_IP_1>
Original destination port: I will select Single port: 3389 (correct? - yes. You could also change the port to avoid portscans)
Protocol: TCP
Source: what are the options? All
Destination IP: <LAN_IP_of_AS1>
Port: 3389

0
 

Author Comment

by:zolf
ID: 34195267

Thanks for your feedback.
You see, at present, without the firewall, my 2 AS have IPs xx.xxx.xxx.133 and xx.xxx.xxx.134 and my WS has IP xx.xxx.xxx.171.
Now, from the internet, when users RDP to the AS they connect directly to the AS, or when I enter the IP of the WS, the website opens. NOW,
when I place the firewall between the internet and the local network and give static IP xx.xxx.xxx.170 to the firewall's WAN NIC and 192.168.0.8 to the LAN NIC, how will I forward the WS IP 134 to 192.168.0.1, or the WS IP 133 to 192.168.0.2, or the WS IP 171 to 192.168.0.3?
Please help me solve this issue I am facing.
0
 
LVL 3

Assisted Solution

by:khuphuc
khuphuc earned 50 total points
ID: 34195297
Are the WAN IPs of your three servers (1 Web + 2 App) public IPs? How do your branch offices reach them, through which of these situations:

1.- 3 Public IPs
   web: 1.1.1.1 - web.domain.com
  app1: 1.1.1.2 - app1.domain.com
  app2: 1.1.1.3 - app2.domain.com

Logical schema
servers (Public IP) ----> Internet


2.- 1 Public IP (maybe your ISP router's)
  web: 2.2.2.2:3389 - domain.com:3389
  app1: 2.2.2.2:3390 - domain.com:3390
  app2: 2.2.2.2:3391 - domain.com:3391

Logical schema

servers (Private IP) ----> ISP Router (Public IP)

It's important to understand the problem now.

0
 
LVL 16

Expert Comment

by:Blaz
ID: 34195318
You have to assign all the public IPs to the WAN on your firewall!

If this can't be done you could assign all services to a single public IP: port 80 forwarded to WS, port 1234 forwarded to AS1:3389 and port 1235 forwarded to AS2:3389.
0
 

Author Comment

by:zolf
ID: 34195322

You see, at present all the 3 servers have 2 NICs, one for LAN and one for WAN. Remote users connect to the servers using the public static IPs and the local users use the local static IPs. The AS are reached via RDP and the WS via browser.

internet --> switch --> Servers
0
 

Author Comment

by:zolf
ID: 34195328

>>You have to assign all the public IPs to the WAN on your firewall!
You mean I will have to install 4 NICs?

1. AS1
2. AS2
3. WS
4. WAN
0
 

Author Comment

by:zolf
ID: 34195353

The interface for Port Forwarding looks like this:
z3.gif
0
 
LVL 3

Expert Comment

by:khuphuc
ID: 34195456
If you want to use port forwarding you have to install as many NICs as public IPs you have to publish on the internet.

I suggest you use the firewall's packet filter option and connect your system in this mode.

Imagine that your Zentyal config is:

eth0 NIC LAN (private IP)
eth1 NIC WAN LAN (public IP, just one)
eth2 WAN SRV LAN (public IP)

Then the logical configuration to use is
Servers (WEB+APP) WAN NIC ---> D-Link WAN Switch ---> eth2 WAN SRV LAN

and use your packet filter rules,

something like:

Source IP: Any / or your branch office IP (if it's static)
Source Port: Any

Destination IP: Web Public IP (1st rule), App1 (2nd rule), App2 (3rd rule), etc.
Destination port: 3389 always

Protocol: TCP

That's all, without a lot of configuration or modification. Could it help?

0
 

Author Comment

by:zolf
ID: 34195476

Thanks a lot for your help.

>>eth2 WAN SRV lan (public IP)
What is the use of this?
0
 

Author Comment

by:zolf
ID: 34195514

This is the option I have under Packet Filtering:
z4.gif
z5.gif
0
 
LVL 3

Expert Comment

by:khuphuc
ID: 34195570
z4.gif: it's OK, you chose the right link.


z5.gif:

Source: ANY --- blank / 32
Destination: Destination IP - WEB Server IP / 32


The trick is that you have to configure the firewall to route between 2 networks (the internet and the WAN network of the servers' NICs). This is the reason I suggested an eth2 WAN SRV LAN (public IP) as an additional NIC to communicate with the firewall, a kind of DMZ. But in this case your servers have 2 NICs (WAN/LAN), so it becomes a short-circuit, and your LAN security depends on the RDP server that you are publishing. But that's another story.
0
 
LVL 16

Expert Comment

by:Blaz
ID: 34195873
> you mean I will have to install 4 NICs
No. You can assign multiple IPs to a single interface/network card.

Go to Network -> Interfaces -> eth0.
You have now configured the WAN IP as x.x.x.170. Just add virtual interfaces with IPs xx.xxx.xxx.133, xx.xxx.xxx.134, xx.xxx.xxx.171.


> you see at present all the 3 servers have 2 NICs one for LAN and one for WAN.
> remote users connect to the servers using the public static IP's and the local
> use the local static IPs. the AS connect via RDP and the WS via browser.
> internet --> switch-->Servers

The access will stay the same. Only the servers will connect only to the LAN and not to the WAN anymore - they will be connected to the WAN through your firewall.
internet -> firewall -> LAN -> servers

This is why you must add port forwarding to the firewall - to redirect packets coming from the WAN to the correct server on the LAN.
0
 

Author Comment

by:zolf
ID: 34203169

Guys, please have a look at the network I have now and what I want to achieve with your help.
K-Network.gif
K-Network-1.gif
0
 

Author Comment

by:zolf
ID: 34203218

Please bear with me.
0
 
LVL 16

Accepted Solution

by:
Blaz earned 450 total points
ID: 34203220
This is exactly how I understood it (and others did too).

For this to work you definitely have to assign all 3 (4?) public IPs to eth0 (as described in my last comment - virtual interfaces).

Then you must create 3 port forwarding rules:

Interface: eth0
Original destination: <The name of the virtual interface with IP x.x.x.133>
Original destination port: 3389
Protocol: TCP
Source: Any
Destination IP: 192.168.0.1
Port: Same

Interface: eth0
Original destination: <The name of the virtual interface with IP x.x.x.134>
Original destination port: 3389
Protocol: TCP
Source: Any
Destination IP: 192.168.0.2
Port: Same

Interface: eth0
Original destination: <The name of the virtual interface with IP x.x.x.171>
Original destination port: 80
Protocol: TCP
Source: Any
Destination IP: 192.168.0.5
Port: Same


You must also create 3 packet filter rules to allow that traffic:

Decision: ACCEPT
Source: ANY
Destination: 192.168.0.1
Service: TCP RDP - 3389

Decision: ACCEPT
Source: ANY
Destination: 192.168.0.2
Service: TCP RDP - 3389

Decision: ACCEPT
Source: ANY
Destination: 192.168.0.5
Service: TCP HTTP - 80
0
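To see why the accepted solution pairs every port-forwarding rule with a packet-filter rule, here is an added consistency check (not code from the thread or from Zentyal). It models the three forwards and three ACCEPT rules above, flags a forward that has no matching filter rule, a filter rule that accepts traffic nothing forwards, and duplicate public ip:port entries, and renders an illustrative iptables equivalent of each forward. The public addresses are constructed in the 203.0.113.0/24 documentation range with the thread's last octets; the iptables lines are a plain-iptables approximation, not what Zentyal itself generates.

```python
"""Consistency check for DNAT port forwards and their packet-filter rules.

Constructed example mirroring the thread's plan: three public IPs on eth0
(virtual interfaces), each forwarded to one LAN host, plus the ACCEPT rules
that let the forwarded (post-DNAT) traffic through the filter.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    iface: str        # WAN interface the packet arrives on
    public_ip: str    # original destination (the virtual interface's IP)
    public_port: int  # original destination port
    proto: str        # "tcp" or "udp"
    lan_ip: str       # internal server
    lan_port: int     # "Port: Same" in the thread means lan_port == public_port


@dataclass(frozen=True)
class Filter:
    decision: str     # "ACCEPT" or "DENY"
    source: str       # "any" or a CIDR
    dest_ip: str
    proto: str
    port: int


PUBLIC_PREFIX = "203.0.113"  # constructed stand-in for the thread's xx.xxx.xxx

FORWARDS = [
    Forward("eth0", f"{PUBLIC_PREFIX}.133", 3389, "tcp", "192.168.0.1", 3389),
    Forward("eth0", f"{PUBLIC_PREFIX}.134", 3389, "tcp", "192.168.0.2", 3389),
    Forward("eth0", f"{PUBLIC_PREFIX}.171", 80, "tcp", "192.168.0.5", 80),
]
FILTERS = [
    Filter("ACCEPT", "any", "192.168.0.1", "tcp", 3389),
    Filter("ACCEPT", "any", "192.168.0.2", "tcp", 3389),
    Filter("ACCEPT", "any", "192.168.0.5", "tcp", 80),
]


def check_plan(forwards, filters):
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems = []
    seen = set()
    for f in forwards:
        key = (f.public_ip, f.proto, f.public_port)
        if key in seen:
            problems.append(f"duplicate forward for {f.public_ip}:{f.public_port}/{f.proto}")
        seen.add(key)
        # The filter sees the packet after DNAT, so the ACCEPT rule must name
        # the LAN address and LAN port, not the public ones.
        if not any(r.decision == "ACCEPT" and r.dest_ip == f.lan_ip
                   and r.proto == f.proto and r.port == f.lan_port for r in filters):
            problems.append(f"no ACCEPT filter for forwarded {f.lan_ip}:{f.lan_port}/{f.proto}")
    forwarded = {(f.lan_ip, f.proto, f.lan_port) for f in forwards}
    for r in filters:
        # An ACCEPT that no forward needs widens exposure for no benefit.
        if r.decision == "ACCEPT" and (r.dest_ip, r.proto, r.port) not in forwarded:
            problems.append(f"ACCEPT {r.dest_ip}:{r.port}/{r.proto} has no matching forward (over-permissive)")
    return problems


def render_iptables(f):
    """Illustrative plain-iptables equivalent of one forward and its filter rule
    (an assumption for explanation; Zentyal generates its own rule set)."""
    nat = (f"iptables -t nat -A PREROUTING -i {f.iface} -p {f.proto} -d {f.public_ip} "
           f"--dport {f.public_port} -j DNAT --to-destination {f.lan_ip}:{f.lan_port}")
    fwd = (f"iptables -A FORWARD -i {f.iface} -p {f.proto} -d {f.lan_ip} "
           f"--dport {f.lan_port} -j ACCEPT")
    return [nat, fwd]


if __name__ == "__main__":
    for p in check_plan(FORWARDS, FILTERS) or ["plan is consistent"]:
        print(p)
    for f in FORWARDS:
        print("\n".join(render_iptables(f)))
```

Dropping the third filter rule reproduces the situation the thread's author asked about: the DNAT rewrite happens, but the rewritten packet is then dropped by the filter, so the web server is unreachable even though the forward "exists".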
 

Author Comment

by:zolf
ID: 34203851

When I try to create a virtual interface, I get an error saying "Invalid Interface name: Web Server".
0
 

Author Comment

by:zolf
ID: 34203880

OK, for some reason it does not like a space in the name. It accepted "webserver".
0
 

Author Comment

by:zolf
ID: 34203917

>>You must also create 3 packet filter rules to allow that traffic:
Can you please tell me, from the image I attached above, which option I need to go to, to create a packet filter?
0
 
LVL 16

Expert Comment

by:Blaz
ID: 34203932
I did write the options:

Decision: ACCEPT
Source: ANY
Destination: 192.168.0.1
Service: TCP RDP - 3389

Decision: ACCEPT
Source: ANY
Destination: 192.168.0.2
Service: TCP RDP - 3389

Decision: ACCEPT
Source: ANY
Destination: 192.168.0.5
Service: TCP HTTP - 80
0
 

Author Comment

by:zolf
ID: 34203997

>>I did write the options:
Yes, thanks, that was very helpful.

Can you please tell me which of these I select?

It’s possible to define 5 different sections of rules depending on the work flow of the traffic we are addressing:

 • Traffic from internal networks to Zentyal (example: allow access to the file server from the local network).
 • Traffic between internal networks and from internal networks to the Internet (example: restrict access to Internet or to specific addresses to some internal clients and restrict communication between internal networks)
 • Traffic from Zentyal to external networks (example: allow to download files using HTTP from the server itself).
 • Traffic from external networks to Zentyal (example: Allow the mail server to receive messages from the internet).
 • Traffic from external networks to internal networks (example: allow access to an internal server from the Internet).
0
 
LVL 16

Expert Comment

by:Blaz
ID: 34204027
Traffic from external networks to internal networks
0
 

Author Comment

by:zolf
ID: 34204209

Thanks a lot for your help. Appreciate your help.
0
 
LVL 3

Expert Comment

by:khuphuc
ID: 34204230
Hi, I'll try to describe the whole process to produce a config that lets you reduce the branch office configuration and increase order and security.

1.- Core > Network > Interface > eth0
Name: eth0
Method: static
External WAN: checked
IP Address: 72.121.131.197
Netmask: I guess 255.255.255.240

Virtual interfaces (you have to add three of them):
a) Name: ws - IP Address: 72.121.131.171 - Netmask: (I guess 255.255.255.240)
b) Name: as1 - IP Address: 72.121.131.133 - Netmask: (I guess 255.255.255.240)
c) Name: as2 - IP Address: 72.121.131.134 - Netmask: (I guess 255.255.255.240)

2.- Core > Network > Interface > eth1
Name: eth1
Method: static
External WAN: not checked
IP Address: 192.168.0.8
Netmask: I guess 255.255.255.0

3.- UTM > Firewall > Port Forwarding (you have to create 3)
a)
Interface: eth0:ws
Original destination: Zentyal
Original destination port: Single Port - I guess 80 if you use a default web server, 443 if it's an SSL web server
Protocol: TCP
Source: Any
Destination IP: 192.168.0.3
Port: Same
b)
Interface: eth0:as1
Original destination: Zentyal
Original destination port: Single Port - 3389
Protocol: TCP
Source: Any
Destination IP: 192.168.0.1
Port: Same
c)
Interface: eth0:as2
Original destination: Zentyal
Original destination port: Single Port - 3389
Protocol: TCP
Source: Any
Destination IP: 192.168.0.2
Port: Same

Hope that helps.
0
 

Author Comment

by:zolf
ID: 34204248

khuphuc:

Thanks for your help. Is the netmask 34?
0
 
LVL 3

Expert Comment

by:khuphuc
ID: 34204258
Hi, I'll try to describe the whole process to produce a config that lets you reduce the branch office configuration and increase order and security.

1.- Core > Network > Interface > eth0
Name: eth0
Method: static
External WAN: checked
IP Address: 72.121.131.197
Netmask: 255.255.255.0

Virtual interfaces (you have to add three of them):
a) Name: ws - IP Address: 72.121.131.171 - Netmask: 255.255.255.0
b) Name: as1 - IP Address: 72.121.131.133 - Netmask: 255.255.255.0
c) Name: as2 - IP Address: 72.121.131.134 - Netmask: 255.255.255.0

2.- Core > Network > Interface > eth1
Name: eth1
Method: static
External WAN: not checked
IP Address: 192.168.0.8
Netmask: I guess 255.255.255.0

3.- UTM > Firewall > Port Forwarding (you have to create 3)
a)
Interface: eth0:ws
Original destination: Zentyal
Original destination port: Single Port - I guess 80 if you use a default web server, 443 if it's an SSL web server
Protocol: TCP
Source: Any
Destination IP: 192.168.0.3
Port: Same
b)
Interface: eth0:as1
Original destination: Zentyal
Original destination port: Single Port - 3389
Protocol: TCP
Source: Any
Destination IP: 192.168.0.1
Port: Same
c)
Interface: eth0:as2
Original destination: Zentyal
Original destination port: Single Port - 3389
Protocol: TCP
Source: Any
Destination IP: 192.168.0.2
Port: Same

No more guessing :)
0
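The netmask exchange above (the author asking whether the mask is "34", the expert first guessing 255.255.255.240 and then switching to 255.255.255.0) is exactly where virtual-interface setups go wrong: every alias on eth0 must sit inside the same subnet as the primary WAN address under the mask actually assigned by the ISP, or the firewall will not answer ARP for it and the forwards never see traffic. The following added check (not code from the thread or from Zentyal) uses Python's standard ipaddress module to validate a mask string and report which aliases fall outside the WAN subnet. Addresses are constructed in the 203.0.113.0/24 documentation range, keeping the thread's last octets .197, .171, .133 and .134.

```python
"""Validate a WAN netmask and check that virtual-interface aliases share the
WAN subnet. Constructed addresses (203.0.113.x) stand in for the thread's
72.121.131.x, with the same last octets."""
import ipaddress

WAN_IP = "203.0.113.197"  # primary address on eth0 (constructed)
ALIASES = {               # virtual interfaces as proposed in the thread (constructed)
    "ws": "203.0.113.171",
    "as1": "203.0.113.133",
    "as2": "203.0.113.134",
}


def parse_mask(text):
    """Accept '255.255.255.0', '/24' or '24'; return the prefix length, or None
    if the text is not a valid IPv4 mask (e.g. the thread's '34')."""
    text = text.strip().lstrip("/")
    try:
        return ipaddress.ip_network(f"0.0.0.0/{text}", strict=False).prefixlen
    except ValueError:
        return None


def wan_network(wan_ip, mask_text):
    """The subnet the WAN address lives in under the given mask."""
    prefix = parse_mask(mask_text)
    if prefix is None:
        raise ValueError(f"invalid netmask: {mask_text!r}")
    return ipaddress.ip_interface(f"{wan_ip}/{prefix}").network


def aliases_outside_subnet(wan_ip, mask_text, aliases):
    """Names of aliases whose IP is not in the WAN subnet; these would never
    be reachable as virtual interfaces on eth0 under that mask."""
    net = wan_network(wan_ip, mask_text)
    return sorted(name for name, ip in aliases.items()
                  if ipaddress.ip_address(ip) not in net)


def usable_hosts(wan_ip, mask_text):
    """Host addresses available in the WAN subnet (network and broadcast excluded)."""
    net = wan_network(wan_ip, mask_text)
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.240", "34"):
        if parse_mask(mask) is None:
            print(f"{mask}: not a valid netmask")
            continue
        bad = aliases_outside_subnet(WAN_IP, mask, ALIASES)
        print(f"{mask} -> {wan_network(WAN_IP, mask)}: "
              f"{usable_hosts(WAN_IP, mask)} usable hosts, "
              f"aliases outside subnet: {bad or 'none'}")
```

Under 255.255.255.0 all three aliases share the subnet; under the first guess, 255.255.255.240, the WAN address is in a /28 that contains none of them, which is why the mask must come from the ISP's allocation rather than be guessed.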
 

Author Comment

by:zolf
ID: 34204262
khuphuc:

>>You must also create 3 packet filter rules to allow that traffic:

You did not mention the packet filter. Did you do it intentionally??
0
 
LVL 3

Expert Comment

by:khuphuc
ID: 34204292
It's another type of config. If you use port forwarding, Zentyal knows what to do with the requests arriving at eth0:ws, eth0:app1, eth0:app2, and then forwards them to the correct server (WS, app1 and app2 respectively).

If you use packet filtering rules, as I said yesterday, you have to consider another scenario, where ws, app1 and app2 have a public IP on their NICs and you use Zentyal as a transparent gateway; then you can use packet filtering. Both give the same result, but I prefer NATing the internal servers.

:)
0
 

Author Comment

by:zolf
ID: 34204404

>>both are the same result, but i prefer nating the internal servers,

What Blaz has said is what, because it contains both packet filter and port forwarding.

0
 

Author Comment

by:zolf
ID: 34204429

khuphuc:

What you mentioned is the same as what Blaz mentioned. The only difference between your and his instructions is that you only use Port Forwarding, but Blaz goes 1 step further to also configure the Packet Filter.
I don't understand this.
0
 
LVL 3

Expert Comment

by:khuphuc
ID: 34204437
I'm not sure if Zentyal needs the packet filtering config when you implement a port forwarding; let me try. But some firewalls such as ISA Server, Smoothwall or pfSense don't need both configurations...
0
 

Author Comment

by:zolf
ID: 34204487

I see, thanks for your help. I will try, and if I have an issue I will ask a question. Hope you will be around to help me.
0
 
LVL 3

Expert Comment

by:khuphuc
ID: 34204505
We will.
0