Building an Astaro personal firewall with spare or low end parts - Part 3

Posted By: Pete Stagman on 3/22/2009

 

 Follow Pete on Twitter! http://twitter.com/tyrstag


 

Double NAT

In most cases, your ISP gave you a modem or router that sits between the Internet and your home network, and chances are good that your modem/router (I’m just going to call it a modem from now on) is doing NAT. So you have a public IP Address on the outside of the modem and a private address on the inside. If you then add your Astaro firewall into the mix with NAT enabled, you are adding a second level of NAT, as the Astaro will take that private IP address and change it to a different private IP address.

The best option in this environment is to call your ISP’s tech support and ask them if they can switch off NAT and set the Modem to Bridge Mode so that it will not try to give out Private IP addresses. Explain to them that you are trying to add a hardware firewall and this is the way it’s supposed to work. If they agree to do it, then your Astaro will end up with a Public IP Address on its External Interface and you won’t have to worry about Double NAT-ting at all.
If they refuse to change the settings, you can still get it to work, but you’ll have to do a bit more work.
 
Accessing the Internet in a Double NAT

In order for your PC to access the Internet, its traffic has to be translated twice on the way out, which means the DHCP settings that the router and the Astaro give out need to be correct. The gateway that the Astaro hands out along with the IP address should be the Internal IP Address of the Astaro. The External Address of the Astaro should be an address given to it by the router, with the Internal IP Address of the router as its gateway.

In order for your network to work in a Double NAT environment, you MUST follow these rules:
- The IP subnets of the Modem-to-Astaro and the Astaro-to-PC links MUST be different, e.g. Modem-to-Astaro 192.168.1.x, Astaro-to-PC 192.168.2.x (you don’t have to use these exact subnets, any Private Address ranges will work).
- The External gateway on the Astaro must be set as the Internal Address of the Modem.
- The gateway of the PC must be set to the Internal IP Address of the Astaro.
- If you are going to remote access your Network, the External Address of the Astaro must be static, and any machine you plan on accessing from the Internet must also be set static.
 
Accessing your network remotely from the Internet
Say that you wanted to be able to Remote Desktop to your PC from the Internet.

This is where it can get really confusing in a Double NAT network. First you will have to get into the Cable Modem and Port Forward the RDP Port(3389) to the External Address of the Astaro. To the Astaro? Yes, because then you have to get into the Astaro and Port Forward the RDP Port AGAIN to the destination PC. You can see how this is done in Part 2.
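The addressing rules above and the two-hop RDP forward can be checked mechanically. The following is an added example, not code from the original post; the addresses are constructed sample values in the 192.168.x.x ranges the post uses, and 203.0.113.5 stands in for any public source address.

```python
# Added example (not from the original post): validate a double-NAT addressing
# plan against the rules above and trace the two-hop RDP port forward.
# All addresses are constructed sample values.
from ipaddress import ip_address, ip_interface

# Constructed topology: modem LAN side -> Astaro external; Astaro internal -> PC.
PLAN = {
    "modem_internal": "192.168.1.1/24",    # modem's private side
    "astaro_external": "192.168.1.2/24",   # static, inside the modem's subnet
    "astaro_external_gw": "192.168.1.1",   # must be the modem's internal address
    "astaro_internal": "192.168.2.1/24",
    "pc": "192.168.2.10/24",               # static, since it is reached from outside
    "pc_gw": "192.168.2.1",                # must be the Astaro's internal address
}

def check_plan(plan):
    """Return a list of violations of the double-NAT rules (empty list = OK)."""
    problems = []
    modem = ip_interface(plan["modem_internal"])
    ast_ext = ip_interface(plan["astaro_external"])
    ast_int = ip_interface(plan["astaro_internal"])
    pc = ip_interface(plan["pc"])
    # Rule 1: modem-to-Astaro and Astaro-to-PC subnets must differ.
    if ast_ext.network.overlaps(ast_int.network):
        problems.append("modem-to-Astaro and Astaro-to-PC subnets overlap")
    # Rule 2: Astaro's external gateway must be the modem's internal address.
    if ip_address(plan["astaro_external_gw"]) != modem.ip:
        problems.append("Astaro external gateway is not the modem's internal address")
    if ast_ext.ip not in modem.network:
        problems.append("Astaro external address is not in the modem's subnet")
    # Rule 3: the PC's gateway must be the Astaro's internal address.
    if ip_address(plan["pc_gw"]) != ast_int.ip:
        problems.append("PC gateway is not the Astaro's internal address")
    if pc.ip not in ast_int.network:
        problems.append("PC address is not in the Astaro's internal subnet")
    for name in ("modem_internal", "astaro_external", "astaro_internal", "pc"):
        if not ip_interface(plan[name]).ip.is_private:
            problems.append(f"{name} is not a private (RFC 1918) address")
    return problems

def trace_dnat(plan, public_src, port=3389):
    """Follow an inbound packet through both port forwards: modem, then Astaro."""
    hops = [(public_src, port)]
    modem_fwd = {3389: (plan["astaro_external"].split("/")[0], 3389)}  # modem rule
    astaro_fwd = {3389: (plan["pc"].split("/")[0], 3389)}              # Astaro rule
    for table in (modem_fwd, astaro_fwd):
        dst = table.get(hops[-1][1])
        if dst is None:
            break  # no forward at this hop: the packet stops here
        hops.append(dst)
    return hops
```

A port with no forward at the modem (e.g. 22) never reaches the Astaro at all, which is why both forwards are required.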

Adding a Wireless Router to the Network
You want to add wireless to your Network and you have a Wireless Router that you had kicking around. Well, Guess what? That Wireless Router is going to want to add another level of NAT to your Network!
Here, the best option is to not use a Wireless Router at all, if you don’t already have the Wireless, go buy a Wireless Access Point without any Routing. If you already have the Wireless Router, get into the management interface and see if there is a setting for “Access Point Only”. This is common in newer Wireless routers. If this is NOT an option, then you want to make sure that DHCP is NOT enabled in the Wireless Router. You DO NOT want the Wireless giving out its own addresses, you want it to get the addresses from the Astaro and pass those out.
The other thing you want to make sure of is that the Wireless is on the INSIDE Network, after the Astaro. Do not plug anything into the WAN Port on the Wireless, you want the Wireless to be an Access Point and NOT do any Routing.

Setting up a DMZ

First, what is a DMZ? A DeMilitarized Zone is a separate Network that is neither inside nor outside your Network. How can it be neither? Easy, it’s a third, separate Network. This is why the Hardware Requirements for the Astaro include 3 NICs.

So, why would you want a DMZ?
If you have a server that you want people to be able to access from the Internet, it is likely that at some point that server will get hacked or “Owned” and may become a danger to your Internal Network. A DMZ puts another layer of security between that “Owned” server and your Internal computers, so they won’t be susceptible to easy attack from your OWN SERVER.
 
Setting up the DMZ on the Astaro
To enable a DMZ on the Astaro, first log in to the management interface. Navigate to Network, Interfaces.

Then select “New Interface . . .”
Give the new Interface a Name.
The Type: should be “Ethernet Standard”
Hardware is any NIC you have remaining on the drop down. If you had 3 NICs there will be only one available in the drop down. If you had more than 3 NICs, you may have more options in the drop down.
The Address: Needs to be a different address range from your Internal and External addresses. I chose 192.168.3.1
The Netmask: can be any Mask you like, depending on how many addresses you think you will need. I left it at 255.255.255.0
All the other settings you can leave at the defaults.

Click “Save” to save your new Interface.

Click the RED light to enable the Interface.
The Next step is enabling a MASQ for the interface. This allows the computers on the DMZ Network to access the Internet.
Navigate to Network Security, NAT then click on “New masquerading rule . . .”

 

 Here you tell the firewall what Network you are allowing Access to what Interface.

For Network: you want to choose the Network Interface you created in the previous step. Mine was called “DMZ”
The Interface: is the Name of the Interface that accesses the Internet. As you see here, Mine is “External (WAN)”
Click “Save”

 Click the RED Light to enable the MASQ.

Creating a Packet Filter Rule
That Interface now has a path to the Internet, but NO DATA is allowed to pass. So, now we have to go to Network Security, Packet Filter.
Click “New rule . . .” to create a new packet filter rule. Here we set what services the DMZ is allowed to access on the Internet. Let’s assume that you are going to install an e-mail server in the DMZ. An e-mail server will need to be able to access Email messaging services on the Internet, so we’ll create a rule that allows those services. (Notice the rule that I have that says Internal Network → ANY → ANY. That is a no-no, you should never have a rule with more than ONE ANY in the definition, I’ll fix that. I’m not sure why it’s there.)
You can set Groups of rules that should stay together. We don’t have many rules, so it’s not really necessary.
Packet Filter Rules are tested in order from Top to Bottom. The Rule Position would be important if we had many rules, you may find if you are adding many servers and services that you have lots of rules. In that case, you want to move rules that will be run more often to the top of the list. Things like HTTP that are probably most of your internet traffic should be at the top so the firewall doesn’t have to go through the entire list of rules before it finds a match. Services that you use only occasionally should go to the bottom of the list.
The Source: will be the “DMZ (Network)” that we created earlier. This is where the traffic will come FROM. We are SENDING mail from here.
The Service: is the “Email Messaging” group of services. If you were to look in this group you would find SMTP, POP3, IMAP . . .
The Destination: in this case is ANY. That means ANY host on the Internet. If you are using your ISP’s mail server or another service like Postini, you could set a Host address instead of ANY.
The Action: is Allow. We are ALLOWING the traffic through. Other options are Deny and Drop. The difference between Deny and Drop is important. Deny sends a message back to the originating host saying that it was denied; Drop silently discards the packet without sending any message.
Click Save to save your new Packet Filter Rule.

Click the RED light to enable the rule.

Adding a Host Server to the DMZ
Now that we are allowing mail out of our network, we need to let it in. To do this we’ll have to create a Host Definition and NAT rule.
Navigate to Network Security, NAT. Then click the DNAT/SNAT tab.
Click “New NAT rule . . .”
Give your NAT rule a descriptive Name:
Group and Position: work the same way they do in Packet Filters. Move the more often used to the top of the list.
Our Traffic Source: is Any, so we can receive mail from anywhere on the Internet
Traffic Service: is our Email Messaging group again.
The Traffic Destination: is the Interface that has the Public IP Address of our mail server. In most cases it will just be the External (WAN).
The NAT mode: is DNAT (Destination)

Next we need to add the Destination Host
Click the GREEN Plus Sign next to the Destination box. This brings up the Add Network Definition box.
Give your Host a Name: I just called it “Mail Server”
The Type: will remain Host.
Enter the IP Address that you will give your mail server. I chose 192.168.3.2
Select the DMZ Interface:
Comment is optional.
Click Save to save the host you just created.

This will bring you back to the DNAT screen. Complete filling out the fields by clicking the “Automatic packet filter rule:” check box. This does what it says and creates a packet filter that will allow the traffic you defined in the NAT Rule.

Congratulations! You now have a working Email server in your DMZ that is separated from both your internal network and the Internet.

Accessing Servers that are in your DMZ from your Internal Network
Now that we have your Mail Server in the DMZ, it might be nice to actually be able to manage it. The easiest way to do it is with RDP (Remote Desktop Protocol). But, we have all traffic blocked between our Internal Network and the DMZ. So, we need to create a packet filter rule that will allow RDP from our Internal Network to the DMZ.
Navigate to Network Security, Packet Filter.
We don’t need a Group here.
Since we don’t have many rules and we shouldn’t be using this rule often, we can leave the Position: at the Bottom
Our Source: is the Internal (Network) since we may want to manage this server from any computer on your Internal Network. You could set this to a Single Host if you wanted to.
The Service: is Microsoft Remote Desktop
And the Destination: is DMZ (Network) Again you could set this to just a single IP address (Host) but we may add other servers and it will be easier to have a rule that allows the entire network rather than creating a rule for every machine you may add.
Action: is Allow

 Click the RED Light to enable the rule.

 You now have access to any machine on the DMZ network from the Internal Network and ONLY from the Internal Network.
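The first-match evaluation, the Deny/Drop distinction, and the “more than one ANY” no-no from the Packet Filter section, together with the Internal-to-DMZ rule just created, can be modelled in a few lines. This is an added example and not Astaro’s own code; the network ranges and the port numbers behind the “Email Messaging” and “Microsoft Remote Desktop” service groups are constructed assumptions.

```python
# Added example (not from the original post): a first-match model of the packet
# filter described above, with the post's own rules expressed as data.
# Networks and service port sets are constructed assumptions.
from ipaddress import ip_address, ip_network

ANY = "ANY"
NETS = {
    "Internal (Network)": ip_network("192.168.2.0/24"),
    "DMZ (Network)": ip_network("192.168.3.0/24"),
    "Mail Server": ip_network("192.168.3.2/32"),
}
SERVICES = {  # service group -> assumed set of TCP destination ports
    "Email Messaging": {25, 110, 143},
    "Microsoft Remote Desktop": {3389},
}

# (name, source, service, destination, action); tested top to bottom, first match wins.
RULES = [
    ("DMZ mail out", "DMZ (Network)", "Email Messaging", ANY, "Allow"),
    ("Manage DMZ", "Internal (Network)", "Microsoft Remote Desktop", "DMZ (Network)", "Allow"),
]

def _matches(selector, value):
    """ANY matches everything; a network name matches an address; a service matches a port."""
    if selector == ANY:
        return True
    if selector in NETS:
        return ip_address(value) in NETS[selector]
    return value in SERVICES[selector]

def evaluate(rules, src, port, dst):
    """Return (rule name, action, sender_notified). Unmatched traffic is dropped silently."""
    for name, s, svc, d, action in rules:
        if _matches(s, src) and _matches(svc, port) and _matches(d, dst):
            # Only Deny answers the originating host; Allow and Drop send nothing back.
            return name, action, action == "Deny"
    return "default", "Drop", False

def lint(rules):
    """Flag rules with more than one ANY, the no-no mentioned above."""
    return [r[0] for r in rules if sum(x == ANY for x in (r[1], r[2], r[3])) > 1]
```

Because evaluation stops at the first match, a Deny rule placed above “Manage DMZ” would win even though the later rule allows the same traffic.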

Follow Pete on Twitter! http://twitter.com/tyrstag 

4 Comments

    • Dec 12 2009, 1:47 PM Schoppenaas
    • Thanks for this good article. I hope that there will be a part 4 (or more). Setting up VPN?

    • Feb 05 2010, 5:09 AM bonus de bienvenue casino
    • I installed the software, during which I selected eth0 as my connection to the internal network. I am not going through the wizard and I only see 1 NIC card??? If I choose X=Cancel on the Setup wizard it brings me out to the Dashboard section. When I go into Network > Interfaces > Hardware I only see one NIC. Not sure what is going on here. I do not know what the problem is. Please give some suggestion, so I will remove that error. bonus de bienvenue casino

    • Feb 05 2010, 7:14 AM Pete Stagman
    • Are there 2 different brands of NICs? Is there one on the motherboard and you added another? It could be that one is not supported by the Astaro software. No driver.
      --Pete

    • Mar 07 2010, 9:05 AM Spielcasinos
    • One way is to request more IP addresses from your ISP, where you can assign each ISP-provided IP address to each of your hosts respectively. Keep in mind that this choice might not be financially feasible or might introduce technical limitations. Your system administrator needs to configure DNS BIND to be able to do such resolving. Fortunately there is a nice DNS feature on Cisco ASA and PIX Firewall where the DNS needs only to resolve names to the inside IP address, and still have the outside users able to access the server.

2006-2009 New England Digital Media User Group