D-Link NetDefend DFL-210 User Manual page 134

4.2.1. The Principles of Routing
Route #
4
The above routing table provides the following information:
• Route #1
All packets going to hosts on the 192.168.0.0/24 network should be sent out on the lan interface.
As no gateway is specified for the route entry, the host is assumed to be located on the network
segment directly reachable from the lan interface.
• Route #2
All packets going to hosts on the 10.4.0.0/16 network are to be sent out on the dmz interface.
Also for this route, no gateway is specified.
• Route #3
All packets going to hosts on the 195.66.77.0/24 network will be sent out on the wan interface.
No gateway is required to reach the hosts.
• Route #4
All packets going to any host (the all-nets network will match all hosts) will be sent out on the
wan interface and to the gateway with IP address 195.66.77.4. That gateway will then consult its
routing table to find out where to send the packets next.
A route with the destination all-nets is often referred to as the Default Route as it will match all
packets for which no specific route has been configured. This route usually specifies the
interface which is connected to the public internet.
When a routing table is evaluated, the ordering of the routes is important. In general, a routing table
is evaluated with the most specific routes first. In other words, if two routes have destination
networks that overlap, the narrower network definition will be evaluated prior to the wider one (in
other words, the network that is contained within the other has priority).
In the above example, a packet with a destination IP address of 192.168.0.4 will theoretically match
both the first route and the last one. However, the first route entry is a narrower, more specific
match so the evaluation will end there and the packet will be routed according to that entry.
The Local IP Address Parameter
The correct usage of the Local IP Address parameter can be difficult to understand so additional
explanation can be helpful.
Normally, a physical interface such as lan is connected to a single network and the interface and
network are on the same network. We can say that the network is bound to a physical interface and
clients on the connected network can automatically find the NetDefend Firewall through ARP
queries. ARP works because the clients and the NetDefendOS interface are part of the same
network.
A second network might then be added to the same physical interface via a switch, but with a new
network range that doesn't include the physical interface's IP address. We would say that this
network is not bound to the physical interface. Clients on this second network won't then be able to
communicate with the NetDefend Firewall because ARP won't function between the clients and the
interface.
To solve this problem we would add a new route to NetDefendOS which would have the following
parameters:
Interface Destination
wan
134
Chapter 4. Routing
Gateway
all-nets 195.66.77.4