Examples


Allow Clients from Private Address Space Access to the Internet

This is the bread and butter of network administration: allow internal clients to access the Internet when the organisation has only one public IP address, assigned by its Internet Service Provider. Since Syneto's policy is to drop any connection that is not explicitly allowed, you must define at least one accept rule for the internal network. The policy may be more permissive or more restrictive depending on a range of factors, but anything a client needs beyond the services listed here (NTP, mail, VPN and so on) stays blocked by the default policy until a rule allows it. For an internal machine to browse the Internet, at least these services have to be allowed:

  • DNS (UDP or TCP port 53) – Domain Name System (service name: domain)
  • HTTP (TCP port 80) – HyperText Transfer Protocol (service name: www)
  • HTTPS (TCP port 443) – HTTP over TLS (service name: https)

Figure 1. Allowing clients from private address space to access the Internet

The hypothetical network layout is shown in Figure 1. With that layout in mind, configure the Syneto appliance as follows:

(1) Configure ethernet interfaces and routing

  • Navigate to System -> Interfaces and configure eth0 (the external interface) with IP 1.1.1.2/24
  • Navigate to System -> Interfaces and configure eth2 (the internal interface) with IP 192.168.1.1/24

The 1.1.1.x addresses are placeholders for this example; in practice eth0 gets the public address and mask the ISP assigned.

Figure 2. Configure ethernet interfaces

  • Navigate to System -> Gateway and configure the gateway 1.1.1.1 on interface eth0; make sure the gateway is also activated, otherwise the appliance has no default route for traffic leaving toward the Internet

Figure 3. Configure a gateway

(2) Create a service group (Definitions -> Service Groups) containing the three services above: domain, www and https. Name this group Internal Services.

Figure 4. Define a service group

(3) Create a filtering rule (Packet Filtering -> Filters menu). 'Source network' eth2 stands for the subnet attached to that interface, i.e. 192.168.1.0/24:

  • ‘Source Network’: eth2
  • ‘Destination Network’: any
  • ‘Service’: Internal Services
  • ‘Source Interface’: eth2
  • ‘Destination Interface’: eth0
  • ‘Filter Action’: ACCEPT

Figure 5. Define a filtering rule for hosts on the internal network

(4) Create a SNAT rule (Network Address Translation -> Source Nat) so that packets leaving through eth0 carry the public address 1.1.1.2 instead of a private, unroutable source address:

  • ‘Source Network’: eth2
  • ‘Destination Network’: any
  • ‘Service’: Internal Services
  • ‘Source Interface’: any
  • ‘Destination Interface’: eth0

Note that the SNAT rule is restricted to the same service group as the filter. If you later allow an additional service in the filter, add it to the SNAT rule as well; otherwise those packets pass the filter but leave with a 192.168.1.x source address and the replies never come back.

Figure 6. Define a SNAT rule

(5) Configure the DHCP server: navigate to DHCP -> IP Range and define the address range and the settings the server hands out to its clients:

  • ‘Interface’: eth2
  • ‘Gateway’: 192.168.1.1
  • ‘DNS’: 2.2.2.2
  • ‘Start IP’: 192.168.1.100
  • ‘Stop IP’: 192.168.1.254

The range must lie inside the eth2 subnet and must not include the appliance's own address 192.168.1.1. The DNS server 2.2.2.2 is the example's placeholder for a resolver on the Internet; clients can reach it only because the domain service is part of Internal Services in both the filter and the SNAT rule.

Allow Access from Internet to Internal Servers

After internal clients have been allowed to reach Internet services, the administrator might want to set up an internal server that is reachable from the Internet. This can be any kind of TCP/IP server (FTP, HTTP, SMTP, etc.).

Figure 7. A more complex network layout featuring a server in the internal network

Assuming the network layout from Figure 7, the administrator implements the following configuration:

(1) Add a host definition for the internal FTP server: 192.168.1.10 (FTP_Server)

(2) Add a host definition for the external interface address: 1.1.1.2 (External_IP)

(3) Add a DNAT rule that rewrites connections arriving on eth0 for 1.1.1.2 port 21 to the internal server:

  • ‘Source Network’: any
  • ‘Destination Network’: External_IP
  • ‘Service’: ftp
  • ‘Source Interface’: eth0
  • ‘Dnat to Host’: FTP_Server
  • ‘Dnat to Port’: 21

Figure 8. Add a DNAT rule for the internal FTP server

(4) Add a filter rule to accept connections to the FTP server:

  • ‘Source Network’: any
  • ‘Destination Network’: FTP_Server
  • ‘Service’: ftp
  • ‘Source Interface’: eth0
  • ‘Destination Interface’: eth2
  • ‘Filter Action’: ACCEPT

Figure 9. Adding a filtering rule to allow traffic to the DNAT-ed FTP server

Using FTP_Server rather than External_IP as the filter's destination is correct because filters are evaluated after DNAT has rewritten the packet's destination: by the time the packet reaches the filter its destination is already 192.168.1.10, so a filter on External_IP would never match and the connection would fall through to the default drop policy. Two practical caveats: this rule exposes only the FTP control connection on TCP port 21, and FTP's separate data connection passes through NAT only if the appliance tracks FTP sessions, which this page does not cover; and plain FTP sends credentials in clear text, so an Internet-facing server is better served by FTPS or SFTP, with the service and port in the DNAT and filter rules adjusted accordingly.
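The following is an added illustration, not Syneto's code: a small Python model of the three-stage pipeline both walkthroughs rely on (DNAT before routing, then the default-drop filter, then SNAT on the way out), loaded with the rules from steps (3) and (4) of each example and the page's hypothetical addresses. Running it shows a browsing client being accepted and translated to 1.1.1.2, an SMTP attempt from the same client being dropped because it is not in Internal Services, an FTP connection from the Internet being DNAT-ed and then accepted by the FTP_Server filter, and the same connection being dropped when the filter wrongly names External_IP. The rule and packet field names, the sample traffic (203.0.113.5 and 198.51.100.7 are documentation addresses) and the routing helper are this example's own assumptions.

```python
"""Toy model of the pipeline the two Syneto examples depend on:
PREROUTING (DNAT) -> FORWARD filter (default DROP) -> POSTROUTING (SNAT).

Added illustration, not Syneto's code. It encodes the page's hypothetical
addresses (eth0 = 1.1.1.2, eth2 = 192.168.1.0/24, FTP_Server = 192.168.1.10)
and the rules of steps (3)/(4) of each walkthrough. Field names are this
example's own; the stage order is standard netfilter behaviour.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

EXTERNAL_IP = "1.1.1.2"           # host definition External_IP
FTP_SERVER = "192.168.1.10"       # host definition FTP_Server
INTERNAL_SERVICES = {("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 443)}
FTP = {("tcp", 21)}
# "Source network: eth2" in the GUI means the subnet attached to eth2.
NETWORKS = {"eth2": ip_network("192.168.1.0/24")}


@dataclass(frozen=True)
class Packet:
    in_if: str    # interface the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int


def out_iface(dst):
    """Routing decision (assumed): the eth2 subnet is directly connected,
    everything else leaves via the gateway on eth0."""
    return "eth2" if ip_address(dst) in NETWORKS["eth2"] else "eth0"


def match_net(spec, addr):
    if spec == "any":
        return True
    if spec in NETWORKS:                      # interface name -> its subnet
        return ip_address(addr) in NETWORKS[spec]
    return addr == spec                       # a host definition


def match(rule, pkt):
    return (match_net(rule["src"], pkt.src)
            and match_net(rule["dst"], pkt.dst)
            and (pkt.proto, pkt.dport) in rule["svc"]
            and rule["in"] in ("any", pkt.in_if)
            and rule.get("out", "any") in ("any", out_iface(pkt.dst)))


# Rules as entered in the GUI, in the order the page creates them.
DNAT = [{"src": "any", "dst": EXTERNAL_IP, "svc": FTP,
         "in": "eth0", "to": (FTP_SERVER, 21)}]          # second example, step (3)
FILTERS = [
    {"src": "eth2", "dst": "any", "svc": INTERNAL_SERVICES,
     "in": "eth2", "out": "eth0", "action": "ACCEPT"},     # first example, step (3)
    {"src": "any", "dst": FTP_SERVER, "svc": FTP,
     "in": "eth0", "out": "eth2", "action": "ACCEPT"},     # second example, step (4)
]
# The tempting but wrong variant: filtering on External_IP instead of FTP_Server.
WRONG_FILTERS = [FILTERS[0], dict(FILTERS[1], dst=EXTERNAL_IP)]
SNAT = [{"src": "eth2", "dst": "any", "svc": INTERNAL_SERVICES,
         "in": "any", "out": "eth0", "to": EXTERNAL_IP}]  # first example, step (4)


def process(pkt, filters=FILTERS):
    """Return (verdict, packet as it leaves the appliance) for a forwarded packet."""
    # 1. PREROUTING: DNAT rewrites the destination before routing and filtering.
    for r in DNAT:
        if match(r, pkt):
            pkt = replace(pkt, dst=r["to"][0], dport=r["to"][1])
            break
    # 2. FORWARD: first matching filter wins; no match means the default DROP.
    verdict = "DROP"
    for r in filters:
        if match(r, pkt):
            verdict = r["action"]
            break
    if verdict != "ACCEPT":
        return "DROP", pkt
    # 3. POSTROUTING: SNAT rewrites the source only after the filter accepted.
    for r in SNAT:
        if match(r, pkt):
            pkt = replace(pkt, src=r["to"])
            break
    return "ACCEPT", pkt


if __name__ == "__main__":
    # Constructed sample traffic (documentation addresses, not real hosts).
    samples = [
        Packet("eth2", "192.168.1.100", "198.51.100.7", "tcp", 443),  # browsing: ACCEPT + SNAT
        Packet("eth2", "192.168.1.100", "2.2.2.2", "udp", 53),        # DNS to the ISP resolver
        Packet("eth2", "192.168.1.100", "198.51.100.7", "tcp", 25),   # SMTP: not in the group -> DROP
        Packet("eth0", "203.0.113.5", EXTERNAL_IP, "tcp", 21),        # FTP from Internet: DNAT + ACCEPT
        Packet("eth0", "203.0.113.5", EXTERNAL_IP, "tcp", 22),        # SSH from Internet: DROP
    ]
    for p in samples:
        print(p, "->", *process(p))
    bad = process(Packet("eth0", "203.0.113.5", EXTERNAL_IP, "tcp", 21), WRONG_FILTERS)
    print("filter on External_IP:", bad[0])   # the filter only ever sees the DNAT-ed destination
```

The model deliberately evaluates the filter on the packet as DNAT left it, which is exactly why the wrong variant drops the FTP connection; the same mechanism is why the SNAT rule, evaluated last, only ever sees packets the filter already accepted.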