This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Need help witch astaro to share my internet connec

I'm new at using Astaro. I'm also pretty new at all of this.
With saying that I hope someone out there can help me.

I have a box witch has 3 NIC's. I want to test how good this firewall solution really is. I have a "/26" net.
After what I have understood by reading her, I can't get the Astaro to work as a bridging firewall.
That means that I cant make the firewall act as a switch. My first question is; "Is this is right"

I have tried to SNAT/DNAT (what is the different between these two?) ip's with little success.

Currently my network is connected right into a switch, but this offers little security.
Can enyone help me with the rules I need to make using SNAT/NAT/route to give my home computers
access to the Inetnett WITH different ip's on the Inetnett?

--------------------------------------------------------------------------------------------

(Internet) ----( fw )----( switch )
                          |  |  | |--(PC_01)
                          |  |  |----(PC_02)
                          |  |-------(PC_03)
                          |----------(PC_04)

NIC_exsternal = xxx.xxx.xxx.199 netmask: 255.255.255.192 gateway: xxx.xxx.xxx.193
NIC_internal  = 10.0.0.1        netmask: 255.255.255.0   gateway: "none"

PC_01 = inet: 10.0.0.31         netmask: 255.255.255.0   gateway: 10.0.0.1
PC_02 = inet: 10.0.0.32         netmask: 255.255.255.0   gateway: 10.0.0.1
PC_03 = inet: 10.0.0.33         netmask: 255.255.255.0   gateway: 10.0.0.1
PC_04 = inet: 10.0.0.34         netmask: 255.255.255.0   gateway: 10.0.0.1

--------------------------------------------------------------------------------------------

These are the rule that I have made: (please tell me what I have done right/wrong)

+--------------------------------------------------------+
|Definitions/Nettwork                                    |
+--------------------------------------------------------+
|Name: IP address: Subnet mask:             |
|LAN_PC01 10.0.0.31 255.255.255.255          |
|LAN_PC02 10.0.0.32 255.255.255.255          |
|LAN_PC03 10.0.0.33 255.255.255.255          |
|LAN_PC04       10.0.0.34       255.255.255.255          |
+---------------------------------------------------------

+-----------------------------------------------------------------------------+
|Network/Interfaces                                                           |
+-----------------------------------------------------------------------------+
|                                                                             |
|Name: IP address: Subnet mask: Gateway:      |
|DMZ (Stand..) on eth1 10.0.1.0 255.255.255.0   none          |
|LAN (Stand..) on eth2 10.0.0.1 255.255.255.0 none          |
|WAN (Stand..) on eth0 x.x.x.199 255.255.255.192 x.x.x..193    |
|                                                                             |
|WAN_PC01 (Additional..)on eth0 x.x.x.231 255.255.255.192 x.x.x.193     |
|WAN_PC02 (Additional..)on eth0 x.x.x.232 255.255.255.192 x.x.x.193     |
|WAN_PC03 (Additional..)on eth0 x.x.x.233 255.255.255.192 x.x.x.193     |
|WAN_PC04 (Additional..)on eth0 x.x.x.234 255.255.255.192 x.x.x.193     |
+-----------------------------------------------------------------------------+

+-------------------------------------------------------------+
|Network/"NAT/Masquerading": NAT Rules                        |
+-------------------------------------------------------------+
|Name   Match parameters   SRC translation   DST translation  |
|LAN til WAN   LAN_PC01 -> Any / Any   WAN_PC01   None        |
|WAN til LAN   Any -> WAN_PC01 / Any   None   LAN_PC01        |
|(and so on .. I'm lazy ..)                                   |
+ ------------------------------------------------------------+

+---------------------------------------------------------------------+
|Packet Filter:                                                       |
+---------------------------------------------------------------------+
|Any Any Any Allow                                                    |
|(just so that I could get things working. I will redefine this when  |
| I get the network sharing to work ;D)                               |
+---------------------------------------------------------------------+

Network/Routing = "nothing"

This was written in notpad .. Look her to see how it was supposed to look; http://194.19.69.167/~lodgin/help.html

I hope someone can help me

This thread was automatically locked due to age.

