First, quick documentation correction: the docs say "Real world addresses can be used on the DMZ network by clearing the Enable NAT from DMZ interfaces to Internet interfaces checkbox under the Advanced tab, which enables routing to the DMZ public addresses."
It should say explicitly that option is under the NAT section (the NAT section is not mentioned earlier in the section), and should also be changed from the Advanced tab to the Masquerading tab (it took me a while to find that).
So, that setting seems to be a general device wide configuration.
Question 1: is there a way to configure both a public IP DMZ, and a private IP DMZ? Sometimes I need a machine to be all the way out there, and sometimes I don't. This primarily occurs when someone comes in with a specific VPN need that won't work through any NAT. Would like to just put them on their own public IP and let them do what they need to do. Is there another method to making a private LAN untrusted by default (and then needing rules for traffic flow)? Maybe use a Guest network and modify the packet filtering?
Question 2: Is it possible to set up a DMZ so that it could host devices with public IPs on either of my connections? For example, a machine might be accessible normally from the Main connection, but if that goes down, it is tied to that connection's IP. If I had it also answering to a second address on the backup connection then I would like to be able to reroute traffic over that instead. Just not quite sure how this would work; just create an Alias for that port using another public address? Seems like something else would be needed.
Question 3: How would I configure a connection to have some addresses split between both types of DMZs from question 1? Would Aliases be sufficient there? That seems like it would work, but I was hoping for some explicit confirmation before digging in so I don't spend a lot of time barking up the wrong tree.
KB62420 discusses the various options available when wanting to use a public block of IPs.
You can configure both public and private by assigning aliases, disabling the masquerade option to enable routing, then configuring a source NAT rule to 'masquerade' the private IPs if it is desired to have internet access available from these IPs. Otherwise you would port forward as per usual for incoming services.
Yes a guest network is basically going to block everything and then allow you to specify what is allowed.
Regarding getting your main IP address to work on either internet connection, it is a job for your upstream ISP/s. An alternative on the UTM device is to use the dynamic DNS feature. You can set it to use the IP address on the default gateway, so if the link fails, the other IP will be used. Then if incoming services use DNS to locate your server, you will have achieved redundancy.
Splitting IP ranges will involve subnetting, with the downside being you will lose some available IPs. An alternative is to bridge two DMZs, but this may be more complex than it is worth.
Hope this helps.
'masquerading vs. advanced tab' - yes that isn't quite right, ticketed.
1. is there a way to configure multiple styles of DMZ
yes. Disable the DMZ to internet checkbox under the Nat -> Masquerading tab.
Then create any Nat -> Source NAT rules you require on a per-source-address range basis.
If the network on your LAN/VPN side is simple, that may not be much. But if people are having trouble 'seeing' the DMZ(s), consider your routing set up and whether you have routes for the network in question. If you don't, think about adding a source-NAT.
As per the help page on the Masquerading tab, the tick boxes are just handy 'catch-all' ways of configuring source-NATs.
1.a) is there a default-untrusted LAN such as a 'guest' that one can use for VPN terminations
There is a 'Guest' firewall class - or you can use the Internet firewall class as well of course - and then override with firewall rules as desired. Currently we don't let you map your VPN endpoints to an arbitrary firewall class though. We figured it would be too confusing and cause more trouble than it was worth. The long term plan is to allow it, after we have improved the definitions framework a bit more so that these can be talked about in more convenient abstract terms when needed.
So for now you'll need to disable the other masquerading check-boxes (notice the 'LAN/VPN' references there), and put in your own masquerading rules. Which is a bit of a pain to do as you have to account for all the source addresses. It can be done if you manage some address groups carefully for NAT purposes such that when you generate new interfaces you never forget to update those NAT-addr groups, but therein lies the rub - not forgetting that is tough.
2.) multiple public DMZ IP-addrs with/for failover
Depends on what sort of address ranges you have. But yes, an alias is one option.
Means you'd have to configure your server with 2 IPs of course.
Or you could 1-1-NAT from one public to your 'main' public, with appropriate firewall rules depending on what you do (with the 1-1-NAT, that is).
3) splitting addresses between both types of DMZ from question 1
I don't understand the question, sorry. The private/public DMZs I was talking about were RFC-1918 vs. normal IP address ranges. When you talk about splitting addresses though, it seems to be more in the sense of higher/lower protection (firewall rules etc.). Could you provide some more context about what you want to achieve?
Re: 1a - I should have clarified: the need is for people who come into our office and need to connect to an external VPN. We've never been successful having them on anything but an unfiltered connection (and their IT staff won't give us any info, having them just use their 3G modems [which get relatively poor performance here]), so I just need to give them a few addresses to work with.
