EasyManua.ls Logo

D-Link NetDefendOS

D-Link NetDefendOS
912 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Loading...
lan_ip (10.0.0.1): the local network's private IPv4 address
wwwsrv_ip (10.0.0.2): the web server's private IPv4 address
client_ip (10.0.0.3): the local client's private IPv4 address
The Problem
If a SAT rule is created as before with an Allow rule, the rule set would be as follows:
# Action Src Iface Src Net Dest Iface Dest Net Service SAT Action
1 SAT any all-nets core wan_ip http-all Destination IP: wwwsrv_ip Port: 80
2 Allow any all-nets core wan_ip http-all
However, this will not work for clients on the same network as the web server. The reason is that
when such a client receives the reply, the source address will not match the IP address to which
the request was sent. This results in the client ignoring the reply. This is because of the following
sequence of events:
1. The local client performs a public DNS lookup for the web server IP and then sends an HTTP
request to wan_ip to reach the web server.
10.0.0.3:1038 => 203.0.113.10:80
2. NetDefendOS translates the address in accordance with SAT rule 1 and forwards the packet
in accordance with Allow rule 2:
10.0.0.3:1038 => 10.0.0.2:80
3. The server at wwwsrv_ip processes the packet and replies:
10.0.0.2:80 => 10.0.0.3:1038
The reply will be sent directly to the client across the local network, bypassing the firewall.
4. The client expects a reply from 203.0.113.10:80 and not 10.0.0.2:80. so the response is
discarded and the client continues to wait for a response from 203.0.113.10:80, which will
never arrive.
The Solution is Using SAT with NAT
In order that the reply from the web server has the expected source IP address when it arrives at
the client, a NAT rule has to be added as shown below:
# Action Src Iface Src Net Dest Iface Dest Net Service SAT Action
1 SAT any all-nets core wan_ip http-all Destination IP: wwwsrv_ip
2 NAT lan lan_net core wan_ip http-all
3 Allow any all-nets core wan_ip http-all
The order of events now becomes:
1. The client sends traffic to wan_ip in order to reach the webserver:
10.0.0.3:1038 => 203.0.113.10:80
2. NetDefendOS translates the connection in accordance with rule 1 to change the destination
Chapter 7: Address Translation
604

Table of Contents

Related product manuals