Parents

0 Simon Shaw over 22 years ago

Suggest you use MASQ

Masq internal LAN to external interface.
(This will give your LAN internet access)

To access these boxes from outside the firewall you will need to create DNAT/SNAT rules for each box and service you want to use. ie if PC1 is a FTP server create a SNAT/DNAT rule for its public IP to forward to the private IP of PC1 for FTP Services.

If you want all your LAN PC's to have all services open on their public IP's theres not much point in running a firewall.

Suggest strongly you just setup SNAT/DNAT for specific tasks.

Hope this helps somewhat.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Simon Shaw over 22 years ago

Suggest you use MASQ

Masq internal LAN to external interface.
(This will give your LAN internet access)

To access these boxes from outside the firewall you will need to create DNAT/SNAT rules for each box and service you want to use. ie if PC1 is a FTP server create a SNAT/DNAT rule for its public IP to forward to the private IP of PC1 for FTP Services.

If you want all your LAN PC's to have all services open on their public IP's theres not much point in running a firewall.

Suggest strongly you just setup SNAT/DNAT for specific tasks.

Hope this helps somewhat.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Hareide over 22 years ago in reply to Simon Shaw

Oh, nice. Didn't take long for someone to reply.. Tanks Simon Shaw!

Maybe I wrote this a little unclearly because you don’t see to understand what I want to use the firewall for.
I don't want every service to be open. I'm going to change the packet-rules when I get things working.
I also want to take a look at the graphical overview of the bandwidth usage. That's quite a neat function. Also the SNMP virus detection looks like a genius detail.

Also my home network needs to have separate PUBLIC ip addresses.

However you see this you have to agree that everything is better then to plug everything into a stupid 2 layered switch (in other words; “no management or control in any way”)
Cancel
Vote Up 0 Vote Down

Cancel
0 KKnecht over 22 years ago in reply to Hareide

For the first step:
If you only want to reach internet connection go to
\Network\NAT

and set a rule like this:

Name: masq_internet
Rule_type: Masquerading
NetworK: Your_Intranet
Interface: Internet_Interface

Did you also had a look at this ?

Regards,
Karsten
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon Shaw over 22 years ago in reply to KKnecht

Do you have a number of public IP's you can give the boxes ?
Cancel
Vote Up 0 Vote Down

Cancel
0 Hareide over 22 years ago in reply to Simon Shaw
Oh. I mentioned it above. I see now that someone easily can misinterpret what I wrote.

I have a "/26" net. My PUBLIC ip addresses are x.x.x.194 to x.x.x.255 (193 = gw).

What I tried to do was to set every ip address to the external network card of the firewall. Then I was supposed to forward/NAT/route everything that comes, to for example WAN_PC01, to the local machine (PC01) . Please look at this link if you found my first post difficult to read; http://194.19.69.167/~lodgin/help.html
The forum didn't let me use the "
" tag ;(

Therefore I don't want to use the "MASQ" solution, where you hide every machine, or node, behind one single address. I have the public addresses, and as you can se;

+-----------------------------------------------------------------
| Network/Interfaces
+-----------------------------------------------------------------
|
| Name:________________ IP address: Subnet mask: Gateway:
| DMZ (Stand..) on eth1 10.0.1.0 255.255.255.0 none
| LAN (Stand..) on eth2 10.0.0.1 255.255.255.0 none
| WAN (Stand..) on eth0 x.x.x.199 255.255.255.192 x.x.x..193
|
| WAN_PC01 (Additional..)on eth0 x.x.x.231 255.255.255.192 x.x.x.193
| WAN_PC02 (Additional..)on eth0 x.x.x.232 255.255.255.192 x.x.x.193
| WAN_PC03 (Additional..)on eth0 x.x.x.233 255.255.255.192 x.x.x.193
| WAN_PC04 (Additional..)on eth0 x.x.x.234 255.255.255.192 x.x.x.193
+------------------------------------------------------------------
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon Shaw over 22 years ago in reply to Hareide

I'd put all your "public" boxes on one interface.

