Discussion:
[IPCop-user] Multiple IP addresses on red interface
Jonathan Baker-Bates
2003-08-23 03:02:06 UTC
Hi all,

I'm new to the list - and evaluating IPCop to replace our now out-of-support
NetScreen firewall.

Before I try setting it all up in a testbed, I have a question:

In the docs, I see IPCop allows you to add "aliases" to your untrusted
interface, but I have a feeling there is a catch, because it also says:

"...if you are providing a server on one of internal computers you may need
to use multiple aliases on your RED interface. To use this facility
effectively, you may have to adjust IPCop's routing tables by hand. "

If by "internal computers" it means "computers on the DMZ" then yes, we do
plan to do this. For example, currently we have about 12 external IP
addresses on our untrusted interface, which each map through to addresses on
the DMZ for things like web servers, etc. (restricted to specific ports or
ranges of ports).

Can anyone tell me more about this slightly mysterious paragraph in the
docs? Will IPCop let us have arbitrary addresses on our red interface
mapping through to addresses on our orange (or even green) interfaces?

Thanks for any help,

Jonathan
Jonathan Baker-Bates
2003-08-26 11:35:37 UTC
Hi all,

In the docs, I see IPCop allows you to add "aliases" to your untrusted
interface, but I have a feeling there is a catch, because it also says:

"...if you are providing a server on one of internal computers you may need
to use multiple aliases on your RED interface. To use this facility
effectively, you may have to adjust IPCop's routing tables by hand. "

If by "internal computers" it means "computers on the DMZ" then yes, we do
plan to do this. For example, currently we have about 12 external IP
addresses on our untrusted interface, each of which maps through to addresses
on the DMZ for things like web servers, etc. (restricted to specific ports or
ranges of ports).

Can anyone tell me more about this slightly mysterious paragraph in the
docs? Will IPCop let us have arbitrary addresses on our red interface
mapping through to addresses on our orange (or even green) interfaces?

Thanks for any help,

Jonathan
--
This message has been scanned for viruses and dangerous content.
Jonathan Baker-Bates
2003-08-26 11:48:46 UTC
[I wonder if this is going to turn up on the list - my last two attempts
didn't]

Hi all,

In the docs, I see IPCop allows you to add "aliases" to your untrusted
interface, but I have a feeling there is a catch, because it also says:

"...if you are providing a server on one of internal computers you may need
to use multiple aliases on your RED interface. To use this facility
effectively, you may have to adjust IPCop's routing tables by hand. "

If by "internal computers" it means "computers on the DMZ" then yes, we do
plan to do this. For example, currently we have about 12 external IP
addresses on our untrusted interface, which each map through to addresses on
the DMZ for things like web servers, etc. (restricted to specific ports or
ranges of ports).

Can anyone tell me more about this slightly mysterious paragraph in the
docs? Will IPCop let us have arbitrary addresses on our red interface
mapping through to addresses on our orange (or even green) interfaces?

Thanks for any help,

Jonathan
Marco van Beek
2003-08-26 13:04:19 UTC
Post by Jonathan Baker-Bates
"...if you are providing a server on one of internal computers you may
need to use multiple aliases on your RED interface. To use this
facility effectively, you may have to adjust IPCop's routing tables by
hand. "
Unless I am mistaken, this is because the box on the inside (be it green
or red) will reply via the firewall which will then use its default IP
address, potentially confusing a number of services.
Quite how you have to change the routing table I am not sure, but
basically packets received from internal address A will need to be sent
out on external address C rather than the default address B. I suspect it
will be a matter of adding a second (or more) default route entry for the
alias-using server.
However "caveat emptor", as I have never done this.

Regards,

Marco
Chris Meller
2003-08-26 13:10:33 UTC
Yes they did. You just have to be patient. This list is "quirky" at the
least...

Chris Meller
Post by Jonathan Baker-Bates
[I wonder if this is going to turn up on the list - my last two attempts
didn't]
Hi all,
In the docs, I see IPCop allows you to add "aliases" to your untrusted
"...if you are providing a server on one of internal computers you may need
to use multiple aliases on your RED interface. To use this facility
effectively, you may have to adjust IPCop's routing tables by hand. "
If by "internal computers" it means "computers on the DMZ" then yes, we do
plan to do this. For example, currently we have about 12 external IP
addresses on our untrusted interface, which each map through to addresses on
the DMZ for things like web servers, etc. (restricted to specific ports or
ranges of ports).
Can anyone tell me more about this slightly mysterious paragraph in the
docs? Will IPCop let us have arbitrary addresses on our red interface
mapping through to addresses on our orange (or even green) interfaces?
Thanks for any help,
Jonathan
Robert Kerr
2003-08-26 13:53:15 UTC
Post by Jonathan Baker-Bates
[I wonder if this is going to turn up on the list - my last two attempts
didn't]
They both showed up fine here.
Post by Jonathan Baker-Bates
In the docs, I see IPCop allows you to add "aliases" to your untrusted
"...if you are providing a server on one of internal computers you may need
to use multiple aliases on your RED interface. To use this facility
effectively, you may have to adjust IPCop's routing tables by hand. "
If by "internal computers" it means "computers on the DMZ" then yes, we do
plan to do this. For example, currently we have about 12 external IP
addresses on our untrusted interface, which each map through to addresses
on the DMZ for things like web servers, etc. (restricted to specific ports
or ranges of ports).
Can anyone tell me more about this slightly mysterious paragraph in the
docs? Will IPCop let us have arbitrary addresses on our red interface
mapping through to addresses on our orange (or even green) interfaces?
I guess the person who wrote the paragraph is the only one who can tell you
for sure what they meant. Under most circumstances there is no reason to
touch the routing tables in the situation you describe. My guess would be
they are probably referring to a problem you will experience if attempting to
run a server for a protocol that connects back to the client (e.g. FTP servers
in active mode) on aliases. The problem occurs because all outgoing
connections are routed through the default IP - the client expects a
connection from the alias but instead gets one from the default IP and
rejects it. In this case you'd need to manipulate the routing table and/or
add some SNAT rules.
--
Robert Kerr
Jonathan Baker-Bates
2003-08-26 13:56:15 UTC
Thanks for the reply Marco - and sorry for the duplicate posts.
Post by Marco van Beek
Unless I am mistaken, this is because the box on the inside (be it green
or red) will reply via the firewall which will then use its default IP
As I understand it at the moment, if I wanted to have packets passing to and
from an address on my Orange network at 192.168.10.5 to an IP address on my
Red network at 158.159.34.67, I would first set up an "external alias" in
the IPCop management interface for 158.159.34.67 and add a route manually to
the IPCop machine to "map" this as well?

Would I also have to add a route on the machine on the Orange network as
well?

Jonathan
Darren Critchley
2003-08-26 14:43:02 UTC
Post by Jonathan Baker-Bates
Thanks for the reply Marco - and sorry for the duplicate posts.
Post by Marco van Beek
Unless I am mistaken, this is because the box on the inside (be it green
or red) will reply via the firewall which will then use its default IP
As I understand it at the moment, if I wanted to have packets passing
to and from an address on my Orange network at 192.168.10.5 to an IP
address on my Red network at 158.159.34.67, I would first set up an
"external alias" in the IPCop management interface for 158.159.34.67
and add a route manually to the IPCop machine to "map" this as well?
Would I also have to add a route on the machine on the Orange network
as well?
The port forwarding page should accommodate this, examine the second drop
down list at the top center labelled Alias IP:, it will have DEFAULT IP in
it, but if you check the list inside, you will see that it has your aliases
in there, if you port forward using your alias, things should work how you
expect without any changes in your routing table.
Nick Shore
2003-08-27 10:36:05 UTC
Post by Darren Critchley
The port forwarding page should accommodate this, examine the second drop
down list at the top center labelled Alias IP:, it will have DEFAULT IP in
it, but if you check the list inside, you will see that it has your aliases
in there, if you port forward using your alias, things should work how you
expect without any changes in your routing table.
However as previously mentioned traffic from the servers on the DMZ will be
NATed using the MASQ rule behind the default IP address.

It would be really useful if the port forwarding page allowed you to
optionally check a box to implement SNAT rules, and then do it for you.

The rule should be similar to:


iptables -t nat -A POSTROUTING -o <output interface> -s <address(es)> -j SNAT --to-source <red-side-address-or-alias>


but may need to be in a different table, I haven't had time to check this
out fully.

Nick.
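
The SNAT half that Robert Kerr and Nick Shore describe above, worked through as an added example (this is not IPCop's own code and not from anyone in this thread): a POSIX shell script that reads a table of alias-to-DMZ-host port forwards and prints the PREROUTING DNAT rule for each forward (the part IPCop's port forwarding page already does when you pick the alias) together with one POSTROUTING SNAT rule per DMZ host (the part the page does not do). It also flags a DMZ host that is reachable through two different aliases, because only one source address can be SNATed for that host. The interface name eth1, the sample addresses and the mapping line format are assumptions chosen for illustration; the rules are printed for review, not applied.

```shell
#!/bin/sh
# Added example, not code from IPCop or from anyone in this thread.
# Generates the NAT rules for RED aliases that forward to DMZ (ORANGE) hosts:
#   - PREROUTING DNAT: the port forward (what IPCop's port-forwarding page
#     does for you when you pick the alias in its "Alias IP" list);
#   - POSTROUTING SNAT: the part the page does not do, so that connections the
#     DMZ host itself opens (e.g. active-mode FTP data connections) leave from
#     the alias the client knows rather than from RED's default address.
# Nothing here is applied; the rules are printed for review.
#
# Assumptions (hypothetical, chosen for illustration):
#   RED is eth1 (override with RED_IF); mapping lines are read from stdin as
#   "<red-alias> <dmz-host> <proto> <port>" where <port> may be a range
#   written "8000:8010"; filter-table FORWARD rules are out of scope.

RED_IF="${RED_IF:-eth1}"

# Constructed sample mapping table. The last line deliberately maps a host
# that is already reachable via another alias, to show the SNAT conflict.
SAMPLE_MAPPINGS='158.159.34.67 192.168.10.5 tcp 80
158.159.34.67 192.168.10.5 tcp 443
158.159.34.68 192.168.10.6 tcp 21
158.159.34.69 192.168.10.7 udp 53
158.159.34.70 192.168.10.5 tcp 25'

# One DNAT rule per mapping line, matched only on traffic arriving on RED.
# Replies to these connections are reverse-translated by connection tracking,
# so no SNAT rule is needed for them.
gen_dnat_rules() {
    while read -r alias host proto port; do
        [ -n "$port" ] || continue
        # iptables writes a port range as "a:b" in --dport but "a-b" in the target
        to_port=$(printf '%s' "$port" | tr ':' '-')
        printf 'iptables -t nat -A PREROUTING -i %s -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$RED_IF" "$alias" "$proto" "$port" "$host" "$to_port"
    done
}

# One SNAT rule per DMZ host. -I puts it ahead of whatever masquerade rule
# (or jump to IPCop's own chain) is already in POSTROUTING; appended with -A
# it would sit behind the MASQUERADE rule and never be reached.
# A host mapped from two different aliases can only get one SNAT source: the
# first alias seen wins and a comment line flags the conflict.
gen_snat_rules() {
    awk -v red="$RED_IF" '
        NF >= 4 {
            if ($2 in alias_of) {
                if (alias_of[$2] != $1)
                    printf "# WARNING: %s already SNATed to %s; traffic it originates will not use %s\n", $2, alias_of[$2], $1
                next
            }
            alias_of[$2] = $1
            printf "iptables -t nat -I POSTROUTING -o %s -s %s -j SNAT --to-source %s\n", red, $2, $1
        }'
}

# Stand-alone run: print the rule set for the sample table.
printf '%s\n' "$SAMPLE_MAPPINGS" | gen_dnat_rules
printf '%s\n' "$SAMPLE_MAPPINGS" | gen_snat_rules
```

Run it with sh on the firewall and read the output before piping it into a shell; the SNAT rules are inserted rather than appended so they are consulted before IPCop's masquerade rule, and they only matter for connections the DMZ host opens itself, since connection tracking already reverses the DNAT on replies to a forwarded connection.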
