D-Link NetDefend DFL-210 User Manual page 315

7.4.7. SAT and FwdFast Rules
We will now try moving the NAT rule between the SAT and FwdFast rules:
# Action
1 SAT
2 SAT
3 NAT
4 FwdFast
5 FwdFast
What happens now?
• External traffic to wan_ip:80 will match rules 1 and 4, and will be sent to wwwsrv. Correct.
• Return traffic from wwwsrv:80 will match rules 2 and 3. The replies will therefore be
dynamically address translated. This changes the source port to a completely different port,
which will not work.
The problem can be solved using the following rule set:
# Action
1 SAT
2 SAT
3 FwdFast
4 NAT
5 FwdFast
• External traffic to wan_ip:80 will match rules 1 and 5 and will be sent to wwwsrv.
• Return traffic from wwwsrv:80 will match rules 2 and 3.
• Internal traffic to wan_ip:80 will match rules 1 and 4, and will be sent to wwwsrv. The sender
address will be the NetDefend Firewall's internal IP address, guaranteeing that return traffic
passes through the NetDefend Firewall.
• Return traffic will automatically be handled by the NetDefend Firewall's stateful inspection
mechanism.
Src Iface Src Net
any all-nets
lan wwwsrv
lan lannet
any all-nets
lan wwwsrv
Src Iface Src Net
any all-nets
lan wwwsrv
lan wwwsrv
lan lannet
lan wwwsrv
Dest Iface Dest Net
core wan_ip
any all-nets
any all-nets
core wan_ip
any all-nets
Dest Iface Dest Net
core wan_ip
any all-nets
any all-nets
any all-nets
any all-nets
315
Chapter 7. Address Translation
Parameters
http SETDEST wwwsrv 80
80 -> All SETSRC wan_ip 80
All
http
80 -> All
Parameters
http SETDEST wwwsrv 80
80 -> All SETSRC wan_ip 80
80 -> All
All
80 -> All