D-Link DFL-860E User Manual for DFL-260E - Page 383
7.4.7. SAT and FwdFast Rules                                     Chapter 7. Address Translation

themselves. This will not work, as the packets will be interpreted as coming from the wrong address.

We will now try moving the NAT rule between the SAT and FwdFast rules:

#  Action   Src Iface  Src Net   Dest Iface  Dest Net  Parameters
1  SAT      any        all-nets  core        wan_ip    http  SETDEST wwwsrv 80
2  SAT      lan        wwwsrv    any         all-nets  80 -> All  SETSRC wan_ip 80
3  NAT      lan        lannet    any         all-nets  all_services
4  FwdFast  any        all-nets  core        wan_ip    http
5  FwdFast  lan        wwwsrv    any         all-nets  80 -> All

What happens now?

• External traffic to wan_ip:80 will match rules 1 and 4, and will be sent to wwwsrv. Correct.

• Return traffic from wwwsrv:80 will match rules 2 and 3. The replies will therefore be dynamically address translated. This changes the source port to a completely different port, which will not work.

The problem can be solved using the following rule set:

#  Action   Src Iface  Src Net   Dest Iface  Dest Net  Parameters
1  SAT      any        all-nets  core        wan_ip    http  SETDEST wwwsrv 80
2  SAT      lan        wwwsrv    any         all-nets  80 -> All  SETSRC wan_ip 80
3  FwdFast  lan        wwwsrv    any         all-nets  80 -> All
4  NAT      lan        lannet    any         all-nets  all_services
5  FwdFast  lan        wwwsrv    any         all-nets  80 -> All

• External traffic to wan_ip:80 will match rules 1 and 5 and will be sent to wwwsrv.

• Return traffic from wwwsrv:80 will match rules 2 and 3.

• Internal traffic to wan_ip:80 will match rules 1 and 4, and will be sent to wwwsrv. The sender address will be the NetDefend Firewall's internal IP address, guaranteeing that return traffic passes through the NetDefend Firewall.

• Return traffic will automatically be handled by the NetDefend Firewall's stateful inspection mechanism.
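The rule-ordering argument above can be checked mechanically before a rule set is committed to the firewall. The evaluator below is an added example, not NetDefendOS code and not taken from the D-Link manual. It encodes both tables from this page exactly as printed, assumes addresses for lannet, wwwsrv and wan_ip (the manual names the objects but not their values), and uses a simplified matching model: rules are scanned top to bottom, the first matching SAT rule is remembered, and the first matching non-SAT rule decides the action, with both matched against the untranslated packet. Against the first table it reproduces the "rules 2 and 3" NAT hit for server replies. Against the second table as printed it also reports that the inbound external packet finds no non-SAT rule at all, because printed rules 3 and 5 are identical, which is exactly the kind of discrepancy a pre-commit check like this exists to surface.

```python
"""Toy evaluator for SAT / NAT / FwdFast rule ordering (added example,
not firewall code). Addresses and packets below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed address book: the manual names these objects but gives no values.
ADDRESS_BOOK = {
    "all-nets": ip_network("0.0.0.0/0"),
    "lannet":   ip_network("192.168.1.0/24"),
    "wwwsrv":   ip_network("192.168.1.10/32"),
    "wan_ip":   ip_network("203.0.113.5/32"),
}


@dataclass(frozen=True)
class Packet:
    src_iface: str
    src_ip: str
    dst_iface: str   # "core" = addressed to the firewall itself (wan_ip)
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    num: int
    action: str      # "SAT", "NAT" or "FwdFast"
    src_iface: str
    src_net: str
    dst_iface: str
    dst_net: str
    service: str     # "http", "80 -> All" or "all_services"
    sat_params: str = ""


def service_matches(service: str, pkt: Packet) -> bool:
    """The three service objects used on this manual page."""
    if service == "all_services":
        return True
    if service == "http":          # destination port 80
        return pkt.dst_port == 80
    if service == "80 -> All":     # source port 80, any destination port
        return pkt.src_port == 80
    raise ValueError(f"unknown service {service!r}")


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    ifaces_ok = (rule.src_iface in ("any", pkt.src_iface)
                 and rule.dst_iface in ("any", pkt.dst_iface))
    nets_ok = (ip_address(pkt.src_ip) in ADDRESS_BOOK[rule.src_net]
               and ip_address(pkt.dst_ip) in ADDRESS_BOOK[rule.dst_net])
    return ifaces_ok and nets_ok and service_matches(rule.service, pkt)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], Optional[int], str]:
    """Scan top to bottom: remember the first matching SAT rule, then let the
    first matching non-SAT rule decide. Both are matched against the original
    packet (assumed model). Returns (sat_rule, deciding_rule, action)."""
    sat = None
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "SAT":
            if sat is None:
                sat = rule.num
            continue
        return sat, rule.num, rule.action
    return sat, None, "DROP"   # no allowing rule: default drop


def server_replies_keep_source_port(rules: List[Rule], reply: Packet) -> bool:
    """False if the server's replies hit a NAT rule, which rewrites their
    source port and breaks the SAT'd session, as the page describes."""
    return evaluate(rules, reply)[2] != "NAT"


# Rule sets as printed on this page: NAT between SAT and FwdFast, then the
# second table with NAT after the first FwdFast rule.
NAT_BETWEEN = [
    Rule(1, "SAT",     "any", "all-nets", "core", "wan_ip",   "http",      "SETDEST wwwsrv 80"),
    Rule(2, "SAT",     "lan", "wwwsrv",   "any",  "all-nets", "80 -> All", "SETSRC wan_ip 80"),
    Rule(3, "NAT",     "lan", "lannet",   "any",  "all-nets", "all_services"),
    Rule(4, "FwdFast", "any", "all-nets", "core", "wan_ip",   "http"),
    Rule(5, "FwdFast", "lan", "wwwsrv",   "any",  "all-nets", "80 -> All"),
]
NAT_AFTER_FWDFAST = [
    Rule(1, "SAT",     "any", "all-nets", "core", "wan_ip",   "http",      "SETDEST wwwsrv 80"),
    Rule(2, "SAT",     "lan", "wwwsrv",   "any",  "all-nets", "80 -> All", "SETSRC wan_ip 80"),
    Rule(3, "FwdFast", "lan", "wwwsrv",   "any",  "all-nets", "80 -> All"),
    Rule(4, "NAT",     "lan", "lannet",   "any",  "all-nets", "all_services"),
    Rule(5, "FwdFast", "lan", "wwwsrv",   "any",  "all-nets", "80 -> All"),
]

# Constructed packets: external client, the server's reply, an internal client.
EXTERNAL = Packet("wan", "198.51.100.7", "core", "203.0.113.5", 40000, 80)
REPLY    = Packet("lan", "192.168.1.10", "wan",  "198.51.100.7", 80, 40000)
INTERNAL = Packet("lan", "192.168.1.20", "core", "203.0.113.5", 50000, 80)

if __name__ == "__main__":
    for name, rules in (("NAT between", NAT_BETWEEN), ("NAT after FwdFast", NAT_AFTER_FWDFAST)):
        print(name)
        for label, pkt in (("external", EXTERNAL), ("reply", REPLY), ("internal", INTERNAL)):
            print(f"  {label:8s} -> (sat, rule, action) = {evaluate(rules, pkt)}")
        print(f"  replies keep source port: {server_replies_keep_source_port(rules, REPLY)}")
```

The useful output is the (sat, rule, action) triple per packet: a NAT action on the server's reply is the failure the page describes, and a DROP or a rule number that differs from the one the design expects means the rule set does not do what its author believes.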