Allied Telesis AT-AR300 manual Further Examples, Firewall and IPsec Tunnel

Page 19

Software Release 2.3.1


redirection any web traffic from the user’s PC or laptop can be redirected to the ISP's web server. This forces the user to arrange payment for using the service before being able to browse to any other site. With appropriate supporting “deny” rules, all other traffic types from the user’s PC can be blocked until payment has been made.

The following gives a simple example of how a system such as this would be configured. The ISP has a switch configured with a firewall. The switch’s VLANs, vlan1 and vlan2, are private and public interfaces respectively. The ISP’s web server has the IP address 205.1.28.6. The following rules perform the web redirection and the blocking of all non-web traffic:

ADD FIREWALL POLICY=ISP RULE=298 INTERFACE=vlan1 ACTION=NAT
    NATTYPE=REVERSE PROTOCOL=TCP PORT=80 GBLREMOTE=205.1.28.6

ADD FIREWALL POLICY=ISP RULE=299 INTERFACE=vlan1 ACTION=DENY
    PROTOCOL=ALL

Once a user has arranged payment, a rule can be added that specifies the IP address that the ISP has assigned to the user, allowing the user full access to the service. The following is an example of such a rule. The user has been allocated the IP address 10.8.0.172. It is important that the rule number is lower than the blocking and redirecting rules, because rules are tried in order from the lowest rule number until a match is found. A low number will ensure that the allow rule will be applied if appropriate, rather than any of the other rules.

ADD FIREWALL POLICY=ISP RULE=5 INTERFACE=vlan1 ACTION=ALLOW
    IP=10.8.0.172 PROTOCOL=ALL

If the ISP wishes to take advantage of the time-limited rules feature, allowing the user to have access for 30 minutes, the following rule would be used instead.

ADD FIREWALL POLICY=ISP RULE=5 INTERFACE=vlan1 ACTION=ALLOW
    IP=10.8.0.172 PROTOCOL=ALL TTL=0:30

Further Examples

Firewall and IPsec Tunnel

Enhanced NAT can facilitate routing across an IPsec tunnel, when one end of the tunnel has separate IPsec and default gateways (Figure 5 on page 20). In the following example, the router at the LAN 1 end of the tunnel has an IP address of 192.168.2.100, and the LAN 2 end of the tunnel has an IP address range of 192.168.1.1-192.168.1.100. The IP address of traffic originated by LAN 1 hosts is translated to 192.168.1.53, using the command (applied to the private eth0 interface of the LAN 1 gateway router):

ADD FIREWALL POLICY=zone1 RULE=7 ACTION=NAT NATTYPE=ENHANCED
    INT=eth0 PROTOCOL=all IP=192.168.2.0-192.168.2.255
    REMOTEIP=192.168.1.1-192.168.1.100 GBLIP=192.168.1.53

The traffic will appear to devices on LAN 2 to originate locally. When a PC in the subnet 192.168.1.1-192.168.1.100 tries to reply to a packet from a host in LAN 1 (subnet 192.168.2.0), the IPsec gateway will reply to the PC’s ARP request with proxy ARP. The packet will be successfully routed through the tunnel instead of through the default gateway.
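The following Python model is an added example, not part of this release note and not Allied Telesis code. It reproduces the two behaviours the examples above depend on: ordered first-match evaluation of a policy (lowest rule number first, so the paid user's ALLOW rule 5 must sort before the redirect rule 298 and the DENY rule 299, and a TTL-expired rule drops out of the search), and the enhanced NAT rule that rewrites LAN 1 sources to 192.168.1.53 only for destinations in the REMOTEIP range, together with the reverse mapping the gateway needs for the reply coming back through the tunnel. The Rule fields are named after the command parameters on this page; the packet dictionaries, the 198.51.100.10 destination, the minute-based clock and the modelled default of allowing unmatched private-side traffic are constructed assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


def in_range(addr: str, rng: Optional[str]) -> bool:
    """rng is None (match anything), one address, or an 'a-b' range string."""
    if rng is None:
        return True
    lo, _, hi = rng.partition("-")
    return ip_address(lo) <= ip_address(addr) <= ip_address(hi or lo)


@dataclass
class Rule:
    number: int                      # RULE=
    action: str                      # ACTION=ALLOW, DENY or NAT
    protocol: str = "ALL"            # PROTOCOL=
    port: Optional[int] = None       # PORT= (destination port)
    ip: Optional[str] = None         # IP= source range on the private side
    remoteip: Optional[str] = None   # REMOTEIP= destination range
    nattype: Optional[str] = None    # NATTYPE=REVERSE or ENHANCED
    gblremote: Optional[str] = None  # GBLREMOTE= new destination (REVERSE)
    gblip: Optional[str] = None      # GBLIP= new source (ENHANCED)
    ttl: Optional[int] = None        # TTL= in minutes; None means permanent
    added_at: int = 0                # minutes on a constructed clock

    def live(self, now: int) -> bool:
        return self.ttl is None or now - self.added_at < self.ttl

    def matches(self, pkt: dict, now: int) -> bool:
        return (self.live(now)
                and self.protocol in ("ALL", pkt["proto"])
                and self.port in (None, pkt.get("dport"))
                and in_range(pkt["src"], self.ip)
                and in_range(pkt["dst"], self.remoteip))


class Firewall:
    """Ordered policy: rules are tried from the lowest number up, first match wins."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.sessions = {}  # (translated src, dst) -> original src, for ENHANCED replies

    def outbound(self, pkt: dict, now: int = 0):
        for rule in self.rules:
            if not rule.matches(pkt, now):
                continue
            if rule.action != "NAT":
                return rule.action, dict(pkt)
            out = dict(pkt)
            if rule.nattype == "REVERSE":      # redirect the destination
                out["dst"] = rule.gblremote
            elif rule.nattype == "ENHANCED":   # rewrite the source, remember the session
                out["src"] = rule.gblip
                self.sessions[(rule.gblip, pkt["dst"])] = pkt["src"]
            return "NAT", out
        # No rule matched. Private-to-public traffic is modelled as allowed by
        # default, which is why the page needs an explicit DENY rule (assumption).
        return "ALLOW", dict(pkt)

    def inbound_reply(self, pkt: dict):
        """Undo ENHANCED NAT for a reply arriving back through the tunnel."""
        original = self.sessions.get((pkt["dst"], pkt["src"]))
        if original is None:
            return "DENY", dict(pkt)
        return "NAT", {**pkt, "dst": original}


def reply_next_hop(host_cidr: str, dst: str) -> str:
    """A LAN 2 host replying to 192.168.1.53 sees an on-link address, so it ARPs
    for it (and the IPsec gateway answers by proxy ARP) instead of handing the
    packet to its default gateway."""
    on_link = ip_address(dst) in ip_network(host_cidr, strict=False)
    return "arp" if on_link else "default-gateway"


# Captive-portal policy from the page: redirect web traffic, deny everything else.
ISP_RULES = [
    Rule(298, "NAT", protocol="TCP", port=80, nattype="REVERSE", gblremote="205.1.28.6"),
    Rule(299, "DENY"),
]
WEB = {"src": "10.8.0.172", "dst": "198.51.100.10", "proto": "TCP", "dport": 80}  # constructed
SSH = {"src": "10.8.0.172", "dst": "198.51.100.10", "proto": "TCP", "dport": 22}  # constructed


def isp_policy(paid: bool, allow_number: int = 5, ttl: Optional[int] = None) -> Firewall:
    """The ISP policy, optionally with the per-user ALLOW rule added after payment."""
    rules = list(ISP_RULES)
    if paid:
        rules.append(Rule(allow_number, "ALLOW", ip="10.8.0.172", ttl=ttl))
    return Firewall(rules)


# Enhanced NAT rule for the IPsec tunnel example (policy zone1, rule 7).
ZONE1 = Firewall([Rule(7, "NAT", nattype="ENHANCED", ip="192.168.2.0-192.168.2.255",
                       remoteip="192.168.1.1-192.168.1.100", gblip="192.168.1.53")])

if __name__ == "__main__":
    print(isp_policy(paid=False).outbound(WEB))                 # redirected to 205.1.28.6
    print(isp_policy(paid=True, ttl=30).outbound(WEB, now=31))  # redirected again after TTL
    print(ZONE1.outbound({"src": "192.168.2.10", "dst": "192.168.1.20",
                          "proto": "TCP", "dport": 80}))         # source becomes 192.168.1.53
```

Running the model with the ALLOW rule numbered 300 instead of 5 shows why the page insists on a low number: rule 298 matches the web request first and the paid user is still redirected.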

Software Release 2.3.1 C613-10325-00 REV B
