deancollinsb

join:2013-06-09

WAN to ANY

If my first rule is WAN to ANY (excluding ZyWALL), how come I can't view my IIS server from outside on the internet? Shouldn't ANY service mean everything on my LAN?



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

First rule of thumb: DO NOT change ZyWALL default rules.

(For example, if there is a default rule with any to any ALLOW that you want to narrow down, then place a new rule on top of this that could state, for example, any to any DENY.)

Second rule of thumb: be accurate in your purpose and use of firewall rules. Clearly stated, you have a requirement for a LAN computer to be visible and thus you should be using a WAN to LAN rule (or LAN1 or LAN2) depending upon your router and setup.

You should NOT be using a WAN to any rule. I don't even know why that is there and perhaps someone with more acumen can trump in...

Lastly, if you have a single WAN IP (not multiple public IPs of which one is set to your server directly) then you will need to create a NAT virtual server rule (port forwarding) as well as the associated FW rule WAN to LAN1.

--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment


deancollinsb

join:2013-06-09

This was a new rule in location 1, so as it's WAN to ANY it should pass ALL traffic through to my SBS 2003 box.

Why isn't it doing this?



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4


If I knew the purpose of WAN to Any, I would have stated it in my previous post. You need a WAN to LAN firewall rule (and most likely a virtual server rule).

I can only lead the horse to water, if it chooses not to drink it will die of dehydration. :-P



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
Reviews:
·TekSavvy DSL
·Bell Fibe
reply to deancollinsb

said by deancollinsb:

If my first rule is WAN to ANY (excluding ZyWALL), how come I can't view my IIS server from outside on the internet? Shouldn't ANY service mean everything on my LAN?

WAN-to-ANY is a firewall rule. For viewing the servers you need to set up NAT (Virtual server, a.k.a. port forwarding) and potentially policy routing depending on the complexity of your setup.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

Brano, when would one use a WAN to ANY rule vice a WAN to LAN1 rule?



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

Really depends on your specific need. Let's say you want to enable ping to all your servers in DMZ, LAN and ZyWALL with one rule; you'd use WAN-to-ANY for PING.


deancollinsb

join:2013-06-09

OK, that makes sense, so you would enable ping from WAN to any. But if I put "any" service in there, shouldn't everything pass through the ZyXEL?

E.g. with my network: cable modem from Time Warner - USG 100 - SBS 2003 with DNS server - switch - with multiple IIS servers/Apache etc. with multiple internal IP addresses.

The FQDNs are all registered with no-ip.com; as such, all come to the same Time Warner IP address.

Basically, if I say any then the ZyXEL unit should be "see through" and my single 192.16.16.2 IP address should allow the DNS to route to the almost 30 different websites I have working currently (e.g. before I installed the ZyXEL unit).



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
Reviews:
·TekSavvy DSL
·Bell Fibe

said by deancollinsb:

route to the almost 30 different websites I have working currently

I'm guessing all the sites are on one server, correct?

deancollinsb

join:2013-06-09

At the moment: cable modem - external NIC of SBS 2003, then DNS on the SBS 2003 server, which determines if it's the IIS on the SBS server OR whether to send it out the internal NIC of the SBS 2003 to a 24-port switch to one of the other servers.

(The majority of the 30 websites are primarily on a second server, but I'm about to start messing around with VMware, which means there will be a lot more virtual servers... so people's suggestions of using 1 port per website is just silly.)



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
Reviews:
·TekSavvy DSL
·Bell Fibe


OK man, apples and oranges. You're talking about a Layer 7 application gateway, also known as a reverse proxy server. You can still have this same setup with the USG firewall in front of it; nothing is changing.
You can use the SBS for reverse proxy or alternatively Nginx or Apache in reverse proxy mode.
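As an added illustration (not from this thread, ZyXEL or the poster's setup): a minimal Nginx reverse-proxy config on one LAN host that the USG's single port-80 virtual server rule points at, routing each request to the SBS box or the second server by its HTTP Host header; the 192.168.1.x addresses and site names are constructed placeholders.

```nginx
# Constructed example: the ZyWALL USG forwards WAN port 80 (one virtual server
# rule plus one WAN-to-LAN1 firewall rule) to this Nginx host, which picks the
# backend by Host header. Internal addresses and hostnames are placeholders.
upstream sbs_iis { server 192.168.1.10:80; }   # SBS 2003 / IIS (assumed address)
upstream web2    { server 192.168.1.20:80; }   # second web server (assumed address)

# Unknown or missing Host header: close the connection rather than serve a
# default site (444 is Nginx's non-standard "close without response").
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;
    server_name site1.example.com www.site1.example.com;
    location / {
        proxy_pass http://sbs_iis;
        proxy_set_header Host $host;                  # backend sees the real vhost
        proxy_set_header X-Real-IP $remote_addr;      # original client, for IIS logs
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 80;
    # many of the ~30 names hosted on the second server can share one block
    server_name site2.example.com site3.example.com;
    location / {
        proxy_pass http://web2;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

For HTTPS the same split only works if Nginx terminates TLS itself (server_name is then matched via SNI); forwarding port 443 straight to one backend cannot route by hostname, which is the HTTPS limit Brano notes below.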



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

said by Brano:

OK man, apples and oranges. You're talking about a Layer 7 application gateway, also known as a reverse proxy server. You can still have this same setup with the USG firewall in front of it; nothing is changing.
You can use the SBS for reverse proxy or alternatively Nginx or Apache in reverse proxy mode.

PLUS

If all the 30 sites are on one physical server then ZyWall can handle this easily ... basic setup.

If these 30 sites are split between let's say two physical SBS servers then you need a) either two WAN IPs or b) have half the sites that point to 2nd server run on alternate port.

For the DNS approach you'd need deep packet inspection for HTTP and perhaps get it working, but that won't work with HTTPS and you're back to basics.

Okay, so I understand: regardless of the number of websites or stuff going on with these servers, they receive all their traffic over a single port?? Thus requiring one port forwarding rule and one firewall rule? If running a second server, that port needs to run on a separate port and thus a second port forwarding rule and associated firewall rule?

(Or a second public IP (and only a FW rule) just for that second server, assuming the first one is using the router's WAN IP.)

I imagine we are talking port 80 for all web traffic, so since most people are not going to be using an alternate port, the second IP is a more logical and obvious choice?

Alternately, perhaps...
- Can a DynDNS-type address point to the right IP and ALSO CHANGE PORT?? Which would be ideal if it could, for the second server.

If this were true then it would be too easy to create a port forwarding rule and FW rule for the new port pointing to the second server.

OR
Now the ZyWALL can redirect an incoming port to port 80 for the second server without conflict.

I.e. port 8080 to port 80, for example, alleviating the need for a different port on the second server. Since we now have a directed destination LAN IP to use for the FW rule, there should be no conflict with port 80 going to two different LAN IPs.

Obviously the first solution is probably easier but perhaps the second is useful as I do not know how web servers work.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

You could do the alternate ports, but you'd have to tell all your users/clients to use the port... impractical.


deancollinsb

join:2013-06-09

reply to Anav

You can't get more than 1 IP address on Time Warner residential broadband... so that's not a solution either.