The document you refer to has all the info... maybe it could be better written.
As it sounds like you have one block of IPs, you have the first 3 options available.
I personally would go with option 1, but that is probably due to the fact that option 1 is the configuration most users have done before, and it also provides the greatest flexibility in future configuration options.
Many users also go with the 2nd and 3rd option.
If you can identify pieces of that article you would like clarification on, I am happy to do so.
I recently bought a new SG565 after my original one died and am in a similar situation to the original poster. Additionally, I want to take this opportunity to possibly change my configuration to a better setup. I currently have my network set up with the default VLAN1 (192.168.0.0/24), which contains my local network, and I have a second VLAN3 (192.168.1.0/24) which I want to use for my publicly accessible servers. I originally had my public servers accessible using DNAT, but I have received advice that it is not optimal to use DNAT when it comes to setting up reverse DNS (local & public), which previously I had not done, and I was advised I should instead set up this second VLAN as a DMZ and use my servers' public IPs. The issue is that I wish to have a number of services on these servers accessible to local users as well as to public users on the internet, such as mail, web, ftp etc., while other services on the servers should only be accessible to local users, e.g. directory services, print server, workgroup blogs, local DNS etc. I also need to manage the servers on VLAN3 from my local network on VLAN1 using Remote Desktop (VNC).
If the advice I have received is correct, what would be the best choice to use given that I have a small block of 3 public IPs (currently one default IP that points to the SG565 and the other two set up on the SG565 as aliases pointing to my servers' local IPs, but I want to change these to point to the servers' public IPs instead)? If I need to add extra servers I can get additional public IPs, and my ISP provides a web interface to set up public reverse DNS. The servers are Mac Minis with single ethernet ports and I'll be running Snow Leopard Server. Basically, what would be the best choice, routing based, bridged or 1-1 NAT, in this situation?
Finally, given that I do receive an answer on the preferred method to use, what steps do I need to take to move from DNAT to one of these other choices?
Thanks in advance
To route rather than NAT go to
firewall -> nat -> masquerading -> Enable NAT from DMZ interfaces to Internet interfaces
and disable this option.
Then, instead of creating port forward or NAT rules, simply create packet filters of type=FORWARD to allow incoming access to the server as desired.
Nothing more needs to be done so you can access the DMZ from the LAN or VPN connection... this is enabled by default.
Hope this helps.
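The policy the reply describes (masquerading from DMZ to Internet switched off, and FORWARD packet filters deciding what reaches the public-addressed servers) can be checked against the requirements in the question before touching the appliance. The following is an added illustration, not SG565 code or its packet-filter syntax: it models a first-match FORWARD rule set in Python, with the LAN on 192.168.0.0/24 as in the question and an assumed documentation range 203.0.113.0/29 standing in for the poster's real public block, then renders each rule as the equivalent `iptables` command a plain Linux router would use.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed addressing. LAN VLAN1 is 192.168.0.0/24 as in the question; the
# routed DMZ carries public addresses, so 203.0.113.0/29 (a documentation
# range) is a placeholder for the poster's actual public block.
LAN_NET = ip_network("192.168.0.0/24")
DMZ_NET = ip_network("203.0.113.0/29")


@dataclass(frozen=True)
class Rule:
    in_iface: str           # "wan", "lan", or "*" for any ingress interface
    dst_net: IPv4Network
    proto: str              # "tcp", "udp", or "*" for any protocol
    dport: Optional[int]    # None matches any destination port
    action: str             # "ACCEPT" or "DROP"

    def matches(self, in_iface, dst_ip, proto, dport) -> bool:
        return (self.in_iface in ("*", in_iface)
                and dst_ip in self.dst_net
                and self.proto in ("*", proto)
                and self.dport in (None, dport))


# Services the question wants reachable from the Internet (SMTP, HTTP, HTTPS, FTP control).
PUBLIC_TCP_PORTS = (25, 80, 443, 21)

RULES: List[Rule] = [
    # Internet -> DMZ: only the published services, one rule per port.
    *(Rule("wan", DMZ_NET, "tcp", p, "ACCEPT") for p in PUBLIC_TCP_PORTS),
    # LAN -> DMZ: everything, which is what the reply says is allowed by default.
    # Directory services, printing, local DNS and VNC management all ride on this.
    Rule("lan", DMZ_NET, "*", None, "ACCEPT"),
]


def forward_decision(rules, in_iface, dst_ip, proto, dport=None) -> str:
    """First-match evaluation of FORWARD rules; anything unmatched is dropped."""
    dst = ip_address(dst_ip)
    for rule in rules:
        if rule.matches(in_iface, dst, proto, dport):
            return rule.action
    return "DROP"


def to_iptables(rule: Rule) -> str:
    """Render one rule as the equivalent iptables FORWARD command."""
    if rule.dport is not None and rule.proto == "*":
        raise ValueError("--dport requires an explicit -p tcp/udp")
    parts = ["iptables", "-A", "FORWARD"]
    if rule.in_iface != "*":
        parts += ["-i", rule.in_iface]
    parts += ["-d", str(rule.dst_net)]
    if rule.proto != "*":
        parts += ["-p", rule.proto]
    if rule.dport is not None:
        parts += ["--dport", str(rule.dport)]
    parts += ["-j", rule.action]
    return " ".join(parts)


if __name__ == "__main__":
    server = "203.0.113.2"  # constructed DMZ server address
    checks = [
        ("wan", server, "tcp", 80),     # public web: ACCEPT
        ("wan", server, "tcp", 5900),   # VNC from the Internet: DROP
        ("lan", server, "tcp", 5900),   # VNC from the LAN: ACCEPT
        ("wan", server, "udp", 53),     # local DNS from the Internet: DROP
        ("lan", server, "udp", 53),     # local DNS from the LAN: ACCEPT
    ]
    for in_iface, dst, proto, port in checks:
        print(f"{in_iface:>3} -> {dst}:{port}/{proto}: {forward_decision(RULES, in_iface, dst, proto, port)}")
    print()
    for rule in RULES:
        print(to_iptables(rule))
```

The default at the end of `forward_decision` is the point: with DMZ NAT disabled, nothing reaches a public server address unless a FORWARD rule says so, so the local-only services (VNC, LDAP, printing, internal DNS) stay unreachable from the WAN without any extra deny rules. The `-d 203.0.113.0/29` on the WAN rules is worth keeping even on a real router, so that a rule meant for the DMZ can never accidentally permit traffic toward the LAN.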