D-Link DFL-1100 Product Manual - Page 126

Appendix C: Multiple Public IP addresses



Mapping of a Public IP address other than that of the Firewall to a Server located on either internal interface can be accomplished in two basic steps (order does not matter): add a Port Mapping/Virtual Server rule that forwards specified services to a single LAN or DMZ host to be accessible through a WAN IP not used by the DFL-1100; add a static route in the firewall’s routing table indicating the internal interface to which the Public IP should be mapped.

For an increased level of protection from Network Intrusions or malicious attacks, isolation of servers accessible to the public from the Private network is recommended. This will ensure that if one of those servers happens to become compromised through vulnerabilities related to software, an attacker would not be able to directly access the private internal Network. The DFL-1100 provides a physical DMZ network interface specifically for this purpose. This can be accomplished with NAT disabled or enabled on the DMZ interface.

Example Scenario using NAT:

The firewall is configured using the following scheme in order to allow Internet hosts access to web services running on either the internal LAN or DMZ Network. The goal is to map two internal web servers (port 80) to two Public IP addresses provided by our ISP.

Host Interface       Private IP        Public IP
Firewall LAN         192.168.2.1       80.80.80.80
Firewall DMZ         192.168.10.1      80.80.80.80
Web Server on LAN    192.168.2.50      80.80.80.81
Web Server on DMZ    192.168.10.100    80.80.80.82
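
An added example, not part of the D-Link manual: a Python check that a planned mapping follows the two steps described above (each forwarded Public IP is not the firewall's own WAN IP and has a static route to the interface that holds the target host) and that flags public servers placed outside the DMZ. The rule and route data structures and the /24 prefix lengths are assumptions; the addresses come from the table.

```python
import ipaddress

# Addresses from the manual's example table; the /24 prefixes are an assumption.
FIREWALL_WAN_IP = "80.80.80.80"
INTERFACES = {"LAN": "192.168.2.1/24", "DMZ": "192.168.10.1/24"}

# Hypothetical representation of the two configuration steps.
PORT_MAPPINGS = [
    {"public_ip": "80.80.80.81", "port": 80, "host": "192.168.2.50"},
    {"public_ip": "80.80.80.82", "port": 80, "host": "192.168.10.100"},
]
STATIC_ROUTES = {"80.80.80.81": "LAN", "80.80.80.82": "DMZ"}


def interface_for(host, interfaces):
    """Return the name of the interface whose subnet contains host, or None."""
    addr = ipaddress.ip_address(host)
    for name, cidr in interfaces.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return None


def audit(mappings, routes, interfaces, wan_ip):
    """Return a list of (severity, message) findings for the mapping plan."""
    findings = []
    for m in mappings:
        pub, host = m["public_ip"], m["host"]
        iface = interface_for(host, interfaces)
        if pub == wan_ip:
            findings.append(("error", f"{pub} is the firewall's own WAN IP"))
        if iface is None:
            findings.append(("error", f"{host} is not on any internal interface"))
            continue
        if pub not in routes:
            findings.append(("error", f"no static route for {pub}"))
        elif routes[pub] != iface:
            findings.append(
                ("error", f"{pub} routed to {routes[pub]}, but {host} is on {iface}"))
        if iface != "DMZ":
            findings.append(("warn", f"{host} is public-facing but on {iface}, not the DMZ"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(PORT_MAPPINGS, STATIC_ROUTES, INTERFACES, FIREWALL_WAN_IP):
        print(f"{severity}: {message}")
```

Run against the manual's scenario, the only finding is a warning for the web server on the LAN, which matches the recommendation to isolate public servers on the DMZ interface.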