Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!
Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!
Act now. This offer ends July 14, 2017.
Course Of The Month
2 days, 21 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Firewall questions - a phone device Positron - is in the DMZ but I want to only allow certain IPs
Posted on 2014-01-30
a positron? phone system is on the lan. someone put it on the dmz - it needs to get data? from the Voip provider? but others are hacking into it. the voip provider is saying to white list their IP addresses.
a) can't do that when it's in the DMZ, right?
b) moving it back behind the firewall, I need to know what ports to forward to it, right? they should be able to tell me that?
c) then I have to hope the router will allow enough port forwarding rules?
a) can't do that when it's in the DMZ, right?
b) moving it back behind the firewall, I need to know what ports to forward to it, right? they should be able to tell me that?
c) then I have to hope the router will allow enough port forwarding rules?
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2-
2
4 Comments
BTW, I live in Warren County, NJ. Now, to your question.
You will be able to port forward a range of ports. If you run a static nat from the trusted Ip or their entire network you should be able to do the same under the port forward rules since you will be specifying the destination Ip (on your local lan) from your static 1:1 NAT rule. Everything headed for that destination host on your local lan from that trusted network should I assume would fall within your port forwarding range.
IE: Static NAT 10.1.1.0 : 192.168.1.242(destination host)
Under the port forward section say you need ports 15000-20000 forward:
IE: Destination: 192.168.1.242 Port Range: 15000 to 20000 Packet type TCP/UDP or both depending on your needs
This will allow only traffic from that outside host to the destination address provided that its only looking for those ports. Everything else is dropped.
Hope this helps.
You will be able to port forward a range of ports. If you run a static nat from the trusted Ip or their entire network you should be able to do the same under the port forward rules since you will be specifying the destination Ip (on your local lan) from your static 1:1 NAT rule. Everything headed for that destination host on your local lan from that trusted network should I assume would fall within your port forwarding range.
IE: Static NAT 10.1.1.0 : 192.168.1.242(destination host)
Under the port forward section say you need ports 15000-20000 forward:
IE: Destination: 192.168.1.242 Port Range: 15000 to 20000 Packet type TCP/UDP or both depending on your needs
This will allow only traffic from that outside host to the destination address provided that its only looking for those ports. Everything else is dropped.
Hope this helps.
Active today
thanks. But what about if there is a range of public IP addresses you want to allow to come in? Depends on the firewall I guess? Either the firewall will accommodate a range / subnet or just have to make several rules and hope the firewall can accommodate that many?
forward ports 15000 to 20000 from 4.3.3.3 to 192.168.1.50
forward ports 15000 to 20000 from 4.3.3.4 to 192.168.1.50
forward ports 15000 to 20000 from 4.3.3.5 to 192.168.1.50
forward ports 15000 to 20000 from 4.3.3.6 to 192.168.1.50
forward ports 15000 to 20000 from 4.3.3.7 to 192.168.1.50
forward ports 15000 to 20000 from 4.3.3.8 to 192.168.1.50
rather than the easier:
forward ports 15000 to 20000 from 4.3.3.0/24 to 192.168.1.50
(yeah, /24 is more than the 6 I mention above... but just using it as an example : )
forward ports 15000 to 20000 from 4.3.3.3 to 192.168.1.50
forward ports 15000 to 20000 from 4.3.3.4 to 192.168.1.50
forward ports 15000 to 20000 from 4.3.3.5 to 192.168.1.50
forward ports 15000 to 20000 from 4.3.3.6 to 192.168.1.50
forward ports 15000 to 20000 from 4.3.3.7 to 192.168.1.50
forward ports 15000 to 20000 from 4.3.3.8 to 192.168.1.50
rather than the easier:
forward ports 15000 to 20000 from 4.3.3.0/24 to 192.168.1.50
(yeah, /24 is more than the 6 I mention above... but just using it as an example : )
You can on some devices set an ip range. However, with the one you are referring to, I don't believe that option is available. So, to save yourself the hassle, you may have to either choose one of the following and then make only 1 port forwarding rule under the port forwarding section.
Option 1:
1) Static route 4.3.3.0 to 192.168.1.50 (this will include any address in that subnet provided you know that they are all trusted from your provider of VOIP)
Then open the specified port range and set the destination host address as 192.168.1.50
Option 2:
Static route(Whitelist):
4.3.3.3 : 192.168.1.50
4.3.3.4 : 192.168.1.50
4.3.3.5 : 192.168.1.50
4.3.3.6 : 192.168.1.50
4.3.3.7 : 192.168.1.50
4.3.3.8 : 192.168.1.50
If you can't get a definitive answer from your VOIP provider, then option 2 is the best bet. Remember, set the static routes in your whitelist section. Then, you will only need to add 1 service type and port range in your port forwarding section pointing towards your host of 192.168.1.50.
This way, any traffic coming from 4.3.3.0 hitting your Ip will get dropped if its not looking for those ports you specify. Hope this helps.
Option 1:
1) Static route 4.3.3.0 to 192.168.1.50 (this will include any address in that subnet provided you know that they are all trusted from your provider of VOIP)
Then open the specified port range and set the destination host address as 192.168.1.50
Option 2:
Static route(Whitelist):
4.3.3.3 : 192.168.1.50
4.3.3.4 : 192.168.1.50
4.3.3.5 : 192.168.1.50
4.3.3.6 : 192.168.1.50
4.3.3.7 : 192.168.1.50
4.3.3.8 : 192.168.1.50
If you can't get a definitive answer from your VOIP provider, then option 2 is the best bet. Remember, set the static routes in your whitelist section. Then, you will only need to add 1 service type and port range in your port forwarding section pointing towards your host of 192.168.1.50.
This way, any traffic coming from 4.3.3.0 hitting your Ip will get dropped if its not looking for those ports you specify. Hope this helps.
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
- Superb Internet
- Hardware Firewalls
- Security
- Server Hardware
- Server Software
- *firewall management, *firewalls
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Suggested Courses
Course of the Month2 days, 21 hours left to enroll
695 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.