Building an Astaro personal firewall with spare or low end parts - Part 3

Posted by: Pete Stagman on 3/22/2009

Follow Pete on Twitter! http://twitter.com/tyrstag
Double NAT

In most cases, your ISP gave you a MODEM or Router that sits between the Internet and your Home Network and chances are good that your MODEM/Router (I’m just going to call it a Modem from now on) is doing NAT. So you have a public IP Address on the outside of the Modem and a Private address on the inside. If you then add your Astaro Firewall into the mix with NAT enabled, you are adding a second level of NAT as the Astaro will take that Private IP Address and change it to a Different Private IP Address.

The best option in this environment is to call your ISP’s tech support and ask them if they can switch off NAT and set the Modem to Bridge Mode so that it will not try to give out Private IP addresses. Explain to them that you are trying to add a hardware firewall and this is the way it’s supposed to work. If they agree to do it, then your Astaro will end up with a Public IP Address on its External Interface and you won’t have to worry about Double NAT-ting at all.
If they refuse to change the settings, you can still get it to work, but you’ll have to do a bit more work.
 
Accessing the Internet in a Double NAT

In order for your PC to access the Internet, the traffic has to be NAT-ed in reverse at each hop, which means that the DHCP settings that the Router and the Astaro are giving out need to be correct. The gateway that the Astaro hands out along with the IP address should be the Internal IP Address of the Astaro. The External Address of the Astaro should be an address given to it by the Router, with the Internal IP Address of the Router as its Gateway.

In order for your network to work in a Double NAT environment, you MUST follow these rules:
- The IP Sub-Nets of the Modem-to-Astaro and the Astaro-to-PC links MUST be different, e.g. Modem-to-Astaro 192.168.1.x, Astaro-to-PC 192.168.2.x (you don’t have to use these exact subnets; any Private Address ranges will work).
- The External gateway on the Astaro must be set as the Internal Address of the Modem.
- The gateway of the PC must be set to the Internal IP Address of the Astaro.
- If you are going to remote access your Network, the External Address of the Astaro MUST be Static, and any machine you plan on accessing from the Internet must also be set static.
 
Accessing your network remotely from the Internet
Say that you wanted to be able to Remote Desktop to your PC from the Internet.

This is where it can get really confusing in a Double NAT network. First you will have to get into the Cable Modem and Port Forward the RDP Port(3389) to the External Address of the Astaro. To the Astaro? Yes, because then you have to get into the Astaro and Port Forward the RDP Port AGAIN to the destination PC. You can see how this is done in Part 2.
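The addressing rules and the double port forward described above, as an added example that is not part of the original post or of Astaro's software. It checks a constructed address plan against the four Double NAT rules and follows a forwarded port inward from the public address; the public address 198.51.100.7 and the individual host addresses are assumptions, only the 192.168.1.x and 192.168.2.x ranges come from the post.

```python
import ipaddress

# Constructed address plan for the three segments in the post. Only the
# 192.168.1.x / 192.168.2.x ranges come from the post; the public address
# and the individual host addresses are assumptions.
PLAN = {
    "modem": {"external": "198.51.100.7", "internal": "192.168.1.1",
              "inside_net": "192.168.1.0/24"},
    "astaro": {"external": "192.168.1.2", "external_gateway": "192.168.1.1",
               "internal": "192.168.2.1", "inside_net": "192.168.2.0/24"},
    "pc": {"address": "192.168.2.10", "gateway": "192.168.2.1"},
}

# Port forwards configured at each NAT hop: destination port -> next hop.
# RDP (3389) has to be forwarded twice, once on each NAT device.
FORWARDS = {
    "modem": {3389: "192.168.1.2"},    # modem -> Astaro external address
    "astaro": {3389: "192.168.2.10"},  # Astaro -> the PC on the inside network
}


def check_plan(plan):
    """Return the Double NAT rules the plan violates (empty list means OK)."""
    problems = []
    modem_net = ipaddress.ip_network(plan["modem"]["inside_net"])
    astaro_net = ipaddress.ip_network(plan["astaro"]["inside_net"])
    if modem_net.overlaps(astaro_net):
        problems.append("subnets overlap")
    if not (modem_net.is_private and astaro_net.is_private):
        problems.append("inside subnets must be private address ranges")
    if plan["astaro"]["external_gateway"] != plan["modem"]["internal"]:
        problems.append("Astaro external gateway is not the modem's internal address")
    if plan["pc"]["gateway"] != plan["astaro"]["internal"]:
        problems.append("PC gateway is not the Astaro's internal address")
    if ipaddress.ip_address(plan["astaro"]["external"]) not in modem_net:
        problems.append("Astaro external address is outside the modem's subnet")
    return problems


def forward_chain(plan, forwards, port):
    """Follow a destination port inward from the public address and return
    every address the packet is handed to. The chain dead-ends at the first
    NAT hop that has no forward for that port."""
    device_at = {plan["modem"]["external"]: "modem",
                 plan["astaro"]["external"]: "astaro"}
    path = [plan["modem"]["external"]]
    while device_at.get(path[-1]) in forwards:
        nxt = forwards[device_at[path[-1]]].get(port)
        if nxt is None:
            break
        path.append(nxt)
    return path
```

Dropping the Astaro entry from FORWARDS shows why the post says "to the Astaro? Yes": the packet then stops at 192.168.1.2 and never reaches the PC.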

Adding a Wireless Router to the Network
You want to add wireless to your Network and you have a Wireless Router that you had kicking around. Well, Guess what? That Wireless Router is going to want to add another level of NAT to your Network!
Here, the best option is to not use a Wireless Router at all, if you don’t already have the Wireless, go buy a Wireless Access Point without any Routing. If you already have the Wireless Router, get into the management interface and see if there is a setting for “Access Point Only”. This is common in newer Wireless routers. If this is NOT an option, then you want to make sure that DHCP is NOT enabled in the Wireless Router. You DO NOT want the Wireless giving out its own addresses, you want it to get the addresses from the Astaro and pass those out.
The other thing you want to make sure of is that the Wireless is on the INSIDE Network, after the Astaro. Do not plug anything into the WAN Port on the Wireless, you want the Wireless to be an Access Point and NOT do any Routing.

Setting up a DMZ

First, what is a DMZ? A DeMilitarized Zone is a separate Network that is neither inside nor outside your Network. How can it be neither? Easy, it’s a 3rd separate Network. This is why the Hardware Requirements for the Astaro include 3 NICs.

So, why would you want a DMZ?
If you have a server that you want people to be able to access from the Internet, it is likely that at some point, that server will get hacked or “Owned” and may become a danger to your Internal Network. A DMZ gives you another layer of security from that “Owned” server and your Internal computers won’t be susceptible to easy attack from your OWN SERVER.
 
Setting up the DMZ on the Astaro
To enable a DMZ on the Astaro, first log in to the management interface. Navigate to Network, Interfaces.

Then select “New Interface . . .”
Give the new Interface a Name.
The Type: should be “Ethernet Standard”
Hardware is any NIC you have remaining on the drop down. If you had 3 NICs there will be only one available in the drop down. If you had more than 3 NICs, you may have more options in the drop down.
The Address: Needs to be a different address range from your Internal and External addresses. I chose 192.168.3.1
The Netmask: can be any Mask you like, depending on how many addresses you think you will need. I left it at 255.255.255.0
All the other settings you can leave at the defaults.

Click “Save” to save your new Interface.

Click the RED light to enable the Interface.
The next step is enabling a MASQ (masquerading rule) for the interface. This allows the computers on the DMZ Network to access the Internet.
Navigate to Network Security, NAT then click on “New masquerading rule . . .”

Here you tell the firewall which Network is allowed to reach the Internet through which Interface.

For Network: you want to choose the Network Interface you created in the previous step. Mine was called “DMZ”
The Interface: is the Name of the Interface that accesses the Internet. As you see here, Mine is “External (WAN)”
Click “Save”

Click the RED Light to enable the MASQ.

Creating a Packet Filter Rule
That Interface now has a path to the Internet, but NO DATA is allowed to pass. So, now we have to go to Network Security, Packet Filter.
Click “New rule . . .” to create a new packet filter rule. Here we set what services the DMZ is allowed to access on the Internet. Let’s assume that you are going to install an e-mail server in the DMZ. An e-mail server will need to reach the Email Messaging services on the Internet, so we’ll create a rule that allows those services. (Notice the rule that I have that says Internal Network -> ANY -> ANY. That is a No No: you should never have a rule with more than ONE ANY in the definition. I’ll fix that; I’m not sure why it’s there.)
You can set Groups of rules that should stay together. We don’t have many rules, so it’s not really necessary.
Packet Filter Rules are tested in order from Top to Bottom. The Rule Position would matter if we had many rules; if you add many servers and services, you may end up with lots of rules. In that case, move the rules that match most often to the top of the list. Things like HTTP, which is probably most of your Internet traffic, belong at the top so the firewall doesn’t have to go through the entire list of rules before it finds a match. Services that you use only occasionally should go to the bottom of the list.
The Source: will be the “DMZ (Network)” that we created earlier. This is where the traffic will come FROM. We are SENDING mail from here.
The Service: is the “Email Messaging” group of services. If you were to look in this group you would find SMTP, POP3, IMAP . . .
The Destination: in this case is ANY. That means ANY host on the Internet. If you are using your ISP’s mail server or another service like Postini, you could set a Host address instead of ANY.
The Action: is Allow. We are ALLOWING the traffic through. Other options are Deny and Drop. The difference between Deny and Drop is important. Deny sends a message back to the originating host saying that it was denied; Drop silently discards the traffic without any message.
Click Save to save your new Packet Filter Rule.

Click the RED light to enable the rule.

Adding a Host Server to the DMZ
Now that we are allowing mail out of our network, we need to let it in. To do this we’ll have to create a Host Definition and NAT rule.
Navigate to Network Security, NAT. Then click the DNAT/SNAT tab.
Click “New NAT rule . . .”
Give your NAT rule a descriptive Name:
Group and Position: work the same way they do in Packet Filters. Move the more often used to the top of the list.
Our Traffic Source: is Any, so we can receive mail from anywhere on the Internet
Traffic Service: is our Email Messaging group again.
The Traffic Destination: is the Interface that has the Public IP Address of our mail server. In most cases it will just be the External (WAN).
The NAT Mode: is DNAT (Destination)

Next we need to add the Destination Host
Click the GREEN Plus Sign next to the Destination box. This brings up the Add Network Definition box.
Give your Host a Name: I just called it “Mail Server”
The Type: will remain Host.
Enter the IP Address that you will give your mail server. I chose 192.168.3.2
Select the DMZ Interface:
Comment is optional.
Click Save to save the host you just created.

This will bring you back to the DNAT screen. Complete filling out the fields by clicking the “Automatic packet filter rule:” check box. This does what it says and creates a packet filter that will allow the traffic you defined in the NAT Rule.

Congratulations! You now have a working Email server in your DMZ that is separated from both your internal network and the Internet.

Accessing Servers that are in your DMZ from your Internal Network
Now that we have your Mail Server in the DMZ, it might be nice to actually be able to manage it. The easiest way to do it is with RDP (Remote Desktop Protocol). But, we have all traffic blocked between our Internal Network and the DMZ. So, we need to create a packet filter rule that will allow RDP from our Internal Network to the DMZ.
Navigate to Network Security, Packet Filter.
We don’t need a Group here.
Since we don’t have many rules and we shouldn’t be using this rule often, we can leave the Position: at the Bottom
Our Source: is the Internal (Network) since we may want to manage this server from any computer on your Internal Network. You could set this to a Single Host if you wanted to.
The Service: is Microsoft Remote Desktop
And the Destination: is DMZ (Network) Again you could set this to just a single IP address (Host) but we may add other servers and it will be easier to have a rule that allows the entire network rather than creating a rule for every machine you may add.
Action: is Allow

Click the RED Light to enable the rule.

You now have access to any machine on the DMZ network from the Internal Network, and ONLY from the Internal Network.
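The top-to-bottom, first-match evaluation described in the two packet filter sections above (the DMZ -> Email Messaging -> Any rule and the Internal -> Microsoft Remote Desktop -> DMZ rule), as an added example that is not part of the original post or of Astaro's software. It also includes the check the post recommends against rules with more than one ANY; the internal LAN range 192.168.2.0/24, the port numbers and the silent-drop default are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Network definitions as named in the post. The internal LAN address range
# is an assumption; the post only fixes the DMZ at 192.168.3.x.
NETWORKS = {
    "Internal (Network)": ipaddress.ip_network("192.168.2.0/24"),
    "DMZ (Network)": ipaddress.ip_network("192.168.3.0/24"),
    "Any": ipaddress.ip_network("0.0.0.0/0"),
}

# Service groups as (protocol, destination port). The post names the group
# members (SMTP, POP3, IMAP, RDP); the standard port numbers are assumed.
SERVICES = {
    "Email Messaging": {("tcp", 25), ("tcp", 110), ("tcp", 143)},
    "Microsoft Remote Desktop": {("tcp", 3389)},
    "Any": None,  # matches every protocol and port
}


@dataclass
class Rule:
    name: str
    source: str
    service: str
    destination: str
    action: str  # "Allow", "Deny" (reply sent back) or "Drop" (silent)


def lint(rules):
    """Names of rules with more than one ANY, the post's 'No No'."""
    return [r.name for r in rules
            if [r.source, r.service, r.destination].count("Any") > 1]


def evaluate(rules, src_ip, dst_ip, proto, port):
    """Walk the rules top to bottom; the first match decides. With no match
    the packet is silently dropped (assumed default: the post only says that
    nothing passes without a rule)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        svc = SERVICES[r.service]
        if (src in NETWORKS[r.source] and dst in NETWORKS[r.destination]
                and (svc is None or (proto, port) in svc)):
            return r.action, r.name
    return "Drop", "<default>"


# The two rules built in the post, in the order they sit in the list.
RULES = [
    Rule("DMZ mail out", "DMZ (Network)", "Email Messaging", "Any", "Allow"),
    Rule("Manage DMZ", "Internal (Network)", "Microsoft Remote Desktop",
         "DMZ (Network)", "Allow"),
]
```

RDP from the DMZ back into the Internal Network hits no rule and falls through to the default, which is what "ONLY from the Internal Network" means in practice.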

9 Comments

    • Dec 12 2009, 1:47 PM Schoppenaas
    • Thanks for this good article I hope that there will be an part 4 (or more). Setting up VPN?

    • Apr 09 2010, 5:47 PM bonus de bienvenue casino
    • I installed the software, during which I selected eth0 as my connection to the internal network. I am not going through the wizard and I only see 1 NIC card??? If I choose X=Cancel on the Setup wizard it brings me out to the Dashboard section. When I go into the Network > Interfaces > Hardware I only see one NIC. Not sure what is going on here. I do not know what the problem is. Please give some suggestions, so I can remove that error.

    • Feb 05 2010, 7:14 AM Pete Stagman
    • Are there 2 different brands of NICs? Is there one on the motherboard and you added another? It could be that one is not supported by the Astaro software. No driver.
      --Pete

    • Mar 07 2010, 9:05 AM Spielcasinos
    • One way is to request more IP addresses from your ISP, where you can assign each ISP-provided IP address to each of your hosts respectively. Keep in mind that this choice might not be financially feasible or might introduce technical limitations. Your system administrator needs to configure the DNS BIND to be able to do such resolving. Fortunately there is a nice DNS feature on Cisco ASA and PIX Firewall where the DNS needs only to resolve names to the inside IP address, and still have the outside users able to access the server.

    • Mar 29 2010, 5:58 AM gaurav
    • Data security is a very important issue nowadays in the IT sector. You have provided good information in your blog.

    • Apr 09 2010, 6:10 PM Adam
    • Your guide is excellent and got me part of the way through this, but I've still got a few problems and wondering if you can help... I'll start with explaining what I'm trying to set up. I have a Comcast cable modem whose address is set up with DynDNS. I have a LinkSys wireless router (not used for DNS or DHCP). I have a Windows 2003 Server that is my Domain Controller, DNS, and DHCP server. I'm trying to figure out how to connect all this stuff together properly... I've got Astaro installed and connect to it on the internal card (192.168.1.100) but when I try and plug it between the modem and the router everything times out. I'm plugging the cable from the modem into the external NIC and then the internal NIC into the "Internet" port on the router. Is that wrong? In Astaro I've set up the DynDNS entry and have the internal NIC configured to 192.168.1.100 and can connect to it when it's just sat on my network as another PC. I haven't configured anything else for the External NIC, should I? Really hoping you can help! Thanks,
      Adam

    • Apr 09 2010, 6:11 PM Pete Stagman
    • Hi Adam,
      You don't want the wireless to route at all, so don't use the Internet/WAN port. Most Wireless routers have 2-4 LAN ports. Insert the patch cord from the Astaro Internal Port into 1 of the LAN ports.
      When I have a Wireless Router acting as an access point ONLY, I put a piece of tape over the WAN port to make sure that nothing gets plugged into it.
      So, to make sure you got this, you should have, Coax into Cable Modem, LAN port on modem to External Port on Astaro, Internal port on Astaro to LAN port on Wireless Router.
      --Pete

    • Apr 12 2010, 1:58 PM Adam
    • Thanks Pete! Yes, got it working great now!

    • Aug 18 2010, 6:24 AM Contact Center
    • This post is really a useful one for all those who are working in the networking field. It is useful information for all that we follow as told in the post: if we add a second level of NAT, then the Astaro will take that Private IP Address and change it to a Different Private IP Address. We can make use of this technique in many fields of networking. The next section of this post discusses Accessing the Internet in a Double NAT. All these techniques are easily understandable as they are explained with the help of diagrams.
