Joined: 09 Oct 2002
Location: Lausanne, Switzerland
Posted: Wed Oct 09, 02 17:30 Post subject: How do I add Virtual IP addresses?
A good description of adding Virtual IP addresses is in the Reference Manual's NAT & PAT Chapter. Also check the sample configurations on the Support web site.
This is done on the NAT>Global Page (3.4 or higher) or the MISC>NAT (<3.4) page. Below is a summary of this being done in 5 different ways.
1. all web requests for 126.96.36.199 are redirected internally to 10.0.1.1:80
2. all web requests for 188.8.131.52 are redirected internally to 10.0.1.2:80
3. all web requests for 184.108.40.206 are redirected internally to 10.0.1.3:80
4. all TCP requests for 220.127.116.11-18.104.22.168 are redirected to 10.0.1.4:80
5. all traffic (including ICMP) to 22.214.171.124 is redirected to 10.0.1.4
a) to make virtual IPs respond to pings you must NAT all traffic to that IP address. If you need security on that connection you can make filtering rules to further limit traffic.
b) your ISP must indeed be routing these additional IPs to you through your configured WAN interface. Firmware 3.3 and higher allow Proxy ARP, which is needed for Virtual IP on static IP addresses. Firmware below 3.3 required the ISP to have static routes to get the other external IP addresses sent to the Firewall.
c) you must activate NAT on the LAN interface and use NAT Global rules or add static routes on the workstation for reaching the Virtual IPs. In Windows this would take the syntax of C:\>route add x.x.x.x mask 255.255.255.255 y.y.y.y where x.x.x.x is the Virtual IP address on the MISC>NAT page and y.y.y.y is the interface of the MultiCom Firewall that your workstation is attached to. Future firmware versions will have a DNS server that can be configured with the domain name.
d) there is an issue in the Configurator software below version 3.2 that affects MISC>NAT rules. If you receive the following error message - "ERROR: 'To port' NAT field must be defined when mapping is different from masquerade" you must do one of the following:
In 3.1, the MISC>NAT table has a mistake in it. The default TO_PORT field is equal to 0 when it should be equal to "0-65535". You must manually enter this number in the TO_PORT field. Your number will be replaced by the word ANY (as in example #5) but the value will have been changed to 0-65535. After this change you can save the configuration to the MultiCom Firewall or to a file.
In OS 3.0.1 you cannot make a MISC>NAT rule for ANY protocol without entering a specific port to send it to. The main reason you would want to do this is to ping through the Ethernet II. If you want to enter this rule you must enter it in the MISC>NAT table and enter 0-65535 in the To_Port field, open the Edit Config, copy all of the config, open the Ethernet II web server, go to the edit config window, paste the configuration into that window. The reason is that you cannot save these configs to file or to the Ethernet II from the Configurator.
e) you will additionally need to turn on NAT for the interfaces on which you wish to use these NAT rules, i.e. to make a virtual IP reachable from the Internet you must enable NAT on the WAN interface (and optionally the firewall). For the LAN users to use the public addresses to reach those same servers you must also enable NAT on the LAN interface, otherwise they will have to use the LAN address to reach them (like 10.0.0.2).
f) before firmware 3.3 only the actual IP address of the interface (WAN, LAN, DMZ) could respond to an ARP request... no IP aliases. That means that you will need to have static routes to get the other IP addresses to the Firewall. Firmware 3.3 and higher offer Proxy ARP to solve this problem.
Screenshot of the above configuration...
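As an added illustration of how the five mappings in the post resolve (this is example code written for this page, not MultiCom firmware, Configurator output or the product's configuration syntax): a small rule evaluator that models the post's port semantics, including why a ping to a virtual IP with only a TCP/80 mapping goes unanswered (item a) and why a TO_PORT of "0" is not the same as "0-65535"/ANY (item d). The 203.0.113.x public addresses are constructed stand-ins for the post's public IPs, and every field and function name is an assumption.

```python
"""
Toy evaluator for the five virtual-IP (NAT) mappings listed in the post above.
Added example: not MultiCom firmware code, and not the Configurator's syntax.
Rule semantics (protocol, destination-port range, "ANY" == 0-65535) follow the
post; the public addresses are constructed (RFC 5737 TEST-NET-3) stand-ins for
the post's public IPs, and all field/function names are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_PORTS = (0, 65535)


def parse_port_field(field: str) -> Tuple[int, int]:
    """Turn a Configurator-style port field into an inclusive (low, high) range.

    "ANY" and "0-65535" both mean every port. A bare "0" (the defaulted value
    the post warns about in item d) is NOT treated as ANY: it is the single
    port 0, which never matches real web traffic.
    """
    text = field.strip().upper()
    if text == "ANY":
        return ANY_PORTS
    if "-" in text:
        lo, hi = (int(x) for x in text.split("-", 1))
    else:
        lo = hi = int(text)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port field: {field!r}")
    return (lo, hi)


@dataclass(frozen=True)
class NatRule:
    public_first: str            # first public (virtual) IP matched, inclusive
    public_last: str             # last public IP matched (same as first for one IP)
    proto: Optional[str]         # "tcp", "udp", "icmp", or None for any protocol
    dst_ports: Tuple[int, int]   # inclusive port range matched (ignored for non-TCP/UDP)
    to_ip: str                   # internal host the packet is redirected to
    to_port: Optional[int]       # fixed internal port, or None to keep the original port

    def matches(self, dst_ip: str, proto: str, dst_port: Optional[int]) -> bool:
        # Endpoints are sorted so the rule works whichever way the range was typed.
        lo, hi = sorted(int(ipaddress.ip_address(x))
                        for x in (self.public_first, self.public_last))
        if not lo <= int(ipaddress.ip_address(dst_ip)) <= hi:
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if proto in ("tcp", "udp"):
            if dst_port is None or not self.dst_ports[0] <= dst_port <= self.dst_ports[1]:
                return False
        return True


def nat_lookup(rules: List[NatRule], dst_ip: str, proto: str,
               dst_port: Optional[int] = None):
    """Return (internal_ip, internal_port) for the first matching rule, or None
    when nothing redirects the packet (e.g. ICMP to a virtual IP that only has
    a TCP/80 mapping, which is why item (a) says to NAT all traffic for pings)."""
    for rule in rules:
        if rule.matches(dst_ip, proto, dst_port):
            return (rule.to_ip, rule.to_port if rule.to_port is not None else dst_port)
    return None


# The post's five mappings, with constructed public addresses 203.0.113.1-6.
RULES = [
    NatRule("203.0.113.1", "203.0.113.1", "tcp", parse_port_field("80"), "10.0.1.1", 80),
    NatRule("203.0.113.2", "203.0.113.2", "tcp", parse_port_field("80"), "10.0.1.2", 80),
    NatRule("203.0.113.3", "203.0.113.3", "tcp", parse_port_field("80"), "10.0.1.3", 80),
    # rule 4: all TCP to a range of public IPs -> 10.0.1.4:80
    NatRule("203.0.113.4", "203.0.113.5", "tcp", parse_port_field("0-65535"), "10.0.1.4", 80),
    # rule 5: every protocol, ICMP included, to one public IP -> 10.0.1.4, port kept
    NatRule("203.0.113.6", "203.0.113.6", None, parse_port_field("ANY"), "10.0.1.4", None),
]


if __name__ == "__main__":
    for pkt in [("203.0.113.1", "tcp", 80), ("203.0.113.1", "icmp", None),
                ("203.0.113.5", "tcp", 8080), ("203.0.113.6", "icmp", None),
                ("203.0.113.6", "udp", 53)]:
        print(pkt, "->", nat_lookup(RULES, *pkt))
```

The evaluator is first-match, top to bottom; on a real firewall, rule ordering and whether NAT is enabled on the LAN and WAN interfaces (items c and e) decide whether a packet ever reaches these rules at all.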