Assign your public IP's to the external (Red) interface of the firewall. (Additional address on ethernet..)

Then use SNAT/DNAT rules and packet filters to access the the boxes.
More secure.
Cancel
Vote Up 0 Vote Down

Cancel
0 Hareide over 22 years ago in reply to Simon Shaw

Yeah. I have been trying to get "you" guys to understand just what you now said mr. Shaw. The problem is that I cant get it to work. I have given the exsternal interface "all" my PUBLIC ip addresses and a packet rule "Any Any Any Allow" (just until I get this working). The problem is that I can't get this to work.

I wonder what I am doing wrong, and that was my question from the start. Can anyone see what I am doing wrong? This is how I think the rule would look like. If I understand right I have to make 2 rules like this for every machine I have on the internal interface (LAN), but what is wrong!?!

Network/"NAT/Masquerading": NAT Rules

Name Match parameters SRC translation DST translation
LAN_PC01 to WAN_PC01 | LAN_PC01 -> Any / Any WAN_PC01 None
WAN_PC01 to LAN_PC01 | Any -> WAN_PC01 / Any None LAN_PC01
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon Shaw over 22 years ago in reply to Hareide

Sorry, we're a little slow.

OK, you've assigned your public IP's to the external interface.
(One of which is your "real" IP I guess).

Say your internal LAN is 192.168.0.0/24
You should have a group set called MyGreenNet or whatever which defines the above range.

Set one rule as:
OutBound MyGreenNet All / All

Next create SNAT/DNAT rules for each machine you want to access from remote.

AccessPC1 Any->PC1_Real_IP / Any

You might also need to create this packet rule.
From Any Service Any PC1_Real_IP Allow

Sometimes Any Any Any doesn't behave as expected.
(Packets from external to the Red interface are blocked by Any Any Any rule for instance.)

I have never tried allowing All services through to a box via SNAT/DNAT, guess it would work.

Unsure also about the fact your real IP is the same as the other IP's you've been given... Should work though, just have a bad feeling about it [:)]
Cancel
Vote Up 0 Vote Down

Cancel
0 Hareide over 22 years ago in reply to Simon Shaw

Oh my GOD! Well.. Now I'm pretty angry. I finally found out why I didn't get this whole mess to function. There was a problem some where with the external (WAN) interface, the cables between, and the switch it was connected to. The "link" diode indicated that there was "link", but the fact was that it wasn't. There was no traffic between the external NIC and the switch.

--(Switch)-(long, buggy cable)--(fw)---(switch with my LAN)

The weird thing was that it function when I used two switches.

--(Switch)-(long, buggy cable)--(switch)--(fw)--(test-hub with my LAN)

The thing that really trough me of track was the fact that I could use my personal computer, and plug the "loong cable" directly into my machine with success.

--(Switch)-(loong, byggy cable)--(my machine)

My conclusion was that there where a problem with the cheap [censored] of a NIC that represented the external (WAN) NIC. The whole thing started to function when I changed the placement of the firewall.

--(Switch)-(short cable)-(fw)---(long, buggy cable)---(switch with my LAN)

What else can I say; "Realtec is a piece of [censored] and I LOVE 3com ;D"

Detailed information:
WAN= Realtec 8139C
LAN= 3Com 3c905C-TX

This is what I want to believe, but I can’t really say because I have never seen a similar problem. Therefore I would love to get another explanation ..

Thanks for the support Simon Shaw!
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon Shaw over 22 years ago in reply to Hareide

Heh, I don't like 3Bomb or Realtek.

I usually stick with Intel NICs. Compex ENET100TX cards seem very good too.

Glad you got it sorted out anyway [:)]
Cancel
Vote Up 0 Vote Down

Cancel