Hi there,
I am working on a setup for a client that has a /27 from the ISP; for the illustration of it, I will call this 2.2.2.0/27.
It is assigned to them as a subnet with 2.2.2.0 as network, 2.2.2.1 as gateway, and 2.2.2.31 as broadcast.
I have set up a bridge "servers" of ETH4 and ETH5, where ETH4 is on the outside and ETH5 is on the inside, connecting their servers.
I have assigned the IP address 2.2.2.2 to ETH4, to be able to access the router from the outside.
Now in bridge filters, I have created the filters:
/interface bridge filter
add chain=forward dst-port=3389 in-interface=ETH4 ip-protocol=tcp mac-protocol=ip
add action=drop chain=forward in-interface=ether13 mac-protocol=ip
I can log on to the terminal server, but I cannot access anything from it. I cannot ping anything on the internet, nor browse any web pages.
How can I open up access to the outside from this server?
Thank you.
/Ulrich
If you drop all, you have to open all the traffic you want to use, e.g. port 80 (and 443) to browse the web. Your rules say drop all, but open for RDP. If you want anything else to happen, you have to tell the bridge filter what to do, e.g. open for TCP port 80.
It's possible to do this with your bridge firewall setup, but it is still a bit more complex, with less functionality than just using the regular firewall. How about asking the ISP whether you can route the /27 yourself?
Hi samsung172,
Thank you for your reply!
Could I use the regular firewall for a bridge? If so, how?
I have asked already, and unfortunately the ISP is not willing to deliver the IPs in any other way.
Cheers,
Ulrich
From the GUI: Bridge / Settings / Use IP Firewall.
OK, so can I simply create rules in "/IP Firewall" like I normally do, with that setting set?
Is there something I need to be aware of?
Could I make the following then?
/ip firewall filter
add chain=forward dst-address=2.2.2.0/27 dst-port=3389 protocol=tcp
add action=drop chain=forward dst-address=2.2.2.0/27
As asked when this thread started, how can I make sure that I am able to browse the internet from the server behind these rules?
Thx.
/Ulrich
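Added example, not posted by anyone in this thread: the stateless bridge-filter design the opening post uses, beside the stateful /ip firewall design that the "Use IP Firewall" suggestion leads to. It reuses the names from the posts (bridge "servers", outside port ETH4, inside port ETH5, block 2.2.2.0/27); the `in-bridge-port` matcher is assumed to be available (RouterOS 6.41 or later), and the port lists for the stateless variant are illustrative.

```routeros
# Added example (not from the original thread). Assumes the bridge is named
# "servers", the outside port is ETH4, the servers sit behind ETH5, and the
# delegated block is 2.2.2.0/27, as in the posts. Adjust names to match
# /interface bridge port on your router.

# --- Why the original bridge filter breaks outbound access -------------
# /interface bridge filter has no connection tracking. A drop rule on ETH4
# therefore also discards the *replies* to connections the servers open
# themselves, which is exactly the symptom in the first post (RDP in works,
# nothing out works). A bridge-filter-only design has to accept each
# service's return traffic by hand, e.g. for web browsing and DNS:
#
#/interface bridge filter
#add chain=forward in-interface=ETH4 mac-protocol=ip ip-protocol=tcp dst-port=3389 comment="RDP in"
#add chain=forward in-interface=ETH4 mac-protocol=ip ip-protocol=tcp src-port=80,443 comment="HTTP(S) replies (stateless)"
#add chain=forward in-interface=ETH4 mac-protocol=ip ip-protocol=udp src-port=53 comment="DNS replies (stateless)"
#add chain=forward in-interface=ETH4 mac-protocol=ip action=drop comment="drop all other inbound"
#
# Matching on source port is weak: any outside host can reach the servers by
# simply sending from port 80, 443 or 53. Prefer the stateful variant below.

# --- Stateful alternative: pass bridged traffic through /ip firewall -----
/interface bridge settings
set use-ip-firewall=yes

/ip firewall filter
# Replies to connections that already exist (including the servers' own
# outbound sessions) are accepted before any directional rule
add chain=forward connection-state=established,related action=accept \
    comment="return traffic for existing connections"
add chain=forward connection-state=invalid action=drop \
    comment="drop packets that belong to no known connection"

# New connections arriving from the outside port: only RDP to the /27
add chain=forward in-bridge-port=ETH4 dst-address=2.2.2.0/27 \
    protocol=tcp dst-port=3389 connection-state=new action=accept \
    comment="RDP to servers"

# Everything else entering from the outside is dropped. New connections
# from the servers (arriving on ETH5) match no rule and are accepted by the
# chain's default, so browsing and ping from the servers work.
add chain=forward in-bridge-port=ETH4 action=drop \
    comment="drop all other new inbound"
```

Two caveats for this layout. The forward chain only covers traffic crossing the bridge; packets addressed to the router's own 2.2.2.2 go through the input chain, which needs its own established/related and management rules. And RouterOS expects an IP address to live on the bridge interface ("servers") rather than on a port that is a bridge member; check `/ip address print` for an address flagged invalid if the router stops answering on 2.2.2.2 after the bridge is created.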