Static Routing - D-Link NetDefendOS User Manual

in this second network must also have their Default Gateway set to 10.2.2.1 in order to reach the
NetDefend Firewall.
This feature is normally used when an additional network is to be added to an interface but it is
not desirable to change the existing IP addresses of the network. From a security standpoint,
doing this can present significant risks since different networks will typically be joined together
through a switch which imposes no controls on traffic passing between those networks. Caution
should therefore be exercised before using this feature.
All Traffic Must have Two Associated Routes
Something that is not intuitive when trying to understand routing in NetDefendOS is the fact
that all traffic must have two routes associated with it. Not only must a route be defined for the
destination network of a connection but also for the source network.
The route that defines the source network simply says that the source network is found on a
particular interface. When a new connection is opened, NetDefendOS performs a check known
as a reverse route lookup which looks for this route. The source network route is not used to
perform routing but instead as a check that the source network should be found on the interface
where it arrived. If this check fails, NetDefendOS generates a Default Access Rule error log
message.
Even traffic destined for Core (NetDefendOS itself), such as ICMP ping requests, must follow this
rule of having two routes associated with it. In this case, the interface of one of the routes is
specified as Core.

4.2.2. Static Routing

This section describes how routing is implemented in NetDefendOS, and how to configure static
routing.
NetDefendOS supports multiple routing tables. A default table called main is predefined and is
always present in NetDefendOS. However, additional and completely separate routing tables can
be defined by the administrator to provide alternate routing.
Extra, user-defined routing tables can be used in two ways:
• Virtual Routing associates interfaces with a particular routing table. This enables a single
NetDefendOS installation to act as multiple virtual systems. Communication between these
systems is achieved with Loopback Interfaces (see Section 4.5, "Virtual Routing" and also
Section 3.4.9, "Loopback Interfaces").
• Policy Based Routing Rules can be defined which decide which of the routing tables will
deal with certain types of traffic (see Section 4.3, "Policy-based Routing").
The Route Lookup Mechanism
The NetDefendOS route lookup mechanism differs slightly from how some other router
products work. In many routers, where the IP packets are forwarded without context (in
other words, the forwarding is stateless), the routing table is scanned for each and every IP
packet received by the router. In NetDefendOS, packets are forwarded with state-awareness, so
the route lookup process is tightly integrated into the NetDefendOS stateful inspection
mechanism.
When an IP packet is received on any of the interfaces, the connection table is consulted to see if
there is an already open connection to which the received packet belongs. If an existing
connection is found, the connection table entry includes information on where to route the
packet, so there is no need for a lookup in the routing table. This is far more efficient than
290
Chapter 4: Routing
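The following is an added illustration, not NetDefendOS code or anything from the D-Link manual: a small Python model of the two behaviours described above, the "two routes per connection" rule with its reverse route lookup (and the Default Access Rule log message when the check fails), and the stateful lookup in which an existing connection table entry is consulted before the routing table is scanned at all. The interface names (lan, wan, core), the class names and the addresses are constructed for the example; the real NetDefendOS implementation is not exposed and will differ in its details.

```python
"""
Added model (not NetDefendOS code) of reverse route lookup and
connection-table-first forwarding, as described in Section 4.2.2.
All interface names and addresses below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CORE = "core"  # route target meaning "NetDefendOS itself" (e.g. a ping to an interface IP)


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str] = None


class RoutingTable:
    """One named routing table; NetDefendOS predefines 'main' and allows extras."""

    def __init__(self, name: str, routes: List[Route]):
        self.name = name
        # Most specific prefix first, so the first hit is the longest match.
        self.routes = sorted(routes, key=lambda r: r.network.prefixlen, reverse=True)

    def lookup(self, addr: str) -> Optional[Route]:
        ip = ipaddress.IPv4Address(addr)
        return next((r for r in self.routes if ip in r.network), None)


# (protocol, src, sport, dst, dport) identifies a connection in this toy model.
FlowKey = Tuple[str, str, int, str, int]


@dataclass
class Firewall:
    table: RoutingTable
    connections: Dict[FlowKey, str] = field(default_factory=dict)  # flow -> egress interface
    log: List[str] = field(default_factory=list)

    def forward(self, in_iface: str, proto: str, src: str, sport: int,
                dst: str, dport: int) -> Optional[Tuple[str, str]]:
        """Return (egress interface, how it was decided), or None if dropped."""
        key = (proto, src, sport, dst, dport)
        # 1. Stateful path: an open connection already carries its routing decision.
        if key in self.connections:
            return self.connections[key], "conntable"
        # 2. Reverse route lookup: the source network must be routed via the
        #    interface the packet actually arrived on.
        src_route = self.table.lookup(src)
        if src_route is None or src_route.interface != in_iface:
            expected = src_route.interface if src_route else "no route"
            self.log.append(
                f"Default Access Rule: src={src} arrived on {in_iface}, expected {expected}")
            return None
        # 3. Forward lookup for the destination (may resolve to core).
        dst_route = self.table.lookup(dst)
        if dst_route is None:
            self.log.append(f"No route to {dst}")
            return None
        self.connections[key] = dst_route.interface
        return dst_route.interface, "routelookup"


def build_example() -> Firewall:
    """Constructed 'main' table: two networks on lan (as in the text), a core
    route for the firewall's own lan address, and a default route via wan."""
    main = RoutingTable("main", [
        Route(ipaddress.ip_network("10.1.1.0/24"), "lan"),
        Route(ipaddress.ip_network("10.2.2.0/24"), "lan"),
        Route(ipaddress.ip_network("10.1.1.1/32"), CORE),
        Route(ipaddress.ip_network("203.0.113.0/24"), "wan"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "wan", gateway="203.0.113.1"),
    ])
    return Firewall(main)


if __name__ == "__main__":
    fw = build_example()
    print(fw.forward("lan", "tcp", "10.1.1.50", 40000, "198.51.100.7", 443))  # table lookup
    print(fw.forward("lan", "tcp", "10.1.1.50", 40000, "198.51.100.7", 443))  # connection hit
    print(fw.forward("wan", "tcp", "10.1.1.50", 40001, "198.51.100.7", 443))  # reverse check fails
    print(fw.forward("lan", "icmp", "10.2.2.7", 0, "10.1.1.1", 0))           # destined for core
    print("\n".join(fw.log))
```

The third call shows the defensive value of the reverse route lookup: a packet claiming a lan source address but arriving on wan has no matching source route on that interface, so it is dropped and logged rather than forwarded, which is why the manual recommends caution when several networks share one interface behind an uncontrolled switch.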
