D-Link NetDefendOS

address and in accordance with rule 2 to change the source address:
10.0.0.1:32789 => 10.0.0.2:80
3. The server at wwwsrv_ip processes the traffic and replies:
10.0.0.2:80 => 10.0.0.1:32789
4. The reply is processed by NetDefendOS so that the translation rules are applied in the
reverse order and it arrives at the client with the expected source address:
203.0.113.10:80 => 10.0.0.3:1038
In this way, the reply arrives at the client from the expected address. This is referred to in this
document as SAT with NAT and means that there are two IP address translations being applied.
The NAT rule changes the source address and the SAT rule changes the destination IP address.
The returning traffic then goes through the same translations but in reverse.
Note: Another solution is direct client/server communication
Another possible solution to the problem is for the internal client to communicate
directly with the web server since they are on the same network. This could be a better
solution since it avoids traversing the firewall. However, this would require an internal
DNS server so that the client could discover the private address of the web server.
Rule Ordering is Important
Reversing the order of the NAT and Allow rules as shown below would not provide the expected
behavior.
#  Action  Src Iface  Src Net   Dest Iface  Dest Net  Service   SAT Action
1  SAT     any        all-nets  core        wan_ip    http-all  Destination IP: wwwsrv_ip Port: 80
2  Allow   any        all-nets  core        wan_ip    http-all
3  NAT     lan        lan_net   core        wan_ip    http-all
In this case, the Allow rule would trigger before the NAT rule and the problem for clients on the
same network as the server will remain. The NAT rule must trigger first so this ordering would be
incorrect.
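The effect of rule ordering can be traced with a small model. This is an added example, not code from the manual or from NetDefendOS: the function names, the /24 mask for lan_net and the assumption that the firewall is the server's gateway for off-LAN replies are all hypothetical, and the rule lookup is simplified to "SAT records the rewrite and the search continues; the first matching Allow or NAT decides".

```python
import ipaddress

# Addresses taken from the page's example; LAN_NET's /24 mask is an assumption.
WAN_IP, WWWSRV_IP, LAN_IP = "203.0.113.10", "10.0.0.2", "10.0.0.1"
LAN_NET = ipaddress.ip_network("10.0.0.0/24")
ALL_NETS = ipaddress.ip_network("0.0.0.0/0")

# (action, source interface, source network, destination address), all http-all
GOOD_ORDER = [
    ("SAT",   "any", ALL_NETS, WAN_IP),
    ("NAT",   "lan", LAN_NET,  WAN_IP),
    ("Allow", "any", ALL_NETS, WAN_IP),
]
BAD_ORDER = [GOOD_ORDER[0], GOOD_ORDER[2], GOOD_ORDER[1]]  # Allow before NAT


def evaluate(rules, src_iface, src_ip, dst_ip):
    """Return (deciding action, source seen by server, destination seen by server).

    Rules are matched against the original addresses, top to bottom.
    """
    new_dst = dst_ip
    for action, iface, net, dest in rules:
        if iface not in ("any", src_iface):
            continue
        if ipaddress.ip_address(src_ip) not in net or dst_ip != dest:
            continue
        if action == "SAT":
            new_dst = WWWSRV_IP              # destination rewritten, keep searching
        elif action == "NAT":
            return action, LAN_IP, new_dst   # source replaced by the firewall's address
        else:
            return action, src_ip, new_dst   # Allow: source left untouched
    return "Drop", None, None                # no Allow or NAT rule matched


def reply_passes_firewall(server_sees_src):
    """True if the server's reply travels back through the firewall.

    Only such replies are reverse-translated. A reply sent straight to a LAN
    client arrives from wwwsrv_ip, not wan_ip, so the client does not accept it.
    """
    addr = ipaddress.ip_address(server_sees_src)
    return server_sees_src == LAN_IP or addr not in LAN_NET
```

With the correct ordering the internal client 10.0.0.3 is decided by the NAT rule and the server sees 10.0.0.1; with Allow placed before NAT the server sees 10.0.0.3 and answers it directly, bypassing the reverse translation.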
Adding Public Internet Access
Another NAT rule could also be added which allows internal clients access to the public
Internet as well. This is rule 3 in the table below:
#  Action  Src Iface  Src Net   Dest Iface  Dest Net  Service   SAT Action
1  SAT     any        all-nets  core        wan_ip    http-all  Destination IP: wwwsrv_ip
2  NAT     lan        lan_net   core        wan_ip    http-all
3  Allow   any        all-nets  core        wan_ip    http-all
4  NAT     lan        lan_net   any         all-nets  http-all
To summarize these IP rules:
SAT rule 1 performs translation of HTTP traffic arriving at the IPv4 address wan_ip to the
Chapter 7: Address Translation