Page 1 of 2
Results 1 to 10 of 14
  1. #1
    Untanglit
    Join Date
    Nov 2009
    Posts
    24

    FIXED: Rule to allow modem to talk to internal network?

    Hi everyone,

    This is a re-statement of my previous unanswered post as I think I made it too unclear exactly what I was trying to do. I hope no-one minds me posting again.

    Setup:

    I have a Cisco router acting as a NAT modem and an Untangle box behind it in router mode. This works exactly as expected with no problems.

    Please see the network diagram attached for my current setup.


    What I'm trying to do:

    I now want the Cisco router to be able to talk to the internal network (so it can send logs).


    Things I've tried:

    1. Added a static route on the Cisco to direct all traffic destined for internal (192.168.158.0/24) to the external interface on Untangle. This allowed the router to talk to all the interfaces in the Untangle box but no further.

    2. I've tried a bypass rule for all traffic coming from the Cisco's IP address going to anywhere on all protocols but this had no effect.



    I'm not sure where the traffic is going. If the Cisco can talk to an interface in Untangle that's on the same subnet as the internal network why can't it talk to the internal network?

    Hopefully the answer is blindingly obvious and someone can educate me.
    Last edited by Jon_Starr; 12-03-2009 at 11:43 AM. Reason: Untangle is in router mode, not bridge mode.

  2. #2
    Untangle Ninja raditude
    Join Date
    Jan 2009
    Location
    Eugene, OR
    Posts
    1,143


    Are you sure you are working in bridged mode? Based on your diagram you have the UT EXT_IF as 192.168.1.x, the INT_IF as 192.168.158.x, and the DMZ_IF as 192.168.2.x; this would be a router configuration, not bridge.
    Last edited by raditude; 12-03-2009 at 08:19 AM. Reason: updated INT_IF address

  3. #3
    Untanglit
    Join Date
    Nov 2009
    Posts
    24


    Hi raditude, thanks for the reply.

    I apologise, that was a mistake on my part. Untangle is in router mode.

  4. #4
    Untangle Ninja raditude
    Join Date
    Jan 2009
    Location
    Eugene, OR
    Posts
    1,143


    So do you have port forward rules in place to pass whatever ports to whatever server/system internally? What about your firewall module, if installed? Is it set to pass by default or block?

  5. #5
    Untanglit
    Join Date
    Nov 2009
    Posts
    24


    That's right, I have forwarding rules for the internal services.

    The default firewall option is Pass. The only rule enabled is to block any port 21 (FTP) traffic.

  6. #6
    Untangle Ninja raditude
    Join Date
    Jan 2009
    Location
    Eugene, OR
    Posts
    1,143


    Can you post what your port forward rule looks like?

  7. #7
    Untanglit
    Join Date
    Nov 2009
    Posts
    24


    Sure, the one I tried was:

    Code:
    If all of the following conditions are met:

    Source Address:        192.168.1.1
    Destination Address:   192.168.158.100

    Forward traffic to the following location:

    New Destination:       192.168.158.100

    I just tried a more sensible variation of:

    Code:
    If all of the following conditions are met:

    Source Address:        192.168.1.1

    Forward traffic to the following location:

    New Destination:       192.168.158.100

    But there was no change.
    Last edited by Jon_Starr; 12-03-2009 at 10:04 AM. Reason: Just tried a slightly different rule

  8. #8
    Untangle Ninja raditude
    Join Date
    Jan 2009
    Location
    Eugene, OR
    Posts
    1,143


    So you want ALL traffic to just go to that one internal address? Since ALL of your traffic would come from 192.168.1.1 based on your diagram, IF this rule worked, ONLY 192.168.158.100 would get ANY traffic, as that is what your rule is saying.

    In your first rule you say from source 192.168.1.1 to destination 192.168.158.100; you cannot do that. You could say source 192.168.1.1, destination 192.168.1.2 to new destination 192.168.158.100, but you also need to add which ports you want to forward, and which protocols (TCP, UDP, ICMP, etc.).

  9. #9
    Untanglit
    Join Date
    Nov 2009
    Posts
    24


    I might have got myself confused with how NAT works, but wouldn't all internet traffic NOT look like it was coming from the router's IP of 192.168.1.1?

    I was assuming that only traffic coming from inside the router itself would seem to occur from 192.168.1.1 as there is no NAT involved for that.


    Edit:

    I want all traffic from the router itself (so internally generated traffic, not web traffic) to go to 192.168.158.100.

    As I've set up the static route in the router to send all traffic for 192.168.158.0/24 to Untangle's external interface, is there a simple way to tell Untangle just to route that to Internal?
    As those addresses are never going to be requested from the web it would be safe to do that right?
    Last edited by Jon_Starr; 12-03-2009 at 10:37 AM.

  10. #10
    Untangle Ninja raditude
    Join Date
    Jan 2009
    Location
    Eugene, OR
    Posts
    1,143


    Nope, here you are double NATing, so if you wanted to, say, forward port 80 from the internet to 192.168.158.100, you would have to set the Cisco up to forward from EXT_IF to INT_IF, then you have to set up UT (since it is in router mode) to forward anything coming from the Cisco INT_IF (IP address) to 192.168.158.100, port 80, and I would nail down which protocols as well (TCP).

    ALL traffic that is coming from your Cisco (from or through) is going to be coming from 192.168.1.1. Unfortunately it is not as easy as you had hoped because of this. You will need to figure out what port the logs will be coming from, and forward just that port (I've seen some listings that some Cisco routers use port UDP 514, but you will want to check yours specifically).
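The rule semantics argued over in #7, #8 and #10 are easier to see with a small model. The following is an added example, not Untangle's code or anything posted in the thread: it models "if all of the following conditions are met" port-forward rules as first-match, any-unset-condition-is-wildcard, and runs the two rules posted in #7 plus the narrow source/destination/protocol/port rule suggested in #8 and #10 against constructed packets as they would arrive on Untangle's external interface. The Cisco inside address 192.168.1.1, the log host 192.168.158.100 and UDP 514 come from the thread; the Untangle external address 192.168.1.2 (the value raditude used in #8), the Internet source 203.0.113.10, and the assumption that the Cisco's inbound port forward is plain destination NAT (destination rewritten, original source address kept) are assumptions of the example.

```python
"""Model of Untangle-style port-forward rule matching under double NAT.

Added illustration, not Untangle's code. Addresses follow the thread:
Cisco inside interface 192.168.1.1, log host 192.168.158.100, UDP 514 for
syslog. The Untangle external address 192.168.1.2 and the Internet source
203.0.113.10 are assumed for the example.
"""
from dataclasses import dataclass, replace
from typing import Optional, Sequence

CISCO_INT_IF = "192.168.1.1"     # Cisco's LAN-side address (from the diagram)
UT_EXT_IF = "192.168.1.2"        # assumed: Untangle external interface address
LOG_HOST = "192.168.158.100"     # internal syslog collector
SYSLOG_PORT = 514


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class ForwardRule:
    """A condition is None when it is not set in the rule (wildcard)."""
    new_dst: str
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # "If all of the following conditions are met": every set field must match.
        return all(
            want is None or want == have
            for want, have in (
                (self.src, pkt.src),
                (self.dst, pkt.dst),
                (self.proto, pkt.proto),
                (self.dport, pkt.dport),
            )
        )


def apply_forwarding(rules: Sequence[ForwardRule], pkt: Packet) -> Packet:
    """First matching rule rewrites the destination; otherwise the packet is
    delivered to the address it arrived with (here: Untangle itself)."""
    for rule in rules:
        if rule.matches(pkt):
            return replace(pkt, dst=rule.new_dst)
    return pkt


# The two rules posted in #7 (the second one drops the destination condition).
POSTED_RULE_1 = ForwardRule(new_dst=LOG_HOST, src=CISCO_INT_IF, dst=LOG_HOST)
POSTED_RULE_2 = ForwardRule(new_dst=LOG_HOST, src=CISCO_INT_IF)
# The shape suggested in #8/#10: source, real destination, protocol and port.
SYSLOG_RULE = ForwardRule(new_dst=LOG_HOST, src=CISCO_INT_IF, dst=UT_EXT_IF,
                          proto="udp", dport=SYSLOG_PORT)

# Constructed sample traffic as it arrives on Untangle's external interface.
SYSLOG_FROM_CISCO = Packet(CISCO_INT_IF, UT_EXT_IF, "udp", SYSLOG_PORT)
SSH_FROM_CISCO = Packet(CISCO_INT_IF, UT_EXT_IF, "tcp", 22)
# Assumed: the Cisco's port forward is plain DNAT, so the source stays 203.0.113.10.
WEB_FROM_INTERNET = Packet("203.0.113.10", UT_EXT_IF, "tcp", 80)


def forwarded_to(rule: ForwardRule, pkt: Packet) -> str:
    """Destination after applying a single rule to one packet."""
    return apply_forwarding([rule], pkt).dst


if __name__ == "__main__":
    for name, rule in (("posted rule 1", POSTED_RULE_1),
                       ("posted rule 2", POSTED_RULE_2),
                       ("narrow syslog rule", SYSLOG_RULE)):
        print(name)
        for pkt in (SYSLOG_FROM_CISCO, SSH_FROM_CISCO, WEB_FROM_INTERNET):
            print(f"  {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}: "
                  f"delivered to {forwarded_to(rule, pkt)}")
```

Running it shows the three outcomes: posted rule 1 never fires, because the destination the packet actually carries is Untangle's own external address, not 192.168.158.100; posted rule 2 fires for everything the router originates, so an SSH or HTTP connection from the router would land on the log host too; the narrow rule forwards only UDP 514 from 192.168.1.1 and leaves both the router's other traffic and forwarded Internet traffic alone. Since syslog over UDP carries no authentication, pinning the forward to the router's source address and the single port is also the least-privilege choice. Real Untangle rule ordering and condition types are not modelled beyond first-match semantics.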

