  1. #1
     Newbie (joined Aug 2011, 3 posts)

     static ip passthrough?

    So, very basic question here, and it may have already been asked; I found several similar but nothing exact.

    Can someone explain this to me like I'm 5 years old?

    I would like to use Untangle for:
    web filter
    captive portal
    intrusion prevention
    and some reporting

    I have a pool of public static IP addresses;

    let's say they are

    1.1.1.1 through 1.1.1.5

    I have a 192.168.10.0/24 internal network.

    I have a server running MS Server 2016.
    I am using this for AD, roaming profiles, etc.

    I have an Untangle box with 4 Ethernet ports:

    eth0 - WAN
    eth1 - 192.168.10.0/24
    eth2 - DMZ?

    what I would like as an end result is for all of my internal machines to be able to access the server for domain, GP, AD, etc.

    I would like to be able to remotely access the server from offsite with remote desktop.

    Should I do DNS and DHCP from my server or Untangle, or neither, or both, and how?

    How do I allow internal and external access to the server?

    How do I allow remote desktop access to several machines on my LAN? Do I use public IPs for these also?

    Sorry for the limited understanding, but thank you in advance for your help.

  2. #2
     jcoehoorn, Untangle Ninja (joined Mar 2010, York, NE, 1,581 posts)

    If you're using AD, you should let the AD server do DHCP/DNS.

    To allow external access to the server, you need a Port Forward Rule. Set the rule for traffic on (for example) 1.1.1.2 and port 3389, and forward it to the internal address of your AD Server. Be very careful doing this. It's a HUGE security issue. Professionals don't allow direct remote desktop access to servers without some kind of additional security check.

    For remote desktop access to other machines, you need to know the internal IP address of those machines. You can accomplish this via DHCP reservations at your AD server. Then you can set up Port Forward rules for each of those. You can use non-standard port numbers, where the rule has the ability in advanced options to set a new port number (like 3389) for the destination. In this way, you can access all your internal machines via one IP, where each machine has a different port number assigned to it.

    Personally, I would prefer to double-layer my RDP sessions. Only expose one machine to the public internet. If I need to access a different machine, I remote the public machine first, and then remote again from there to the internal machine I need. This limits my security exposure, and also allows me to use DNS names for the 2nd level RDP session, without the need for DHCP reservations.
    Last edited by jcoehoorn; 06-11-2018 at 10:20 AM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 14.0 to protect 700Mbits for ~400 residential college students and associated staff and faculty

  3. #3
     Untangler (joined Oct 2013, 65 posts)

    ^That, and use VPN for external users to access internal resources as well as for RDP'ing into any internal computer. No need to statically NAT any internal computer to a static external IP address unless it needs to be published publicly (i.e. email server, company web server, etc.).

  4. #4
     Newbie (joined Aug 2011, 3 posts)

    Quote, originally posted by jcoehoorn:
        If you're using AD, you should let the AD server do DHCP/DNS.

        To allow external access to the server, you need a Port Forward Rule. Set the rule for traffic on (for example) 1.1.1.2 and port 3389, and forward it to the internal address of your AD Server. Be very careful doing this. It's a HUGE security issue. Professionals don't allow direct remote desktop access to servers without some kind of additional security check.

    Thank you, this is starting to make sense.

    For a second layer, is OpenVPN sufficient?

    The server is a web server, so I think it needs to have direct outside access.

    In your scenario, is the server on the LAN with the 1.1.1.2 assigned? Or DMZ? Does the server have multiple IP addresses? Local and public?

  5. #5
     jcoehoorn, Untangle Ninja (joined Mar 2010, York, NE, 1,581 posts)

    Yes, OpenVPN is enough for that layer of security.

    For the web server, it does not need direct outside access. You do need Port Forward rules in Untangle for ports 80 and 443.

    The server will need a static internal address on your network in the 192.168.10.0/24 range. The only difference for any other computer or device is the address is static. You also choose one of the external addresses, and set Untangle to forward incoming traffic on ports 80 and 443 for that address to the internal address you reserved. Finally, if you have a domain name, you need public DNS service for the domain, where you can create a DNS record that points the domain to the public address you used with the port forward rules.

    Now, when someone puts your web site URL in their browser, the browser will do a DNS lookup that returns your IP address. Your ISP has already done the work so traffic targeting this IP address is routed to your local network. You put Untangle as the first device in that network (the gateway), so it will receive the traffic. The Port Forward rules in Untangle will then forward the request to your web server. Finally, your web server's response to the browser will run the same path in reverse and the user will see your web page in their browser.

    As for a DMZ... Yes, that would be better. But it's not necessary for things to function, and it will require additional setup and possibly equipment you don't have yet. Your first time, get things working like this first, then we can talk about adding a VLAN to use as a DMZ.
    Last edited by jcoehoorn; 06-12-2018 at 10:16 AM.
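The rules jcoehoorn lays out in posts #2 and #5 (one public address forwarding 80/443 to the web server, a second public address with distinct external ports that all land on 3389 inside) are easy to get wrong by hand, so here is a small model of them you can run before typing anything into the firewall. This is an added example, not code from the thread or from Untangle itself; the `PortForward` class, the `RULES` table and every address in it are constructed sample data, and `lint` approximates the checks a config review would make (shadowed rules, targets outside the LAN, and direct RDP exposure, which the thread says to replace with VPN or a single jump host).

```python
"""Added example (not from the thread or from Untangle): a model of the
port-forward rules described in posts #2 and #5, so the mapping from public
address:port to internal host:port can be checked before it is typed into the
firewall. All addresses and rules below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

RDP_PORT = 3389
LAN = IPv4Network("192.168.10.0/24")   # internal network from the thread


@dataclass(frozen=True)
class PortForward:
    """One rule: traffic arriving at external_ip:external_port is rewritten
    to internal_ip:internal_port (hypothetical model of a forward rule)."""
    external_ip: str
    external_port: int
    internal_ip: str
    internal_port: int
    proto: str = "tcp"


# Constructed rule set mirroring the thread: the web server published on one
# public address (ports 80/443), and two LAN machines reachable for RDP through
# a second public address using distinct external ports that both land on 3389.
RULES = [
    PortForward("1.1.1.2", 80, "192.168.10.10", 80),
    PortForward("1.1.1.2", 443, "192.168.10.10", 443),
    PortForward("1.1.1.3", 33891, "192.168.10.21", RDP_PORT),
    PortForward("1.1.1.3", 33892, "192.168.10.22", RDP_PORT),
]


def translate(rules, dst_ip, dst_port, proto="tcp"):
    """Resolve an inbound packet's public destination to the internal target.
    First matching rule wins (rules are evaluated top to bottom); None means
    no rule matched and the packet is not forwarded."""
    for r in rules:
        if (r.proto, r.external_ip, r.external_port) == (proto, dst_ip, dst_port):
            return (r.internal_ip, r.internal_port)
    return None


def find_collisions(rules):
    """Pairs of rules that claim the same proto/external ip:port; the later
    rule of each pair can never match and is almost certainly a mistake."""
    first_seen = {}
    collisions = []
    for r in rules:
        key = (r.proto, r.external_ip, r.external_port)
        if key in first_seen:
            collisions.append((first_seen[key], r))
        else:
            first_seen[key] = r
    return collisions


def rdp_exposures(rules, lan=LAN):
    """Rules that give the public internet a direct path to RDP on a LAN host.
    Using a different external port (33891 instead of 3389) hides nothing from
    a port scan; the thread's advice is VPN or a single exposed jump host."""
    return [r for r in rules
            if r.internal_port == RDP_PORT and IPv4Address(r.internal_ip) in lan]


def lint(rules, lan=LAN):
    """All findings as human-readable strings, the way a config review lists them."""
    findings = []
    for r in rules:
        if not (1 <= r.external_port <= 65535 and 1 <= r.internal_port <= 65535):
            findings.append(f"bad port in rule {r}")
        if IPv4Address(r.internal_ip) not in lan:
            findings.append(f"{r.internal_ip} is not inside {lan}")
    for a, b in find_collisions(rules):
        findings.append(f"rule {b} is shadowed by {a}")
    for r in rdp_exposures(rules, lan):
        findings.append(f"RDP on {r.internal_ip} exposed via {r.external_ip}:{r.external_port}")
    return findings


if __name__ == "__main__":
    print(translate(RULES, "1.1.1.3", 33892))   # ('192.168.10.22', 3389)
    for f in lint(RULES):
        print("finding:", f)
```

Run as-is it resolves the second RDP mapping and prints two findings, one per directly exposed RDP target; the web-server rules produce no finding because 80/443 is exactly what post #5 says to publish.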

  6. #6
     Newbie (joined Aug 2011, 3 posts)

    Thank you guys very much. Let me put this into effect and see where I end up.

  7. #7
     jcoehoorn, Untangle Ninja (joined Mar 2010, York, NE, 1,581 posts)

    Quote, originally posted by jcoehoorn:
        The only difference for any other computer or device is the address is static.
    Forgot to add, "and chosen so the DHCP server won't ever hand it out to a different machine and create a conflict."
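The point added in post #7 (a static address has to sit outside the range the DHCP server leases, or it will eventually be handed to another machine) is the kind of thing worth checking mechanically once there are reservations for the RDP targets from post #2 plus hand-configured servers. The script below is an added example, not from the thread; the scope, pool bounds, MAC addresses and host names are constructed, and the audit approximates what an exclusion range on the Windows DHCP server would enforce. A reservation inside the pool is treated as fine, since the DHCP server itself owns that address; a static host inside the pool is the conflict the post warns about.

```python
"""Added example (not from the thread): a check for the point in post #7, that
a server's static address must sit outside the range the DHCP server hands out.
Scope, pool, reservations and hosts below are constructed sample data."""
from ipaddress import IPv4Address, IPv4Network

LAN = IPv4Network("192.168.10.0/24")

# Constructed scope: the AD/DHCP server leases .100-.199 dynamically.
POOL = (IPv4Address("192.168.10.100"), IPv4Address("192.168.10.199"))

# Constructed DHCP reservations (MAC -> fixed address) for the RDP targets,
# as post #2 suggests, and hand-configured static hosts.
RESERVATIONS = {
    "00:11:22:33:44:21": "192.168.10.21",
    "00:11:22:33:44:22": "192.168.10.22",
}
STATIC_HOSTS = {
    "webserver": "192.168.10.10",
    "ad-dc": "192.168.10.5",
    "printer": "192.168.10.150",   # deliberately inside the pool: will collide one day
}


def in_pool(ip, pool=POOL):
    """True if ip lies in the dynamically leased range (inclusive)."""
    lo, hi = pool
    return lo <= IPv4Address(ip) <= hi


def audit(lan=LAN, pool=POOL, reservations=RESERVATIONS, static_hosts=STATIC_HOSTS):
    """Return a list of (severity, message) findings. An empty list means no
    static or reserved address can be leased to a different machine."""
    findings = []
    lo, hi = pool
    if lo not in lan or hi not in lan or lo > hi:
        findings.append(("error", f"DHCP pool {lo}-{hi} is not a valid range inside {lan}"))

    owners = {}   # address -> who claims it (static host name or reservation MAC)
    for name, ip in static_hosts.items():
        owners.setdefault(ip, []).append(f"static:{name}")
    for mac, ip in reservations.items():
        owners.setdefault(ip, []).append(f"reservation:{mac}")

    for ip, claimants in owners.items():
        addr = IPv4Address(ip)
        if addr not in lan:
            findings.append(("error", f"{ip} ({', '.join(claimants)}) is outside {lan}"))
            continue
        if addr == lan.network_address or addr == lan.broadcast_address:
            findings.append(("error", f"{ip} is the network or broadcast address"))
        if len(claimants) > 1:
            findings.append(("error", f"{ip} claimed twice: {', '.join(claimants)}"))
        # A static host inside the pool is the conflict post #7 warns about.
        # A reservation inside the pool is fine: the DHCP server itself owns it.
        if in_pool(ip, pool) and any(c.startswith("static:") for c in claimants):
            findings.append(("warn", f"{ip} is statically configured but inside the DHCP pool {lo}-{hi}"))
    return findings


if __name__ == "__main__":
    for severity, msg in audit():
        print(severity, msg)
```

With the constructed data the only finding is the printer at .150, which sits inside the .100-.199 pool without a reservation; move it below .100 or add a reservation for its MAC and the audit comes back empty.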
