RV220W

Linksys, Netgear, sonicwall, ect. Webbase configurations for routers.
Guest

RV220W

Post by Guest » Sat Dec 04, 2010 1:53 pm

The manual states:This gateway supports multi-NAT, and the Internet Destination IP address does not necessarily have to be the WAN address. On a single WAN interface, multiple public IP addresses are supported. If your ISP assigns you more than one public IP address, one of these can be used as your primary IP address on the WAN port, and the others can be assigned to servers on the LAN or DMZ. In this way, the LAN/DMZ server can be accessed from the internet by its aliased public IP address.My IPS provides me with 5 IP addresses say x.y.z.1-5 I can use. My WAN interface has address x.y.x.1 So, I thoughtInternet Destination meant that I can make rules like:SMTP allow and send to internal address 192.168.1.a and internet destination is x.y.z.2 So, I thought I could do multiple-NAT-forwarding as inx.y.z.2:25 -> 192.168.1.a:25x.y.z.3:80 -> 192.168.1.b:80 But this seems not to work at all. Have I misunderstood things here? Can I only do port forwarding from my WAN IP. And if I want to use multiple servers on the inside I must either expose them fully to the internet or they must all be getting their traffic through my WAN IP?

Guest

Re:RV220W

Post by Guest » Sat Dec 04, 2010 2:20 pm

I noticed that One-to-One NAT is able to link the other WAN IPs to internal servers. I also noticed that this seems to bypass the firewall (if I remove the SMTP allow rule from the IPv4 rules, it still is passed through via One-to-One NAT). So, I am wondering what security risks I run if I remove these forwarders from the IPv4 rules in the firewall and add them to One-to-One NAT. Does the firewall work only on the WAN IP address? So, if I use One-to-One NAT, is my protection on those public IPs/internal services reduced to effectively only NAT? What about anti-flood attacks and all the other niceties of a proper firewall?

Guest

Re:RV220W

Post by Guest » Sat Dec 04, 2010 2:55 pm

If implemented correctly, traffic goingthrough 1-to-1 NAT should be firewalled similar totraffic going through port forwarding from the routers WAN IP. Computers exposed to the internet via Port Forwarding and 1-to-1 NAT should be protected by the stateful packet inspection mechanism of the firewall. To use 1-to-1 NAT, you would need multiple public addresses from your ISP.

Guest

Re:RV220W

Post by Guest » Sat Dec 04, 2010 3:54 pm

Thank you. Ive noticed a very nasty other problem, though which nullifies completely DNS Blacklist checking (DNSBL). The RV220W changes the originating IP address of NAT-ted packets via (at least) One-to-One to the IP address of the RV220W,  thus completely nullifying DNSBL checks on spam. Very nasty and something my old Linksys WAG54G2 was doing right. Im linking here to the other discussion set up for this. https://supportforums.cisco.com/thread/2078130?tstart=0

Post Reply