Server publishing via D-Link DFL gateway

I had a task: to publish a service on an IP address that is not bound to a WAN interface of a D-Link DFL router. I could not find instructions on the Internet that solved this problem, so I wrote my own.

Initial data (all addresses are given as an example)

Web server in the internal network with IP 192.168.0.2 (port 8080).
The pool of public addresses allocated by the provider: 5.255.255.0/28; provider gateway: 5.255.255.1; the remaining "our" addresses: 5.255.255.2-14.

Let's say we use addresses 5.255.255.2-10 for NAT and other needs. The provider link is connected to port wan1, and address 5.255.255.2 is assigned to interface wan1.

Task: publish the internal web server on the public address 5.255.255.11, port 80.

Solution briefly

To publish a service on an IP that does not match the interface address, you will need:

  1. A route, so that the router knows the published IP is to be looked for "inside itself" (using the routing tables).
  2. Proxy ARP publication, so that the router tells its neighbours that the published address belongs to it.
  3. A firewall rule (SAT), which inside the router replaces the destination address with the address of the destination server.
  4. A firewall rule (Allow), which permits the connection from the external interface to the published address inside the router.

And now a little more about each item.

Prepare

I. First, let's create "Objects" for everything we need (I will show the process in the web interface; I think those who work with the console will be able to translate the actions into console commands).

1. Add two ipv4 addresses to the address book:
web-server = 192.168.0.2
public webserver = 5.255.255.11

2. Then add ports to the list of services:
int_http = tcp: 8080

Port tcp:80 is already present in the list of services under the name http; it has a limit of 2000 sessions, which can be adjusted.

It turned out that it was not necessary to add the server's port on the internal network at all, but I leave it in, because an example may be needed for a public port, and they are added in the same way.

II. Let's go straight to the solution.

Items 1 and 2 can be combined, because when adding a static route it is possible to enable Proxy ARP right away. To be honest, I did not notice this option at first and set up the ARP publication manually; the router has that functionality as well.

1. So, if you have not yet created heaps of routing tables and rules for them, everything can be done in the main routing table, which is called main.

The main table will already contain a route to the network 5.255.255.0/28 via interface wan1, and the metric of this route matches the metric set in the interface settings (100 by default).

To prevent the gateway from sending packets for the published address back out of interface wan1, create a static route for the address public webserver to interface core with a metric lower than 100 (lower than the wan1 interface metric); the gateway will then look for that address "inside itself".

2. In the same place, when creating the route, you can configure Proxy ARP so that the gateway answers ARP requests for the published address. Create the route, but do not click OK yet: switch to the second tab, Proxy ARP, and add interface wan1 there.

3. Finally, let's move on to setting up NAT and the firewall (this is already described in sufficient detail in the instructions on dlink.ua).

We create a SAT rule so that, in a packet arriving on interface wan1 with destination address public webserver and destination port http (the address for which we configured the route to interface core), the destination address is replaced with the internal address of our server, web-server, and the destination port with 8080.

4. The next step is to allow such a packet: create an Allow rule with the same parameters (it is convenient to copy the SAT rule and change the action to Allow).

Note: in this case the rules must be in this order, first SAT, then Allow. From the dlink.ua instructions:

Remember that the SAT rule must be above the allow rule. This is because a packet that hits an allow or deny rule does not go further down the Rules table.

(dlink.ua)

In this case, the allow rule is also created for the public port and address:

Note that the protocol, interface and network parameters in the allow rule are the same as in the rule with the "SAT" action.

It seemed to me that the packet had already been processed by the SAT rule one line earlier, and that its destination address and port were therefore already the new ones, but no: it appears the replacement happens only after all the other rules have been processed.
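To make the routing step (item 1) and the rule-ordering behaviour of items 3 and 4 concrete, here is a small model of what the gateway does with the inbound packet. This is an added example, not D-Link's code and not the router's real implementation; it assumes exactly the semantics the text describes: a SAT rule only records the translation and evaluation continues down the table, an Allow or Deny rule ends the walk, and the translation is applied afterwards, so the Allow rule has to match the original (untranslated) address and port. The internal interface name lan, the metric 90 for the core route and the client address 203.0.113.7 are assumptions; the other addresses are the ones from the article.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# --- Routing: which interface does the gateway send a destination to? ---

@dataclass(frozen=True)
class Route:
    network: str      # e.g. "5.255.255.0/28"
    interface: str    # e.g. "wan1", "core", "lan"
    metric: int

def lookup_route(routes, dst: str) -> Optional[str]:
    """Most specific matching route wins; among equal prefixes, the lowest metric.
    The /32 route for the published address therefore beats the /28 route to wan1
    on prefix length and on metric (90 < 100), which is what the article relies on."""
    addr = ip_address(dst)
    best = None
    for r in routes:
        net = ip_network(r.network)
        if addr in net:
            key = (net.prefixlen, -r.metric)
            if best is None or key > best[0]:
                best = (key, r)
    return best[1].interface if best else None

# --- Rule table: top-down walk, SAT recorded during the walk, applied at the end ---

@dataclass(frozen=True)
class Packet:
    src_if: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                      # "SAT", "Allow" or "Deny"
    src_if: str
    dst_if: str                                      # interface the *untranslated* destination routes to
    dst_net: str
    service: Tuple[str, int]                         # (protocol, destination port)
    translate_to: Optional[Tuple[str, int]] = None   # (new IP, new port) for SAT rules

def matches(rule: Rule, pkt: Packet, dst_if: Optional[str]) -> bool:
    """Every rule, including Allow, is compared against the original packet."""
    return (rule.src_if == pkt.src_if
            and rule.dst_if == dst_if
            and ip_address(pkt.dst) in ip_network(rule.dst_net)
            and rule.service == (pkt.proto, pkt.dport))

def process(routes, rules, pkt: Packet):
    """Returns (verdict, final_dst_ip, final_dst_port, egress_interface)."""
    dst_if = lookup_route(routes, pkt.dst)
    pending = None                      # translation recorded by a SAT rule, if any
    for rule in rules:
        if not matches(rule, pkt, dst_if):
            continue
        if rule.action == "SAT":
            pending = rule.translate_to  # keep walking: SAT does not end evaluation
        elif rule.action == "Allow":
            if pending is None:
                return ("allow", pkt.dst, pkt.dport, dst_if)
            new_ip, new_port = pending   # translation applied only now
            return ("allow", new_ip, new_port, lookup_route(routes, new_ip))
        elif rule.action == "Deny":
            return ("deny", pkt.dst, pkt.dport, dst_if)
    return ("drop", pkt.dst, pkt.dport, dst_if)   # nothing matched: default drop

# --- The article's scenario (constructed sample data) ---

ROUTES = [
    Route("5.255.255.0/28", "wan1", 100),   # provider pool via wan1, metric from the interface
    Route("5.255.255.11/32", "core", 90),   # static route for "public webserver" into the gateway itself
    Route("192.168.0.0/24", "lan", 100),    # internal network (interface name assumed)
]
SAT_WEB = Rule("sat_web", "SAT", "wan1", "core", "5.255.255.11/32", ("tcp", 80),
               translate_to=("192.168.0.2", 8080))
ALLOW_WEB = Rule("allow_web", "Allow", "wan1", "core", "5.255.255.11/32", ("tcp", 80))
# The mistake the article warns about: an Allow written for the post-translation values.
ALLOW_POST_NAT = Rule("allow_wrong", "Allow", "wan1", "lan", "192.168.0.2/32", ("tcp", 8080))
# Constructed inbound request from an arbitrary Internet host (203.0.113.7 is documentation space).
REQUEST = Packet("wan1", "203.0.113.7", "5.255.255.11", 80)

def scenario():
    """Outcomes for the three rule orderings discussed in the article."""
    return {
        "sat_then_allow": process(ROUTES, [SAT_WEB, ALLOW_WEB], REQUEST),
        "allow_then_sat": process(ROUTES, [ALLOW_WEB, SAT_WEB], REQUEST),
        "allow_post_nat": process(ROUTES, [SAT_WEB, ALLOW_POST_NAT], REQUEST),
    }

if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:15s} -> {result}")
```

Running it shows the three cases side by side: with SAT above Allow the request leaves towards 192.168.0.2:8080 on the internal interface; with Allow above SAT it is allowed untranslated and ends up at the gateway itself on core (the SAT line is never reached); and an Allow rule written for the translated address and port never matches the original packet, so the request is dropped.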

In the instructions from D-Link, SAT functionality is covered in depth and many interesting features are presented. My goal was to cover a question not addressed in that manual or in other instructions. I hope these instructions will be useful and understandable.

Source: habr.com