Hi, I have just set up an RB1100 and have some configuration problems.
I want the subnets to NOT be able to talk directly to each other, and if possible to route the traffic between the subnets via their public IPs.
So, for a client in subnet 10.99.99.0/24 to access the FTP server on 10.24.7.2, the client would connect to 1.2.3.246:21 and the traffic should flow as it would for any other user from the outside.
If this isn't possible (but hey, everything is possible with RB, right?) I want to drop everything between the subnets except specified allowed services, through the firewall I guess.
The reason I want to do everything through the public IPs is that I don't want to set up specific DNS records for the local nets to access websites, FTP servers, mail servers etc. on every subnet.
IP Addresses
I have the following networks set up at the moment, where 0, 2, 14 and 15 are local nets for different subnets and the rest are public IPs.
# ADDRESS NETWORK BROADCAST INTERFACE
0 ;;; ndLocal - lan
10.24.1.1/24 10.24.1.0 10.24.1.255 ether3 - ndLocal
1 ;;; Standard IP for routes
1.2.3.241/28 1.2.3.240 1.2.3.255 ether12 - wan1
2 ;;; ndVerkstad - lan
10.99.99.1/24 10.99.99.0 10.99.99.255 ether6 - ndVerkstad
3 ;;; ndLocal & ndGuest - wan
1.2.3.242/28 1.2.3.240 1.2.3.255 ether12 - wan1
4 ;;; ndHosting - wan
1.2.3.243/28 1.2.3.240 1.2.3.255 ether12 - wan1
5 ;;; ndVerkstad - wan
1.2.3.244/28 1.2.3.240 1.2.3.255 ether12 - wan1
6 ;;; ndDmz1 - wan
1.2.3.245/28 1.2.3.240 1.2.3.255 ether12 - wan1
7 ;;; ndDmz2 - wan
1.2.3.246/28 1.2.3.240 1.2.3.255 ether12 - wan1
8 1.2.3.247/28 1.2.3.240 1.2.3.255 ether12 - wan1
9 1.2.3.249/28 1.2.3.240 1.2.3.255 ether12 - wan1
10 1.2.3.250/28 1.2.3.240 1.2.3.255 ether12 - wan1
11 1.2.3.251/28 1.2.3.240 1.2.3.255 ether12 - wan1
12 1.2.3.252/28 1.2.3.240 1.2.3.255 ether12 - wan1
13 1.2.3.253/28 1.2.3.240 1.2.3.255 ether12 - wan1
14 10.0.0.1/24 10.0.0.0 10.0.0.255 ether4
15 ;;; ndDmz2 - lan
10.24.7.1/24 10.24.7.0 10.24.7.255 ndDmz2.124
IP Firewall NAT
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; ndDmz2 src
chain=srcnat action=src-nat to-addresses=1.2.3.246 src-address=10.24.7.0/24 out-interface=ether12 - wan1
1 ;;; ndDmz2 - ftp
chain=dstnat action=dst-nat to-addresses=10.24.7.2 to-ports=21 protocol=tcp dst-address=1.2.3.246 dst-port=21
2 ;;; ndDmz2 - ftp data
chain=dstnat action=dst-nat to-addresses=10.24.7.2 to-ports=1401-1410 protocol=tcp dst-address=1.2.3.246 dst-port=1401-1410
3 ;;; ndVerkstad src
chain=srcnat action=src-nat to-addresses=1.2.3.244 src-address=10.99.99.0/24 out-interface=ether12 - wan1
4 ;;; ndLocal src
chain=srcnat action=src-nat to-addresses=1.2.3.242 src-address=10.24.1.0/24 out-interface=ether12 - wan1
5 ;;; ndGuest src
chain=srcnat action=src-nat to-addresses=1.2.3.242 src-address=10.0.0.0/24 out-interface=ether12 - wan1
6 ;;; ndHosting src
chain=srcnat action=src-nat to-addresses=1.2.3.243 src-address=10.24.5.0/24 out-interface=ether12 - wan1
7 ;;; masquerade all
chain=srcnat action=masquerade out-interface=ether12 - wan1
IP Firewall Filter
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; accept established
chain=forward action=accept connection-state=established in-interface=ether12 - wan1
1 ;;; accept related
chain=forward action=accept connection-state=related in-interface=ether12 - wan1
2 ;;; drop invalid
chain=forward action=drop connection-state=invalid connection-type=""
3 ;;; detect hackers
chain=forward action=jump jump-target=detect_hackers
4 ;;; ndDmz2 - Services
chain=forward action=jump jump-target="ndDmz2 - Services" dst-address=10.24.7.2
5 ;;; accept established
chain=input action=accept connection-state=established in-interface=ether12 - wan1
6 ;;; accept related
chain=input action=accept connection-state=related in-interface=ether12 - wan1
7 ;;; drop invalid
chain=input action=drop connection-state=invalid connection-type=""
8 ;;; detect hackers
chain=input action=jump jump-target=detect_hackers
9 ;;; allow access to rb from safe address-list
chain=input action=accept protocol=tcp dst-address=1.2.3.241 src-address-list=safe dst-port=8291,22
10 ;;; drop everything else
chain=input action=drop in-interface=ether12 - wan1
11 ;;; drop invalid out
chain=output action=drop connection-state=invalid
12 ;;; drop everything to known hackers
chain=output action=jump jump-target=drop_hackers
13 ;;; detect ftp bruteforcers
chain=output action=jump jump-target=detect_hackers_ftp
14 ;;; accept all out
chain=output action=accept
15 ;;; allow smtp from webroot
chain=ndLocal action=accept protocol=tcp src-address=194.116.198.0/23 dst-port=25
16 ;;; allow smtp from webroot
chain=ndLocal action=accept protocol=tcp src-address=208.87.136.0/23 dst-port=25
17 ;;; allow smtp from webroot
chain=ndLocal action=accept protocol=tcp src-address=203.100.58.0/24 dst-port=25
18 ;;; drop rest smtp for ndLocal
chain=ndLocal action=drop protocol=tcp dst-port=25
19 ;;; accept pptp
chain=ndLocal action=accept protocol=tcp dst-port=1723
20 ;;; accept pptp
chain=ndLocal action=accept protocol=udp dst-port=1723
21 ;;; accept gre for pptp
chain=ndLocal action=accept protocol=gre
22 ;;; accept sharepoint
chain=ndLocal action=accept protocol=tcp dst-port=987
23 ;;; accept https
chain=ndLocal action=accept protocol=tcp dst-port=443
24 ;;; accept smtp for ndhosting
chain=ndHosting action=accept protocol=tcp dst-port=25
25 ;;; accept pop3 & imap4 ndhosting
chain=ndHosting action=accept protocol=tcp dst-port=143,110,995,587,993
26 ;;; accept pptp ndhosting
chain=ndHosting action=accept protocol=tcp dst-port=1723
27 ;;; accept sharepoint ndhosting
chain=ndHosting action=accept protocol=tcp dst-port=987
28 ;;; accept GRE ndhosting
chain=ndHosting action=accept protocol=gre
29 ;;; accept http ndhosting
chain=ndHosting action=accept protocol=tcp dst-port=80
30 ;;; accept https ndhosting
chain=ndHosting action=accept protocol=tcp dst-port=443
31 ;;; ndDmz2 - FTP
chain="ndDmz2 - Services" action=accept protocol=tcp dst-port=21,1401-1410
32 ;;; echo reply
chain=icmp action=accept protocol=icmp icmp-options=0:0
33 ;;; net unreachable
chain=icmp action=accept protocol=icmp icmp-options=3:0
34 ;;; host unreachable
chain=icmp action=accept protocol=icmp icmp-options=3:1
35 ;;; allow source quench
chain=icmp action=accept protocol=icmp icmp-options=4:0
36 ;;; allow echo request (limited by pps and size)
chain=icmp action=accept protocol=icmp icmp-options=8:0 limit=10,5 packet-size=5-156
37 ;;; allow time exceed
chain=icmp action=accept protocol=icmp icmp-options=11:0
38 ;;; allow parameter bad
chain=icmp action=accept protocol=icmp icmp-options=12:0
39 ;;; drop other icmp
chain=icmp action=drop protocol=icmp
40 ;;; drop everything from known hackers
chain=detect_hackers action=jump jump-target=drop_hackers
41 ;;; detect ssh brute forcers
chain=detect_hackers action=jump jump-target=detect_hackers_ssh protocol=tcp dst-port=22
42 ;;; detect ftp brute forcers
chain=detect_hackers action=jump jump-target=detect_hackers_ftp
43 ;;; add Port scanners to list
chain=detect_hackers action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=hacker_port-scanner address-list-timeout=2w
44 ;;; add Port scanners to list (NMAP FIN Stealth scan)
chain=detect_hackers action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=hacker_port-scanner address-list-timeout=2w
45 ;;; add Port scanners to list (SYN/FIN scan)
chain=detect_hackers action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp address-list=hacker_port-scanner address-list-timeout=2w
46 ;;; add Port scanners to list (SYN/RST scan)
chain=detect_hackers action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp address-list=hacker_port-scanner address-list-timeout=2w
47 ;;; add Port scanners to list (FIN/PSH/URG scan)
chain=detect_hackers action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp address-list=hacker_port-scanner address-list-timeout=2w
48 ;;; add Port scanners to list (ALL/ALL scan)
chain=detect_hackers action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list=hacker_port-scanner address-list-timeout=2w
49 ;;; add Port scanners to list (NMAP NULL scan)
chain=detect_hackers action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=hacker_port-scanner address-list-timeout=2w
50 ;;; add ssh brute forcers to hacker_ssh-bruters for 10 days
chain=detect_hackers_ssh action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=hacker_ssh-bruters address-list-timeout=1w3d dst-port=22
51 ;;; ssh brute forcers the third stage
chain=detect_hackers_ssh action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22
52 ;;; ssh brute forcers the second stage
chain=detect_hackers_ssh action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22
53 ;;; ssh brute forcers the first stage
chain=detect_hackers_ssh action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22
54 ;;; allow 5 logon tries via ftp per minute before block
chain=detect_hackers_ftp action=accept protocol=tcp src-address=10.24.7.2 content="530 Not logged in (Password incorrect)." dst-limit=1/1m,3,dst-address/1m
55 ;;; add ftp-user to hackers 23h45m
chain=detect_hackers_ftp action=add-dst-to-address-list protocol=tcp src-address=10.24.7.2 address-list=hacker_ftp-bruters address-list-timeout=23h45m content="530 Not logged in (Password incorrect)."
56 ;;; Drop portscanners
chain=drop_hackers action=drop src-address-list=hacker_port-scanner
57 ;;; Drop ssh brute forcing hackers
chain=drop_hackers action=drop src-address-list=hacker_ssh-bruters
58 ;;; Drop ftp brute forcing hackers
chain=drop_hackers action=drop src-address-list=hacker_ftp-bruters
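One way to get the behaviour asked for above (inter-subnet traffic only via the public IPs, direct LAN-to-LAN traffic dropped), as an added example that is not part of the original post or any reply to it. It assumes an address-list name `lan` chosen here, a RouterOS version that has the `connection-nat-state` matcher, and that the existing dst-nat rules for 1.2.3.246 stay as they are; the `place-before` numbers refer to the rule numbering shown in the print output above.

```routeros
# Added example (not from the original post). Assumed names: address-list "lan".

# 1. Group the local subnets so a single rule can match "LAN to LAN" traffic.
/ip firewall address-list
add list=lan address=10.24.1.0/24 comment="ndLocal"
add list=lan address=10.99.99.0/24 comment="ndVerkstad"
add list=lan address=10.0.0.0/24 comment="ndGuest"
add list=lan address=10.24.7.0/24 comment="ndDmz2"

# 2. Hairpin src-nat. The existing srcnat rules only match out-interface=wan1,
#    so they never fire for a ndVerkstad client whose connection was dst-nat'ed
#    to 10.24.7.2 and leaves on the DMZ interface. This rule rewrites the source
#    to 1.2.3.244, so the FTP server sees the same address an outside client
#    behind that subnet would, and no extra DNS records are needed.
#    connection-nat-state=dstnat limits it to flows that came in via a public IP.
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=1.2.3.244 \
    src-address=10.99.99.0/24 dst-address=10.24.7.0/24 \
    connection-nat-state=dstnat comment="ndVerkstad -> ndDmz2 hairpin"

# 3. Forward filter, inserted at the top of the chain in this order:
#    a) replies on any interface (the existing rules only cover wan1),
#    b) LAN->LAN flows that were dst-nat'ed, i.e. came through a public IP,
#    c) everything else LAN->LAN is dropped before the per-service jumps,
#       which would otherwise accept a direct 10.99.99.x -> 10.24.7.2:21 hit.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="accept established/related on all interfaces" place-before=0
add chain=forward action=accept src-address-list=lan dst-address-list=lan \
    connection-nat-state=dstnat comment="LAN->LAN only via public IP" place-before=1
add chain=forward action=drop src-address-list=lan dst-address-list=lan \
    comment="drop direct LAN->LAN" place-before=2
```

The dst-nat rules for ports 21 and 1401-1410 already exist, so passive FTP data connections from the LAN client are hairpinned the same way; verify with `/ip firewall connection print` that a LAN-originated FTP session shows the src-nat to 1.2.3.244 and that a direct connection to 10.24.7.2 is dropped.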