Port Forwarding

Posted on 2010-11-23
Last Modified: 2012-05-10
Hello there,

I want to redesign my network for security reasons. The company has some static IPs. We have 1 web server and 2 application servers (AS). The AS are used by the staff to do their everyday tasks. We also have branch offices around the country, and these branch users connect remotely via RDP to the AS and do their work. These servers are directly connected to a D-Link switch to which the ISP internet is connected. Then we have another D-Link switch to which the servers are again connected. I mean these servers have two NICs, one of these NICs is WAN and the other is LAN. The LAN is for the local users and the WAN for the remote users.
Now I want to put a UTM between the ISP internet and the local network. The UTM I have selected is Zentyal (eBox). I have set up a machine for Zentyal. Now my question is how do I forward 3 static IPs to the respective servers, i.e. 2 AS and 1 WS.
The Port Forwarding of Zentyal has these parameters.

My setup is like this: eth0 is WAN and eth1 is LAN. Now... when I go to Firewall --> Port Forwarding

please help me to configure a new forwarding

Interface: what do I need to select
Original destination: what do I select
Original destination port: I will select Single port: 3389 (correct??)
Protocol: TCP (correct??)
Source: what do I select
Destination IP: ??
Port: ??


cheers
Zolf
Question by:zolf
LVL 16

Expert Comment

by:Blaz
ID: 34195243
I know nothing of Zentyal (eBox), but from the names of the settings I think:

Interface: eth0
Original destination: <Public_IP_1>
Original destination port: I will select Single port: 3389 (correct? - yes. You could also change the port to avoid portscans)
Protocol: TCP
Source: what are the options? All
Destination IP: <LAN_IP_of_AS1>
Port: 3389


Author Comment

by:zolf
ID: 34195267

Thanks for your feedback.
You see, at present, without the firewall, my 2 AS have IPs xx.xxx.xxx.133 and xx.xxx.xxx.134 and my WS has IP xx.xxx.xxx.171.
Now, from the internet, when users RDP to the AS they connect directly to the AS, or when I enter the IP of the WS, the website opens. NOW,
when I place the firewall between the internet and the local network and give static IP xx.xxx.xxx.170 to the firewall's WAN NIC and 192.168.0.8 to the LAN NIC, how will I forward the WS IP 134 to 192.168.0.1 or WS IP 133 to 192.168.0.2 or the WS IP 171 to 192.168.0.3?
Please help me solve this issue I am facing.
LVL 3

Assisted Solution

by:khuphuc
khuphuc earned 50 total points
ID: 34195297
Are the WAN IPs of your three servers (1 Web + 2 App) public IPs? How do your branch offices reach them, through which of these situations:

1.- 3 Publics IP
   web: 1.1.1.1 - web.domain.com
  app1: 1.1.1.2 - app1.domain.com
  app2: 1.1.1.3 - app2.domain.com

Logical Schema
servers (Public IP) ----> Internet


2.- 1 Public IP (maybe your router ISP ones)
  web: 2.2.2.2:3389 - domain.com:3389
  app1: 2.2.2.2:3390 - domain.com:3390
  app2: 2.2.2.2:3391 - domain.com:3391

Logical Schema

servers (Private IP) ----> ISP Router (Public IP)

It's important to understand the problem now.

LVL 16

Expert Comment

by:Blaz
ID: 34195318
You have to assign all the public IPs to the WAN on your firewall!

If this can't be done you could assign all services to a single public IP - port 80 forward to WS, port 1234 forward to AS1:3389 and port 1235 forward to AS2:3389

Author Comment

by:zolf
ID: 34195322

You see, at present all the 3 servers have 2 NICs, one for LAN and one for WAN. Remote users connect to the servers using the public static IPs and the local users use the local static IPs. The AS connect via RDP and the WS via browser.

internet --> switch-->Servers

Author Comment

by:zolf
ID: 34195328

>>You have to assign all the public IPs to the WAN on your firewall!
You mean I will have to install 4 NICs?

1. AS1
2. AS2
3. WS
4. WAN

Author Comment

by:zolf
ID: 34195353

The interface for Port Forwarding looks like this:
z3.gif
LVL 3

Expert Comment

by:khuphuc
ID: 34195456
If you want to use port forwarding you have to install as many NICs as public IPs you have to publish on the internet.

I suggest you use the firewall packet filter option, and connect your system in this mode.

Imagine that your Zentyal config is:

eth0 NIC LAN (private IP)
eth1 NIC WAN LAN (public IP, just one)
eth2 WAN SRV LAN (public IP)

Then the logical configuration to use is
Servers (WEB+APP) WAN NIC ---> D-Link WAN Switch ---> eth2 WAN SRV LAN

and use your packet filter rules,

something like

Source IP: Any / or your branch office IP (if it's static)
Source Port: Any

Destination IP: Web Public IP (1st rule), App1 (2nd rule), App2 (3rd rule), etc.
Destination port: 3389 always

Protocol: TCP

That's all, without a lot of configuration or modification. Could it help?

Author Comment

by:zolf
ID: 34195476

Thanks a lot for your help.

>>eth2 WAN SRV lan (public IP)
What is the use of this?

Author Comment

by:zolf
ID: 34195514

This is the option I have under Packet Filtering:
z4.gif
z5.gif
LVL 3

Expert Comment

by:khuphuc
ID: 34195570
z4.gif: it's ok, you chose the right link.


z5.gif:

Source: ANY --- blank / 32
Destination: Destination IP - WEB Server IP / 32


The trick is that you have to configure this firewall to route through 2 networks (the internet and the WAN network of the servers' NICs). This is the reason I suggested eth2 WAN SRV LAN (public IP) as an additional NIC to communicate with the firewall, a kind of DMZ. But in this case your servers have 2 NICs (WAN/LAN), so it becomes a short-circuit, and your LAN security depends on the RDP server that you are publishing. But that's another story.
LVL 16

Expert Comment

by:Blaz
ID: 34195873
> you mean i will have to install 4 NICs
No. You can assign multiple IPs to a single interface/network card.

Go to network -> interfaces -> eth0.
You now have configured the WAN IP as x.x.x.170. Just add virtual interfaces with IPs xx.xxx.xxx.133, xx.xxx.xxx.134, xx.xxx.xxx.171


> you see at present all the 3 servers have 2 NICs one for LAN and one for WAN.
> remote users connect to the servers using the public static IP's and the local
> use the local static IPs. the AS connect via RDP and the WS via browser.
> internet --> switch-->Servers

The access will stay the same. Only that the servers will connect only to LAN and not WAN anymore - they will be connected to WAN through your firewall.
internet -> firewall -> LAN -> servers

This is why you must add port forwarding to the firewall - to redirect packets coming from WAN to the correct server on LAN.

Author Comment

by:zolf
ID: 34203169

Guys, please have a look at the network I have now and what I want to achieve with your help.
K-Network.gif
K-Network-1.gif

Author Comment

by:zolf
ID: 34203218

please bear with me
LVL 16

Accepted Solution

by:Blaz
Blaz earned 450 total points
ID: 34203220
This is exactly how I understood it (and others too).

For this to work you definitely have to assign all 3 (4?) public IPs to eth0 (as described in my last comment - virtual interfaces).

Then you must create 3 port forwarding rules:

Interface: eth0
Original destination: <The name of the virtual interface with IP x.x.x.133>
Original destination port: 3389
Protocol: TCP
Source: Any
Destination IP: 192.168.0.1
Port: Same

Interface: eth0
Original destination: <The name of the virtual interface with IP x.x.x.134>
Original destination port: 3389
Protocol: TCP
Source: Any
Destination IP: 192.168.0.2
Port: Same

Interface: eth0
Original destination: <The name of the virtual interface with IP x.x.x.171>
Original destination port: 80
Protocol: TCP
Source: Any
Destination IP: 192.168.0.5
Port: Same


You must also create 3 packet filter rules to allow that traffic:

Decision: ACCEPT
Source: ANY
Destination: 192.168.0.1
Service: TCP RDP - 3389

Decision: ACCEPT
Source: ANY
Destination: 192.168.0.2
Service: TCP RDP - 3389

Decision: ACCEPT
Source: ANY
Destination: 192.168.0.5
Service: TCP HTTP - 80

Author Comment

by:zolf
ID: 34203851

When I try to create a virtual interface, I get an error saying "Invalid Interface name: Web Server".

Author Comment

by:zolf
ID: 34203880

OK, for some reason it does not like a space in the name. It accepted "webserver".

Author Comment

by:zolf
ID: 34203917

>>You must also create 3 packet filter rules to allow that traffic:
Can you please tell me, from the image I attached above, which option I need to go to, to create a packet filter?
LVL 16

Expert Comment

by:Blaz
ID: 34203932
I did write the options:

Decision: ACCEPT
Source: ANY
Destination: 192.168.0.1
Service: TCP RDP - 3389

Decision: ACCEPT
Source: ANY
Destination: 192.168.0.2
Service: TCP RDP - 3389

Decision: ACCEPT
Source: ANY
Destination: 192.168.0.5
Service: TCP HTTP - 80

Author Comment

by:zolf
ID: 34203997

>>I did write the options:
Yes, thanks, that was very helpful.

Can you please tell me which of these I should select?

It’s possible to define 5 different sections of rules depending on the work flow of the traffic we are addressing:

 • Traffic from internal networks to Zentyal (example: allow access to the file server from the local network).
 • Traffic between internal networks and from internal networks to the Internet (example: restrict access to Internet or to specific addresses to some internal clients and restrict communication between internal networks)
 • Traffic from Zentyal to external networks (example: allow to download files using HTTP from the server itself).
 • Traffic from external networks to Zentyal (example: Allow the mail server to receive messages from the internet).
 • Traffic from external networks to internal networks (example: allow access to a internal server from the Internet).
LVL 16

Expert Comment

by:Blaz
ID: 34204027
Traffic from external networks to internal networks

Author Comment

by:zolf
ID: 34204209

Thanks a lot for your help. Appreciate your help.
LVL 3

Expert Comment

by:khuphuc
ID: 34204230
Hi, I will try to describe the whole process to produce a config that allows you to reduce the branch office configuration while increasing order and security.

1.- Core > Network > Interface > eth0
Name: eth0
Method: static
External WAN: Check
Ip Address: 72.121.131.197
Netmask: i guess 255.255.255.240

Virtual interface: (You have to add three of them)
a) Name: ws - IP Address: 72.121.131.171 - Netmask: (i guess 255.255.255.240)
b) Name: as1 - IP Address: 72.121.131.133 - Netmask: (i guess 255.255.255.240)
c) Name: as2 - IP Address: 72.121.131.134 - Netmask: (i guess 255.255.255.240)

2.- Core > Network > Interface > eth1
Name: eth1
Method: static
External WAN: non Check
Ip Address: 192.168.0.8
Netmask: i guess 255.255.255.0

3.- UTM > Firewall > Port Forwarding (you have to create 3)
a)
Interface eth0:ws
Original destination: Zentyal
Original destination port: Single Port - i guess 80 if you use a default web server, 443 it's ssl web server)
protocol:TCP
Source: Any
Destination IP: 192.168.0.3
Port Same
b)
Interface eth0:as1
Original destination: Zentyal
Original destination port: Single Port -3389
protocol:TCP
Source: Any
Destination IP: 192.168.0.1
Port Same
c)
Interface eth0:as2
Original destination: Zentyal
Original destination port: Single Port -3389
protocol:TCP
Source: Any
Destination IP: 192.168.0.2
Port Same

hope that's helps

Author Comment

by:zolf
ID: 34204248

khuphuc:

Thanks for your help. Is the netmask 34?
LVL 3

Expert Comment

by:khuphuc
ID: 34204258
Hi, I will try to describe the whole process to produce a config that allows you to reduce the branch office configuration while increasing order and security.

1.- Core > Network > Interface > eth0
Name: eth0
Method: static
External WAN: Check
Ip Address: 72.121.131.197
Netmask: 255.255.255.0

Virtual interface: (You have to add three of them)
a) Name: ws - IP Address: 72.121.131.171 - Netmask:  255.255.255.0
b) Name: as1 - IP Address: 72.121.131.133 - Netmask: 255.255.255.0
c) Name: as2 - IP Address: 72.121.131.134 - Netmask: 255.255.255.0

2.- Core > Network > Interface > eth1
Name: eth1
Method: static
External WAN: non Check
Ip Address: 192.168.0.8
Netmask: i guess 255.255.255.0

3.- UTM > Firewall > Port Forwarding (you have to create 3)
a)
Interface eth0:ws
Original destination: Zentyal
Original destination port: Single Port - i guess 80 if you use a default web server, 443 it's ssl web server)
protocol:TCP
Source: Any
Destination IP: 192.168.0.3
Port Same
b)
Interface eth0:as1
Original destination: Zentyal
Original destination port: Single Port -3389
protocol:TCP
Source: Any
Destination IP: 192.168.0.1
Port Same
c)
Interface eth0:as2
Original destination: Zentyal
Original destination port: Single Port -3389
protocol:TCP
Source: Any
Destination IP: 192.168.0.2
Port Same

NO more guesses :)
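The two configurations above (Blaz's accepted solution with forwarding plus packet-filter rules, and khuphuc's forwarding-only version) are the same three mappings written out by hand. As an added example, not from the thread or from Zentyal, the script below models those mappings as data, renders them as the ip(8) alias and iptables DNAT/FORWARD rules that a Linux firewall such as Zentyal ends up programming, and checks that every forward has a matching ACCEPT, the gap zolf asks about a few comments later. The /24 prefix, the 72.121.131.x public addresses and the 192.168.0.x LAN addresses are the ones quoted in the posts; the web server is kept at 192.168.0.3 as in khuphuc's forwards.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    vif: str        # Zentyal virtual interface name on eth0 ("as1", "as2", "ws")
    public_ip: str  # public IP bound to that virtual interface
    port: int       # original destination port (Zentyal "Port: Same" keeps it on the LAN side)
    lan_ip: str     # internal server the traffic is redirected to
    proto: str = "tcp"


# Mappings as given in the thread (public IPs from khuphuc's post, LAN IPs from zolf's).
FORWARDS = [
    Forward("as1", "72.121.131.133", 3389, "192.168.0.1"),
    Forward("as2", "72.121.131.134", 3389, "192.168.0.2"),
    Forward("ws", "72.121.131.171", 80, "192.168.0.3"),
]
# "External networks to internal networks" ACCEPT rules as (destination, port, proto).
ACCEPTS = [("192.168.0.1", 3389, "tcp"), ("192.168.0.2", 3389, "tcp"), ("192.168.0.3", 80, "tcp")]


def alias_cmds(forwards, wan="eth0", prefixlen=24):
    """ip(8) equivalents of the three 'virtual interface' entries on eth0."""
    return [f"ip addr add {f.public_ip}/{prefixlen} dev {wan} label {wan}:{f.vif}"
            for f in forwards]


def nat_rules(forwards, wan="eth0"):
    """PREROUTING DNAT rules equivalent to the three Port Forwarding entries."""
    return [f"iptables -t nat -A PREROUTING -i {wan} -p {f.proto} -d {f.public_ip} "
            f"--dport {f.port} -j DNAT --to-destination {f.lan_ip}:{f.port}"
            for f in forwards]


def filter_rules(accepts, wan="eth0", lan="eth1"):
    """FORWARD-chain ACCEPTs for the packet-filter rules; only new connections, one per service."""
    return [f"iptables -A FORWARD -i {wan} -o {lan} -p {proto} -d {dst} --dport {port} "
            f"-m conntrack --ctstate NEW -j ACCEPT" for dst, port, proto in accepts]


def missing_accepts(forwards, accepts):
    """Forwards that no packet-filter rule allows: with a default-deny FORWARD chain the
    DNAT happens but the redirected packet is then dropped, so the service stays unreachable."""
    allowed = set(accepts)
    return [f for f in forwards if (f.lan_ip, f.port, f.proto) not in allowed]


if __name__ == "__main__":
    for cmd in alias_cmds(FORWARDS) + nat_rules(FORWARDS) + filter_rules(ACCEPTS):
        print(cmd)
    print("forwards without an ACCEPT:", [f.vif for f in missing_accepts(FORWARDS, ACCEPTS)])
```

Running `missing_accepts` against a filter list that uses 192.168.0.5 for the web server (as Blaz's filter rules do) while the forward points at 192.168.0.3 reports the `ws` mapping as unreachable, which is exactly the kind of mismatch worth checking before going live.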

Author Comment

by:zolf
ID: 34204262
khuphuc:

>>You must also create 3 packet filter rules to allow that traffic:

You did not mention the packet filter. Did you do it intentionally??
LVL 3

Expert Comment

by:khuphuc
ID: 34204292
It's another type of config. If you use port forwarding, Zentyal knows what to do with the requests arriving at eth0:ws, eth0:app1, eth0:app2, and then forwards them to the correct server WS, app1 and app2 respectively.

If you use packet filtering rules, as I said yesterday, you have to consider another scenario, where the ws, app1 and app2 have a public IP on their NICs and use Zentyal as a transparent gateway; then you can use packet filtering. Both give the same result, but I prefer NATing the internal servers.

:)

Author Comment

by:zolf
ID: 34204404

>>both are the same result, but i prefer nating the internal servers,

What Blaz has said is what, because it contains both packet filter and port forwarding.


Author Comment

by:zolf
ID: 34204429

khuphuc:

What you mentioned is the same as what Blaz mentioned. The only difference between your and his instructions is that you only use Port Forwarding, but Blaz goes 1 step further to also configure the Packet Filter.
I don't understand this.
LVL 3

Expert Comment

by:khuphuc
ID: 34204437
I'm not sure if Zentyal needs the packet filtering config when you implement a port forwarding, let me try. But some firewalls such as ISA Server, Smoothwall or pfSense do not need both configurations...

Author Comment

by:zolf
ID: 34204487

I see, thanks for your help. I will try and if I have an issue I will ask a question. Hope you will be around to help me.
LVL 3

Expert Comment

by:khuphuc
ID: 34204505
we will