
ZW_Joe

join:2005-10-08
San Anselmo, CA

1 edit

USG100 - NAT Confusion

Finally pushing all my servers under the comfy USG100. I feel I have a fair understanding on creating Address Objects, NAT rules, and Firewall rules. I love how you can group objects, and create one firewall rule! So much cleaner!

However, I've stumped or psyched myself on this one given it's not a one to one, or direct connection.

I have 6 servers I want to grant RDP privileges to certain WAN IP addresses. On the old trusty ZW2+ I'd do a port map from say port 7700 -> 3389 and then tell it what IP to go to, such as below, and create a firewall rule for the allowed IP addresses.

7000 -> 3389, 192.168.1.100
7100 -> 3389, 192.168.1.101

What would be a clean and smart way to accomplish this on the USG100?

-Joe


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

Re: USG100 - NAT Confusion

Okay not being RDP savvy.....

A. why a port map, will not all clients using RDP at their computer plug in port 3389?

B. How do you know which server to route an RDP request into? (if you have six servers behind the router).

I will assume perhaps that you give each client a specific RDP port to use, when it comes into the router, it reads the incoming port and sends it to port 3389 of the corresponding server IP address. That way you get around the limitation of one to one port forwarding for one particular IP. (i.e. 3 people could access server IP.100 because they enter in from ports 7000 to 7002 - all mapped to 3389 on that server.)

I suppose you could accomplish something similar using Public IP attached to private IP of the server. In this case you would need at least 6 public IPs mapped to six private IPs. All you would need is a firewall rule for each server delineating which IPs are allowed to access which servers (and not worry about port mapping - all users would setup the standard 3389). Clients would be given the WANIP of the server they are supposed to access (or dyndns name).

Anyway this is pure conjecture 'cause I don't know how it works but it seems to me using public IPs to private IPs would be much simpler than all this port mapping. The port mappings of course will also need firewall rules.

As for the how to.......... I do my port forwarding in the configuration main menu selection. There you select INTERFACE and sub-selection NAT. Under NAT, on the main view, select virtual interface and ensure you use port mapping type and then you can select original port and mapped port etc......

If you had multiple IPs instead of virtual server you would select one to one NAT or Many one to one NAT (contiguous numbering assumed) instead of virtual interface.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment

ZW_Joe

join:2005-10-08
San Anselmo, CA

Re: USG100 - NAT Confusion

[Screenshot: Network Layout & Remote Users]
[Screenshot: NAT Port Mapping]
[Screenshot: Firewall Settings]

Sorry, I realize I wasn't very clear.

We have multiple IPs for the Production Servers and do WAN to IP mapping. But we have a farm of development (soon to be production) servers. They want to RDP into specific servers as we build out this farm. The remote users all have static IPs, so we know who to let in via the Firewall rule.

We create a series of port mappings 7700->3389, 7800:3389, etc. and map them to one specific LAN IP. So if you want RDP to WebServer - 3, you'd type 50.50.50.51:7900. Oops, I realize I made a mistake on the names on the "Firewall Settings" screen shot. Should be WebServer1, Webserver2, WebServer3 and WebServer4.

Hopefully this makes more sense.

Joe
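
A way to sanity-check the scheme described in this thread (several WAN ports on one public IP, each forwarded to port 3389 on a different server, with access limited to known static source IPs), as an added example that is not part of the original posts and is not ZyXEL configuration syntax. It assumes default-deny WAN-to-LAN filtering with allow rules matched on the translated LAN address and port; the LAN addresses and remote-user addresses are constructed.

```python
import ipaddress
from collections import namedtuple

# Model assumption: WAN-to-LAN traffic is default-deny and allow rules are
# matched against the translated (LAN) address and port.
PortMap = namedtuple("PortMap", "wan_ip wan_port lan_ip lan_port")
Allow = namedtuple("Allow", "sources lan_ip lan_port")  # sources: CIDR strings

def translate(maps, wan_ip, wan_port):
    """Return the (lan_ip, lan_port) a WAN socket is forwarded to, or None."""
    for m in maps:
        if (m.wan_ip, m.wan_port) == (wan_ip, wan_port):
            return (m.lan_ip, m.lan_port)
    return None

def permitted(maps, rules, src, wan_ip, wan_port):
    """True if src may reach wan_ip:wan_port under the model above."""
    dst = translate(maps, wan_ip, wan_port)
    if dst is None:
        return False  # port is not forwarded at all
    addr = ipaddress.ip_address(src)
    return any((r.lan_ip, r.lan_port) == dst and
               any(addr in ipaddress.ip_network(s) for s in r.sources)
               for r in rules)

def audit(maps, rules):
    """Flag duplicate WAN sockets, unusable mappings, and mappings open to any source."""
    findings, seen = [], set()
    for m in maps:
        key = (m.wan_ip, m.wan_port)
        if key in seen:
            findings.append(f"{m.wan_ip}:{m.wan_port} duplicate mapping")
        seen.add(key)
        srcs = [s for r in rules if (r.lan_ip, r.lan_port) == (m.lan_ip, m.lan_port)
                for s in r.sources]
        if not srcs:
            findings.append(f"{m.wan_ip}:{m.wan_port} no allow rule")
        elif any(ipaddress.ip_network(s).prefixlen == 0 for s in srcs):
            findings.append(f"{m.wan_ip}:{m.wan_port} open to any source")
    return findings

# Constructed sample: the WAN IP and ports 7700-7900 follow the thread; the LAN
# addresses and remote-user addresses are made up for illustration.
MAPS = [PortMap("50.50.50.51", 7700, "192.168.1.101", 3389),
        PortMap("50.50.50.51", 7800, "192.168.1.102", 3389),
        PortMap("50.50.50.51", 7900, "192.168.1.103", 3389)]
RULES = [Allow(("203.0.113.10/32", "198.51.100.0/29"), "192.168.1.101", 3389),
         Allow(("203.0.113.10/32",), "192.168.1.103", 3389)]
```

Because every mapping lands on port 3389, the allow rules have to be keyed on the server's LAN address to keep users confined to their own server; `audit(MAPS, RULES)` reports the 7800 mapping as having no allow rule.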
