NAT/FW on specific interfaces

Support section for FREESCO v0.4.x

NAT/FW on specific interfaces

Postby ckz » Fri Sep 16, 2011 8:02 am

Hi,

How can I configure FreeSco so that only one interface does NAT/firewalling and the others do not?

I'm trying to connect two routers, each with three interfaces. One is to the internet (semi).
I can't ping hosts on the other network. Only when disabling NAT/FW is it working.
But the problem I'm running against when not using NAT is port tcp/25 for mail testing. It's not accessible from outside my testlab.

Someone any suggestions?


TIA
ckz
Newbie
 
Posts: 5
Joined: Fri Sep 16, 2011 6:44 am

Re: NAT/FW on specific interfaces

Postby Lightning » Sat Sep 17, 2011 12:51 am

How can I configure FreeSco that way only one interface is NAT/Firewalling and the others are not?
It can only be done configuring two interfaces in the system and then manually configuring the third. Which is probably not something an average user can do. I could go through the steps but would need a LOT more detail on what you are trying to actually do and why because there are not really very many good reasons over just installing four network cards in the first router.
Which a "test" lab would not be a good enough reason for me.

P.S. FREESCO can be spelled "FREESCO", "Freesco", or even "freesco" but there is never any emphasis on "Sco" because FREESCO is a Linux based OS.
If you are afraid that you might make a mistake. The chances are high that you will never learn anything.
Lightning
FREESCO GOD !!
 
Posts: 12080
Joined: Wed Nov 14, 2001 6:50 am
Location: Oregon, USA

Re: NAT/FW on specific interfaces

Postby ckz » Mon Sep 19, 2011 3:18 am

I'll explain in more detail.

In my testlab I have three sites. Site A; B and C.

Each site has a router with 3 interfaces, except Site A, which has 4 interfaces.

Site A | eth0 address is from DHCP (reservation created on MAC address); connected to local network. Need NAT/FW enabled here for mail flow.
Site A | eth1 network 10.10.0.1, subnet 255.255.255.0 -> connection to router Site B ( 10.10.0.2/24 )
Site A | eth2 network 10.10.1.1, subnet 255.255.255.0 -> connection to router Site C ( 10.10.1.2/24 )
Site A | eth3 network 192.168.1.1, subnet 255.255.255.0 -> populated with servers/workstation ( AD Site A )

Site B | eth0 network 10.10.0.2, subnet 255.255.255.0 -> connection to router Site A ( 10.10.0.1/24 )
Site B | eth1 network 10.10.2.1, subnet 255.255.255.0 -> connection to router Site C ( 10.10.2.2/24 )
Site B | eth2 network 192.168.2.1, subnet 255.255.255.0 -> populated with servers/workstation ( AD Site B )

Site C | eth0 network 10.10.1.2, subnet 255.255.255.0 -> connection to router Site A ( 10.10.1.1/24 )
Site C | eth1 network 10.10.2.2, subnet 255.255.255.0 -> connection to router Site B ( 10.10.2.1/24 )
Site C | eth2 network 192.168.3.1, subnet 255.255.255.0 -> populated with servers/workstation ( AD Site C )

When all routers are created, I can't ping from one site to another. All systems in Site A can reach the internet over SiteA/eth0. When creating a port forwarding, the email flow is working. The MX records on the outside are delivering the mail to the testlab.

But I'm not able to get the data routed over the other connections. I tried various static route paths. Of course I created the opposite router with the mirror path. When bringing down the NAT/FW all is working, but the mail flow stops. For security reasons I can't change anything in the actual domain.
That is why I need this NAT rule to address tcp/25 from the DHCP address of the router to the mail server in my testlab.

If there are better ways to use the routing table, please let me know!!!

TIA





For this one I need to have NAT/FW enabled. Because in the test lab I'm running a domain incl. mailservers.
ckz
Newbie
 
Posts: 5
Joined: Fri Sep 16, 2011 6:44 am

Re: NAT/FW on specific interfaces

Postby Lightning » Mon Sep 19, 2011 8:50 am

For what you are asking, NAT is never going to work for more than one mail server regardless of where it is located. However, with port forwarding you can get one mail server working, and without NAT the entire system you have will not work without a bunch of static IPs issued by the ISP and routed through router A.
If you are afraid that you might make a mistake. The chances are high that you will never learn anything.
Lightning
FREESCO GOD !!
 
Posts: 12080
Joined: Wed Nov 14, 2001 6:50 am
Location: Oregon, USA

Re: NAT/FW on specific interfaces

Postby ckz » Tue Sep 20, 2011 4:50 am

In my case this NAT rule is sufficient. Due to security boundaries all mail flow needs to be sanitized first.
Because of this there is an extra hop between my testlab and the outside world.

With my "little" router knowledge, adding routes should do the trick?

SiteA to SiteB
"route add -net 192.168.2.0 gw 10.10.0.2 netmask 255.255.255.0"

SiteB to SiteA
"route add -net 192.168.1.0 gw 10.10.0.1 netmask 255.255.255.0"

But still I can't connect to servers from one site to another?

TIA
ckz
Newbie
 
Posts: 5
Joined: Fri Sep 16, 2011 6:44 am

Re: NAT/FW on specific interfaces

Postby Lightning » Wed Sep 21, 2011 12:11 am

The "route" is only half of the battle here. You also need firewall forwarding rules to get things to work between internal routers.

Unfortunately I still do not understand what it is you are doing and, more importantly, even why you would need or want to design a network or networks in this manner. Multiple inline routers are always going to be problematic, and that is one of the reasons FREESCO supports up to nine internal networks in one machine. Regardless of that, I don't understand enough about what you are doing to even guess at what kind of rules might be needed. Also, in almost every case when dealing with a "test lab" there is failure due to inaccurate testing or configurations.
If you are afraid that you might make a mistake. The chances are high that you will never learn anything.
Lightning
FREESCO GOD !!
 
Posts: 12080
Joined: Wed Nov 14, 2001 6:50 am
Location: Oregon, USA

Re: NAT/FW on specific interfaces

Postby ckz » Wed Sep 21, 2011 5:15 am

Hi,

The routers and the sites represent actual sites throughout Europe. They are connected to each other via MPLS.

For Exchange 2010 I need to test some redundancy scenarios. To test the scenarios I really need to disable connections from A to B, but not from B to C and A to C.
If I use one router (already configured it and it works) I can't just disconnect one site, because I don't have the alternative route. That is why I created a TestLab with several routers in it.

Can I add fw/nat rules for a bunch of ports at one time and also counts for all systems to all systems?

TIA
ckz
Newbie
 
Posts: 5
Joined: Fri Sep 16, 2011 6:44 am

Re: NAT/FW on specific interfaces

Postby Lightning » Wed Sep 21, 2011 8:00 pm

Can I add fw/nat rules for a bunch of ports at one time and also counts for all systems to all systems?
Yes and I don't understand.

It is easy to add forwarding or NAT rules for lots of specific ports. In FREESCO the location to add firewall or forwarding rules is in the /rc/rc_user file in the "$fire)" section of the script.

As for "counts" I don't know what you are referring to?
But if you mean accounting forwarding or firewall rules, the answer is yes.
If you are afraid that you might make a mistake. The chances are high that you will never learn anything.
Lightning
FREESCO GOD !!
 
Posts: 12080
Joined: Wed Nov 14, 2001 6:50 am
Location: Oregon, USA
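The thread ends with the two halves Lightning names: the static routes ckz already tried, plus the forwarding rules that the firewall needs for the inter-site links, with NAT kept on the internet interface only. The script below is an added example written for this page; it is not FREESCO's own /rc/rc_user code and was not posted by either participant. It assumes that FREESCO v0.4.x runs a 2.4 kernel with iptables (an assumption about the platform), takes the interface and address plan ckz posted for Site A, and uses a constructed mail server address (192.168.1.25) and a constructed DRY_RUN/run helper so the rule set can be printed and reviewed before anything is applied. The allow_site_pair function is more general than the two routes in the thread: the same function, called with Site B's or Site C's own interfaces, produces their side of each link.

```shell
#!/bin/sh
# Added example, not FREESCO's own /rc/rc_user code.
# Static routes plus iptables forwarding rules for Site A of the
# three-site lab described in the thread. Assumes FREESCO v0.4.x
# is running a 2.4 kernel with iptables (an assumption) and uses
# the interface/address plan ckz posted.
#
# DRY_RUN=1 (the default) prints each command instead of running it,
# so the rule set can be reviewed before it goes into the "$fire)"
# section. Set DRY_RUN=0 on the router itself to apply the commands.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Site A addressing, taken from ckz's post
WAN_IF=eth0                      # DHCP address; the only NAT interface
A_LAN_IF=eth3;  A_LAN=192.168.1.0/24
A_TO_B_IF=eth1; B_VIA=10.10.0.2; B_LAN=192.168.2.0/24
A_TO_C_IF=eth2; C_VIA=10.10.1.2; C_LAN=192.168.3.0/24
MAILSERVER=192.168.1.25          # constructed placeholder for the lab mail server

# Static routes: each remote site LAN is reached through the next-hop
# router on its point-to-point link (the "route add" half of the job).
site_a_routes() {
    run route add -net 192.168.2.0 netmask 255.255.255.0 gw "$B_VIA" dev "$A_TO_B_IF"
    run route add -net 192.168.3.0 netmask 255.255.255.0 gw "$C_VIA" dev "$A_TO_C_IF"
}

# The other half: the FORWARD chain must accept the inter-site traffic.
# Allows one local LAN and one remote LAN to talk across one link, in
# both directions, and nothing else on that link.
allow_site_pair() {
    lan_if=$1; lan=$2; link_if=$3; remote=$4
    run iptables -A FORWARD -i "$lan_if" -o "$link_if" -s "$lan" -d "$remote" -j ACCEPT
    run iptables -A FORWARD -i "$link_if" -o "$lan_if" -s "$remote" -d "$lan" -j ACCEPT
}

site_a_forward_rules() {
    # Replies to anything already accepted
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    allow_site_pair "$A_LAN_IF" "$A_LAN" "$A_TO_B_IF" "$B_LAN"
    allow_site_pair "$A_LAN_IF" "$A_LAN" "$A_TO_C_IF" "$C_LAN"
    # NAT only on the internet-facing interface (the "only one interface
    # is NAT" part of the question). Inter-site traffic is not
    # masqueraded, so hosts at B and C see Site A's real 192.168.1.x
    # addresses.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Inbound tcp/25 arriving on the DHCP address of eth0 goes to the lab
# mail server: the DNAT rewrites the destination, and the FORWARD rule
# admits only that flow, so nothing else from outside reaches the LAN.
site_a_mail_forward() {
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 25 \
        -j DNAT --to-destination "$MAILSERVER"
    run iptables -A FORWARD -i "$WAN_IF" -o "$A_LAN_IF" -p tcp \
        -d "$MAILSERVER" --dport 25 -m state --state NEW -j ACCEPT
}

# Stand-alone: print the whole Site A rule set for review.
site_a_routes
site_a_forward_rules
site_a_mail_forward
```

The rules assume the FORWARD chain already has a drop policy, which is what makes the explicit ACCEPT rules meaningful; if the firewall in use does not set one, `iptables -P FORWARD DROP` belongs before them. Site B and Site C get the mirror of this: `allow_site_pair eth2 192.168.2.0/24 eth0 192.168.1.0/24` on Site B's router, for example, together with the corresponding `route add` back to Site A, and no MASQUERADE at all since neither has an internet interface.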

