This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DMZ on 2nd WAN uplink?

I've tried to diagram this as best I can using ASCII...ugh...Ive tried a bunch of stuff and searched through the

documentation but I don't do this stuff every day so I'm hoping someone could give me a high-level what components all need

to be configured to make this work...

    +---------+     +---------+
    |216.2.x.x|     |216.1.x.x|
    +----+----+     +----+----+
           |                     |
     +---+---+-------+---+---+
     | WAN 1 |******x| WAN 2 +---------+
     +---+---+-------+---+---+             |
           |                    |                      |
     +---+---+       +---+---+          +-------+
     |  LAN  =- - - -=  DMZ  |           |  DMZ2 |
     +---+---+       +---+---+          +---+---+
           |                    |                      |
     +=======+        /==+==\          /==+==\
     = router   =         = FTP =           = WEB =
     +==+=+==+        \=====/          \=====/
     |    |   |   |
     A    B  C   D

A-D = PC's, etc.

To explain...

I have two WAN connections (two separate public IP's).  I am currently using one for my normal network, and it works great!  Now I want to throw in an FTP server in a DMZ.  But I want it to use a different uplink than my LAN's uplink (point here is so traffic doing FTP won't affect my normal network, and vice-versa)

So...I have an interface created for WAN 2 and an interface called DMZ, but that's as far as I can get it working...or rather, not working haha!

I want to start by allowing SSH from my internal network (LAN) to go to my FTP server, so naturally I created the packet filters to allow it, tried it, scratched my head and

did some digging and realized I needed to configure more, so I went and added DNAT, took away DNAT, added masquerading, added DNAT, took away, etc. etc. I'm just blindly trying one thing after the next...Who knows what the odds of getting it right are (I think I might buy a lottery ticket instead!).  So I'm wondering if there is a guide that explains how to setup a second interface as a DMZ uplink...Anyone?

By the way I had this PERFECT in a notepad file, copied and pasted it here and lost a bunch of the spacing and stuff...oh well, I tried to tidy it up a bit...Lemme know if it's waaaay unclear or whatever...I could do a visio and slap it up instead I suppose if that helps...?

This thread was automatically locked due to age.

0 atarso over 16 years ago in reply to BAlfson

That's what I don't understand...I've specified the nat'd host but it doesn't go there. I think I need to look at what I've defined as the routes and gateway and such...Perhaps I need to do full NAT to maintain the destination address...? I'll post the final solution whenever I get to figuring it out! ;o)
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 16 years ago in reply to atarso

I had a bit of difficulty following Post #9, but I think your problem is the route you create in step 3 of that post.  Since the Astaro is a stateful firewall, you don't need to allow traffic in both directions.  If you allow SSH traffic to the DMZ from your Internal network, the Astaro will get the response back to you.  That would make step 2 unnecessary.

I think that step 4 may be unnecessary, too.  The DNAT that brings requests to the FTP server will, in effect, allow the return traffic.  You only need masquerading if you intend to initiate Internet downloads into the FTP server from the FTP server.

Step 5 actually has multiple DNATs.  The one that lets your home IP access with SSH won't allow traffic from 'Internal (Network)' into the DMZ.  For that, you will need a SNAT that replaces the source 'Internal (Network)' with 'DMZ (Address)'.  Or, create a policy route.  The disadvantage of the first solution is that the server in the DMZ always sees packets coming from one address.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel