The best option in this environment is to call your ISP’s tech support and ask them if they can switch off NAT and set the Modem to Bridge Mode so that it will not try to give out Private IP addresses. Explain to them that you are trying to add a hardware firewall and this is the way it’s supposed to work. If they agree to do it, then your Astaro will end up with a Public IP Address on its External Interface and you won’t have to worry about Double NAT-ting at all.
If they refuse to change the settings, you can still get it to work, but you’ll have to do a bit more work.
In order for your network to work in a Double NAT environment, you MUST follow these rules:
Say that you wanted to be able to Remote Desktop to your PC from the Internet.
This is where it can get really confusing in a Double NAT network. First you will have to get into the Cable Modem and Port Forward the RDP Port (3389) to the External Address of the Astaro, which in this setup is the Private IP address the modem handed out. To the Astaro? Yes, because then you have to get into the Astaro and Port Forward the RDP Port AGAIN to the destination PC. You can see how this is done in Part 2. One thing to watch: if the modem gives the Astaro its External Address by DHCP, reserve that address in the modem or set it statically on the Astaro, otherwise the modem's forward points at the wrong address the next time the lease changes.
Adding a Wireless Router to the Network
You want to add wireless to your Network and you have a Wireless Router that you had kicking around. Well, Guess what? That Wireless Router is going to want to add another level of NAT to your Network!
Here, the best option is to not use a Wireless Router at all. If you don’t already have the Wireless, go buy a Wireless Access Point without any Routing. If you already have the Wireless Router, get into the management interface and see if there is a setting for “Access Point Only”. This is common in newer Wireless routers. If this is NOT an option, then you want to make sure that DHCP is NOT enabled in the Wireless Router. You DO NOT want the Wireless giving out its own addresses, you want it to pass along the addresses the Astaro hands out.
The other thing you want to make sure of is that the Wireless is on the INSIDE Network, after the Astaro. Plug one of its LAN ports into your Internal Network and do not plug anything into the WAN Port on the Wireless; you want the Wireless to be an Access Point and NOT do any Routing.
Setting up a DMZ
First, what is a DMZ? A DeMilitarized Zone is a separate Network that is neither Inside nor Outside your Network. How can it be neither? Easy, it’s a 3rd separate Network, with the Astaro sitting between it and both of the others. This is why the Hardware Requirements for the Astaro include 3 NICs.
So, why would you want a DMZ?
If you have a server that you want people to be able to access from the Internet, it is likely that at some point that server will get hacked or “Owned” and become a danger to your Internal Network. Putting it in a DMZ does not stop it from being hacked, but it limits the damage: the Astaro sits between the DMZ and your Internal Network and blocks everything between them except the few rules you add, so your Internal computers won’t be open to easy attack from your OWN SERVER.
Setting up the DMZ on the Astaro
To enable a DMZ on the Astaro, first log in to the management interface. Navigate to Network, Interfaces.
Then select “New Interface . . .”
Give the new Interface a Name.
The Type: should be “Ethernet Standard”
Hardware is any NIC you have remaining on the drop down. If you had 3 NICs there will be only one available in the drop down. If you had more than 3 NICs, you may have more options in the drop down.
The Address: Needs to be a different address range from your Internal and External addresses. I chose 192.168.3.1
The Netmask: can be any Mask you like, depending on how many addresses you think you will need. I left it at 255.255.255.0
All the other settings you can leave at the defaults.
Click “Save” to save your new Interface.
Click the RED light to enable the Interface.
The Next step is enabling a MASQ (masquerading, a form of Source NAT) for the interface. This rewrites the source address of outbound packets from the DMZ to the address of the External Interface, which is what allows the computers on the DMZ Network to access the Internet. Just like the Internal Network, the DMZ is hidden behind the External Address.
Navigate to Network Security, NAT then click on “New masquerading rule . . .”
Here you tell the firewall which Network is to be masqueraded behind which Interface.
For Network: you want to choose the Network Interface you created in the previous step. Mine was called “DMZ”
The Interface: is the Name of the Interface that accesses the Internet. As you see here, Mine is “External (WAN)”
Click the RED Light to enable the MASQ.
Creating a Packet Filter Rule
That Interface now has a path to the Internet, but NO DATA is allowed to pass. So, now we have to go to Network Security, Packet Filter.
Click “New rule . . .” to create a new packet filter rule. Here we set what services the DMZ is allowed to access on the Internet. Let’s assume that you are going to install an e-mail server in the DMZ. An e-mail server will need to be able to access Email messaging services on the Internet, so we’ll create a rule that allows those services. (Notice the Rule that I have that says Internal (Network) → ANY → ANY. That is a No No, you should never have a rule with more than ONE ANY in the definition, I’ll fix that. I’m not sure why it’s there.)
You can set Groups of rules that should stay together. We don’t have many rules, so it’s not really necessary.
Packet Filter Rules are tested in order from Top to Bottom, and the first rule that matches decides what happens to the packet. That means position changes what the firewall does, not just how fast it does it: a broad Allow placed above a more specific Deny or Drop means the Deny or Drop is never reached. Only reorder rules that don’t overlap. Within that limit, position matters for performance once you have many rules, and you may find if you are adding many servers and services that you have lots of them. In that case, move rules that will match most often to the top of the list. Things like HTTP that are probably most of your internet traffic should be near the top so the firewall doesn’t have to go through the entire list before it finds a match. Services that you use only occasionally can go to the bottom of the list.
The Source: will be the “DMZ (Network)” that we created earlier. This is where the traffic will come FROM. We are SENDING mail from here.
The Service: is the “Email Messaging” group of services. If you were to look in this group you would find SMTP, POP3, IMAP . . . If all the server does is send mail, a tighter rule would allow SMTP only. Either way, expect to allow DNS out of the DMZ as well, since the mail server has to look up the MX records of the domains it sends to.
The Destination: in this case is ANY. That means ANY host on the Internet. If you are using your ISPs mail server or another service like Postini you could set a Host address instead ofANY.
The Action: is Allow. We are ALLOWING the traffic through. Other options are Deny and Drop. The difference between Deny and Drop is important. Deny rejects the packet and sends a message back to the originating host (an ICMP unreachable or a TCP reset) saying that it was refused, so the connection fails immediately. Drop silently discards the packet without telling the sender anything, so the connection just times out. Deny is friendlier for your own users on the Internal Network; Drop is the usual choice for traffic from the Internet, since it gives a scanner nothing to work with.
Click Save to save your new Packet Filter Rule.
Click the RED light to enable the rule.
Adding a Host Server to the DMZ
Now that we are allowing mail out of our network, we need to let it in. To do this we’ll have to create a Host Definition and NAT rule.
Navigate to Network Security, NAT. Then click the DNAT/SNAT tab.
Click “New NAT rule . . .”
Give your NAT rule a descriptive Name:
Group and Position: work the same way they do in Packet Filters. Move the more often used to the top of the list.
Our Traffic Source: is Any, so we can receive mail from anywhere on the Internet
Traffic Service: is our Email Messaging group again.
The Traffic Destination: is the address the Internet will connect to, which is the Interface that carries the public address of our mail server. In most cases it will just be the External (WAN) address. In a Double NAT setup this is the Astaro’s External Address, and the Cable Modem also has to forward the same ports to it, exactly as described for RDP above.
The NAT Mode: is DNAT (Destination)
Next we need to add the Destination Host
Click the GREEN Plus Sign next to the Destination box. This brings up the Add Network Definition box.
Give your Host a Name: I just called it “Mail Server”
The Type: will remain Host.
Enter the IP Address that you will give your mail server. I chose 192.168.3.2
Select the DMZ Interface:
Comment is optional.
Click Save to save the host you just created.
This will bring you back to the DNAT screen. Complete filling out the fields by clicking the “Automatic packet filter rule:” check box. This does what it says and creates a packet filter rule that allows exactly the traffic you defined in the NAT Rule: Any → Email Messaging → Mail Server. Note that this opens POP3 and IMAP to the Internet as well as SMTP. If only mail delivery has to come in from outside, use a NAT rule for SMTP alone; POP3 and IMAP without TLS carry passwords in the clear.
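As an added example that is not part of the original tutorial, the following Python models the two NAT hops of the Double NAT case from the start of this page, the DNAT just configured, and the requirement from the DMZ interface step that the address ranges must not overlap. Everything in it is constructed: 203.0.113.10 stands in for the modem’s public address, 192.168.0.0/24 for the modem’s LAN (where the Astaro’s External interface gets 192.168.0.2), 192.168.1.0/24 for the Internal network with a PC at 192.168.1.50, and 192.168.3.2 for the mail server in the DMZ as chosen above. The class and function names are mine, not anything in the Astaro.

```python
"""Inbound path through Double NAT (added example, not from the tutorial).
All addresses are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    """A port-forward (DNAT) entry: traffic to dst_ip:port is sent on to target_ip:target_port."""
    dst_ip: str
    port: int
    target_ip: str
    target_port: int


@dataclass(frozen=True)
class NatHop:
    """A NAT device: the address the outside world sees and the forwards configured on it."""
    name: str
    outside_ip: str
    forwards: tuple

    def translate(self, dst_ip, port):
        for f in self.forwards:
            if (f.dst_ip, f.port) == (dst_ip, port):
                return f.target_ip, f.target_port
        return None


def trace_inbound(hops, public_ip, port):
    """Follow a packet for public_ip:port through the hops, outermost first.

    Returns (final_ip, final_port, path).  Raises ValueError naming the hop
    where the packet dies: either it was not addressed to that hop (the
    previous hop forwarded to something else) or the hop has no forward.
    """
    dst_ip, dst_port, path = public_ip, port, []
    for hop in hops:
        if dst_ip != hop.outside_ip:
            raise ValueError(f"{hop.name}: packet is addressed to {dst_ip}, "
                             f"not to this device ({hop.outside_ip})")
        hit = hop.translate(dst_ip, dst_port)
        if hit is None:
            raise ValueError(f"{hop.name}: no forward for {dst_ip}:{dst_port}")
        dst_ip, dst_port = hit
        path.append((hop.name, dst_ip, dst_port))
    return dst_ip, dst_port, path


def inbound_target(hops, public_ip, port):
    """Final (ip, port) a connection lands on, or None if some hop drops it."""
    try:
        return trace_inbound(hops, public_ip, port)[:2]
    except ValueError:
        return None


def overlapping_ranges(nets):
    """Pairs of names whose address ranges overlap; must be empty for routing to work."""
    items = [(n, ipaddress.ip_network(c, strict=False)) for n, c in nets.items()]
    return [(a, b) for i, (a, na) in enumerate(items)
            for b, nb in items[i + 1:] if na.overlaps(nb)]


PUBLIC_IP = "203.0.113.10"        # constructed: the modem's public address
ASTARO_EXTERNAL = "192.168.0.2"   # constructed: private address the modem hands the Astaro

# Modem left in router mode: two NAT hops, so every inbound port has to be
# forwarded twice, first to the Astaro and then by the Astaro to the server.
MODEM = NatHop("cable modem", PUBLIC_IP, (
    Forward(PUBLIC_IP, 25, ASTARO_EXTERNAL, 25),          # SMTP to the Astaro
    Forward(PUBLIC_IP, 3389, ASTARO_EXTERNAL, 3389),      # RDP to the Astaro
))
ASTARO = NatHop("Astaro", ASTARO_EXTERNAL, (
    Forward(ASTARO_EXTERNAL, 25, "192.168.3.2", 25),       # SMTP to the mail server in the DMZ
    Forward(ASTARO_EXTERNAL, 3389, "192.168.1.50", 3389),  # RDP to a PC on the Internal network
))
DOUBLE_NAT = (MODEM, ASTARO)

# The mistake the text warns against: forwarding from the modem straight to
# the PC instead of to the Astaro.  The PC is not on the modem's LAN, the
# Astaro is never addressed, and the trace stops at the second hop.
WRONG_MODEM = NatHop("cable modem", PUBLIC_IP, (
    Forward(PUBLIC_IP, 3389, "192.168.1.50", 3389),
))

# Modem in bridge mode: one hop, the Astaro's External interface holds the
# public address and the same DNAT rule is all that is needed.
BRIDGED = (NatHop("Astaro", PUBLIC_IP, (
    Forward(PUBLIC_IP, 25, "192.168.3.2", 25),
)),)


if __name__ == "__main__":
    print(trace_inbound(DOUBLE_NAT, PUBLIC_IP, 25))
    print(trace_inbound(DOUBLE_NAT, PUBLIC_IP, 3389))
    print(inbound_target((WRONG_MODEM, ASTARO), PUBLIC_IP, 3389))   # None
    print(trace_inbound(BRIDGED, PUBLIC_IP, 25))
    print(overlapping_ranges({"modem LAN": "192.168.1.0/24",
                              "Internal": "192.168.1.0/24",
                              "DMZ": "192.168.3.0/24"}))            # the classic clash
```

Running it shows the SMTP packet crossing both hops to 192.168.3.2, the same Astaro rule doing the whole job once the modem is bridged, the RDP path dying when the modem is pointed straight at the PC, and the Internal/modem-LAN clash flagged before it turns into a routing mystery.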
Congratulations! You now have a working Email server in your DMZ. It is separated from your Internal Network, and the only thing the Internet can reach on it is the mail services you forwarded.
Accessing Servers that are in your DMZ from your Internal Network
Now that we have your Mail Server in the DMZ, it might be nice to actually be able to manage it. The easiest way to do it is with RDP (Remote Desktop Protocol). But, we have all traffic blocked between our Internal Network and the DMZ. So, we need to create a packet filter rule that will allow RDP from our Internal Network to the DMZ.
Navigate to Network Security, Packet Filter.
We don’t need a Group here.
Since we don’t have many rules and we shouldn’t be using this rule often, we can leave the Position: at the Bottom
Our Source: is the Internal (Network) since we may want to manage this server from any computer on your Internal Network. You could set this to a Single Host if you wanted to.
The Service: is Microsoft Remote Desktop
And the Destination: is DMZ (Network) Again you could set this to just a single IP address (Host) but we may add other servers and it will be easier to have a rule that allows the entire network rather than creating a rule for every machine you may add.
Action: is Allow
Click the RED Light to enable the rule.
You now have RDP access to any machine on the DMZ network from the Internal Network, and ONLY from the Internal Network. Nothing else has changed: the DMZ still cannot open connections to the Internal Network, and the Internet still only reaches the ports you forwarded. If you only ever manage the server from one machine, narrow the Source to that Host; the fewer Internal machines that can talk to the DMZ, the less an “Owned” server has to work with.
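To make the top-to-bottom behaviour of the Packet Filter concrete, here is an added example (my code, not the Astaro’s and not from the original tutorial) that evaluates rules the way the text describes: first match wins and anything unmatched is dropped. It loads the three rules built on this page (DMZ → Email Messaging → Any, the automatic Any → Email Messaging → Mail Server rule from the DNAT, and Internal → Microsoft Remote Desktop → DMZ), checks what a compromised mail server could reach, and flags the two ordering mistakes discussed above: a rule with more than one ANY, and a rule that sits below a broader one and can therefore never match. The addresses behind the network names are assumptions (Internal 192.168.1.0/24, DMZ 192.168.3.0/24, mail server 192.168.3.2, an outside host at 198.51.100.7), and the Email Messaging group is reduced to SMTP, POP3 and IMAP.

```python
"""First-match packet filter model (added example, not the Astaro's code).
Network and service names follow the tutorial; the address ranges behind them
are assumptions for this example."""
import ipaddress
from dataclasses import dataclass

NETWORKS = {                              # name -> CIDR (assumed)
    "Internal (Network)": "192.168.1.0/24",
    "DMZ (Network)": "192.168.3.0/24",
    "Mail Server": "192.168.3.2/32",
    "Any": "0.0.0.0/0",
}
SERVICES = {                              # name -> set of (proto, port); "Any" matches all
    "Email Messaging": {("tcp", 25), ("tcp", 110), ("tcp", 143)},
    "Microsoft Remote Desktop": {("tcp", 3389)},
    "HTTP": {("tcp", 80)},
}


def _net(name):
    return ipaddress.ip_network(NETWORKS[name])


@dataclass(frozen=True)
class Rule:
    source: str
    service: str
    destination: str
    action: str                            # "Allow", "Deny" or "Drop"

    def matches(self, src_ip, dst_ip, proto, port):
        return (ipaddress.ip_address(src_ip) in _net(self.source)
                and ipaddress.ip_address(dst_ip) in _net(self.destination)
                and (self.service == "Any" or (proto, port) in SERVICES[self.service]))


def evaluate(rules, src_ip, dst_ip, proto, port):
    """Walk the list top to bottom; the first matching rule decides.
    With no match the packet is dropped, the firewall's default."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, port):
            return rule.action
    return "Drop"


def _covers(broad, narrow):
    """True if every packet that matches `narrow` also matches `broad`."""
    nets = (_net(narrow.source).subnet_of(_net(broad.source))
            and _net(narrow.destination).subnet_of(_net(broad.destination)))
    svc = broad.service == "Any" or (
        narrow.service != "Any" and SERVICES[narrow.service] <= SERVICES[broad.service])
    return nets and svc


def shadowed_rules(rules):
    """Pairs (i, j): rule i can never match because rule j above it covers it."""
    return [(i, j) for i, r in enumerate(rules) for j in range(i) if _covers(rules[j], r)]


def over_broad(rules):
    """Indexes of rules with more than one Any, the 'No No' the text mentions."""
    return [i for i, r in enumerate(rules)
            if sum(f == "Any" for f in (r.source, r.service, r.destination)) > 1]


# The three rules built on this page, in the order they were created.
RULES = [
    Rule("DMZ (Network)", "Email Messaging", "Any", "Allow"),          # mail out of the DMZ
    Rule("Any", "Email Messaging", "Mail Server", "Allow"),            # automatic rule from the DNAT
    Rule("Internal (Network)", "Microsoft Remote Desktop", "DMZ (Network)", "Allow"),
]

# A broad Allow above a narrower Drop: the Drop is dead, and the ruleset allows
# what the administrator believed was blocked.  Swap the two and it works.
MISORDERED = [
    Rule("Internal (Network)", "Microsoft Remote Desktop", "DMZ (Network)", "Allow"),
    Rule("Internal (Network)", "Microsoft Remote Desktop", "Mail Server", "Drop"),
]


if __name__ == "__main__":
    inside, mail, outside = "192.168.1.20", "192.168.3.2", "198.51.100.7"
    print("Internal -> mail server RDP:", evaluate(RULES, inside, mail, "tcp", 3389))    # Allow
    print("mail server -> Internal RDP:", evaluate(RULES, mail, inside, "tcp", 3389))    # Drop
    print("Internet -> mail server SMTP:", evaluate(RULES, outside, mail, "tcp", 25))    # Allow
    print("mail server -> Internet HTTP:", evaluate(RULES, mail, outside, "tcp", 80))    # Drop
    print("shadowed in MISORDERED:", shadowed_rules(MISORDERED))                         # [(1, 0)]
    print("over-broad:", over_broad([Rule("Internal (Network)", "Any", "Any", "Allow")]))  # [0]
```

The shadow check is the one to run before moving rules around for speed: two rules can trade places safely only if neither covers the other, and a rule that `shadowed_rules` reports is doing nothing at all, whatever its Action says.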