This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNAT/Routing and Virtual Interfaces...

I have tried several times to make virtual interfaces work, I have DSL with 5 static addresses "/29" and I have tried setting the real interface to 255.255.255.255 and .248, no matter what, I cannot get two addresses to forward to different web servers inside the network. When both the virtual and the real interface are set to 255.255.255.255 then the virtual works correctly but the real does not. If the real is set to .248 and the virtual is .255 then the real works and the virtual does not.

The other side of this is the default route, I have tried setting each interface to the correct gateway address and only the virtual works. I have tried setting the real interface to the gateway address and leaving the virtual set to none, the real works, the virtual works for the outside seqment but the public gets no reply from the virtual address, again local outside subnet works just fine for both real and virtual. So I'm very confused about how this is supposed to work.

Help...

This thread was automatically locked due to age.

Parents

0 PreyTell over 22 years ago

Are there at least white papers about how this is supposed to work? I have tried everything...Do I need to just load a different product? Is anyone else doing this successfully?
Cancel
Vote Up 0 Vote Down

Cancel
0 oliver.desch over 22 years ago in reply to PreyTell

PreyTell,

the real interface gets .248 as mask and the default gateway assigned.
Aliases get a 32 bitmask and the default gateway has to be 'none'.

read you
o|iver
Cancel
Vote Up 0 Vote Down

Cancel
0 PreyTell over 22 years ago in reply to oliver.desch

What rules should be set, right now I have MASQ for internal to external interface, DNAT for one web server on the firewalls external interface, and DNAT for another web server for the virtual interface. Allow rules for ANY -> Internal web server address for both servers and alllow internal -> all. The web server on the real ip address works fine. The Virtual interface does not respond to any request. However like I said any host on the untrusted (external) network can make a request and get a relay just fine. It's like a routing issue but I can't find it.

It acts as if there is no default route for the virtual interface to the public network. And If I add one it will work but the other web server will stop working. Ahhhh, I want to pull whats left of my hair out...

[:)]
Cancel
Vote Up 0 Vote Down

Cancel
0 PreyTell over 22 years ago in reply to PreyTell

I just ran some more test. While watching the access logs on the failing server I notice that if I use a client that is on the external subnet the access is logged and everything works just fine. If I go to an outside source and connect to the ip address of the virtual interface there is no access logged. So the firewall never even forwards the packet.

Why would the firewall treat the outside subnet and the public net differently?

I'll give you an example with addresses..

Outside subnet: 128.63.37.112/29
Outside interface: 128.63.37.117/29
Virtual Interface: 128.63.37.116/32

Inside Network: 192.168.3.0/24
Inside interface: 192.168.3.254/24
Inside web machine 1: 192.168.3.98/24
Inside web machine 2: 192.168.3.99/24

MASQ: Internal Network to External address

DNAT Source: any
Dest: External Interface
Service: HTTP
Change Source to: ::No Change::
Change Dest to: {web server 1}
Service Destination: ::No Change::

DNAT Source: any
Dest: Virtual Address
Service: HTTP
Change Source to: ::No Change::
Change Dest to: {web server 2}
Service Destination: ::No Change::

Rules:

From: Any
Service: HTTP
To: {webserver 1}
Action: Allow

From: Any
Service: HTTP
To: {webserver 2}
Action: Allow

From: Internal_Network
Service: Any
To: Any
Action: Allow

---------------------

webserver 1 works fine...
webserver 2 - nada...

But from the outside subnet: 128.63.37.112/29 ( I used 128.63.37.115) both servers work fine....Just not from the public net....

Still searching....
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 PreyTell over 22 years ago in reply to PreyTell

I just ran some more test. While watching the access logs on the failing server I notice that if I use a client that is on the external subnet the access is logged and everything works just fine. If I go to an outside source and connect to the ip address of the virtual interface there is no access logged. So the firewall never even forwards the packet.

Why would the firewall treat the outside subnet and the public net differently?

I'll give you an example with addresses..

Outside subnet: 128.63.37.112/29
Outside interface: 128.63.37.117/29
Virtual Interface: 128.63.37.116/32

Inside Network: 192.168.3.0/24
Inside interface: 192.168.3.254/24
Inside web machine 1: 192.168.3.98/24
Inside web machine 2: 192.168.3.99/24

MASQ: Internal Network to External address

DNAT Source: any
Dest: External Interface
Service: HTTP
Change Source to: ::No Change::
Change Dest to: {web server 1}
Service Destination: ::No Change::

DNAT Source: any
Dest: Virtual Address
Service: HTTP
Change Source to: ::No Change::
Change Dest to: {web server 2}
Service Destination: ::No Change::

Rules:

From: Any
Service: HTTP
To: {webserver 1}
Action: Allow

From: Any
Service: HTTP
To: {webserver 2}
Action: Allow

From: Internal_Network
Service: Any
To: Any
Action: Allow

---------------------

webserver 1 works fine...
webserver 2 - nada...

But from the outside subnet: 128.63.37.112/29 ( I used 128.63.37.115) both servers work fine....Just not from the public net....

Still searching....
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 oliver.desch over 22 years ago in reply to PreyTell

assuming cabling and routing settings are O.K . and there are no entries in the packet filter
livelog, hhmmm I would check the ARP table of the default gateway maybe the MAC address of
server2 is still in its ARP cache.

read you
o|iver
Cancel
Vote Up 0 Vote Down

Cancel