Right now I just need to get the public addresses working. I have a port forwarding packet filtering rule set up to allow everything from the DMZ port to go out over the Internet ports, and everything from the Internet ports to come in to the DMZ port (this is sufficient for now, I will pare it back later).
I have one server (running its own software firewall which is sufficient for the moment) that is able to be reached from both the LAN and outside the network. It is providing web and streaming services. People can access the web interface for the FTP server (so really just HTTP transfers) and that works fine. But the streaming isn't working. But the big note is that I can't initiate any traffic from the server itself: no web browsing, no pinging anything beyond the router interface (it can be pinged from the internet though), nothing. This is causing some issues, and likely is part of the problem with the streaming.
The first two rules:
| Descriptive Name | Action | Type | Incoming Interface | Outgoing Interface | Source Address | Destination Address | Services |
| --- | --- | --- | --- | --- | --- | --- | --- |
| net server outgoing | Accept | Forward | Any DMZ interface | Any Internet interface | Any | Any | Any |
| Allow from Internet to DMZ | Accept | Forward | Any Internet interface | Any DMZ interface | Any | Any | Any |
[it'd be grand if there was a set of buttons in here for a few of those table type things to make it easier to pass that info on, maybe just rules and routes]
Do I need to have some other thing going on: do I need a route to say traffic from the public block (routed through the main IP assigned to Port B) is in place? If so what would that look like?
2. Yes, the server would have two IPs. The wiring in this building (and this city) is notoriously bad, and you have absolutely no idea when a line will go down. For some services it doesn't matter, but for a few it's nice to have a backup route (i.e. ftp.server.com and ftp2.server.com) so staff can still get some work done with just a few changes. But I'll get into that shortly (along with question 3) once I get the above straightened out. I've been working with support, but I think we may have reached an impasse.
Message was edited by: Mike on 1/7/10 8:58:22 PM CST
Does that mean you have allocated the UTM WAN port the additional IPs as aliases?
If so, you only need to port forward incoming services.
I suspect the 'outgoing port forward' you created is the cause of your issue.
With Firewall -> NAT -> Masquerading -> Enable NAT from DMZ interfaces to Internet interfaces checked, you should have access to the internet from the DMZ hosts by default without any additional configuration.
No, the main WAN IP is on a separate subnet from the public IPs we have to use. So I've assigned one port to one of those IPs:
| | Port B | Port A4 | Port A3 | Port A2 | Port A1 |
| --- | --- | --- | --- | --- | --- |
| Function | Main WAN IP | DSL backup connection | Public IPs for the Main WAN connection | (not active) | LAN |
So the server is hanging off Port A3, at IP 220.127.116.11 (we go up to .158). I can reach 18.104.22.168 from everywhere. But 22.214.171.124 (or any other IP hanging off that port) cannot get traffic out past port A3.
I have the packet filter rules above, but no port forwards. Corrected the above post (it has been a long day).
Message was edited by: Mike after fixing above post. on 1/7/10 8:59:11 PM CST
When you say traffic, I assume we can mean a simple ping test?
This should work without additional configuration, and the fact that it does not means we really need to have a close look at the support report.
Can you open a support ticket ?
This way we can get the right data and resolve the issue in a timely manner.
Okay, so we got some of this taken care of (the DNS routing was the issue; once that was cleared up it was resolved).
On to the next portion:
So I have a range of public IP addresses, and I want some to be NATed and some to have the machines use the public IPs.
Port B is the standard (main) connection, and port A3 currently hosts all of the IPs as a non-NATd DMZ. I would like to have a few addresses from the range on Port A3 moved to Port A2 and have some machines NATd there (and on a different subnet from my LAN).
I guess I need to subnet my addresses on both ports: do I just do that by changing the mask on port A3? And then create a new network configuration for port A2 using one of the now excluded addresses with another mask? i.e.
Port A3 currently has IP address 126.96.36.199/27 with no gateway. If I set it to 188.8.131.52/28, then I reduce the addresses available to the range .129-143 (from .129-158). Then I have the addresses 144-159 available (well, 144 and 159 are spoken for). So do I just assign 145-148 (I only need a few right now) set as aliases on Port B, with port forwarding rules set up to direct any traffic to the 192.168.49.x address of the server it should be directed to?
What you suggest is the way to go, although if you are already routing (rather than NATing) your existing DMZ, you have no doubt disabled the DMZ to Internet Masquerading.
If so, it will be easier to set up the 2nd DMZ the same... routed.