Enabling Internet Access; Non-Transparent Mode Internet Access - D-Link NetDefend DFL-210 User Manual

Network security firewall

4.7.2. Enabling Internet Access

alternative method is to enable transparent mode directly on an interface (a check box for this is
provided in the graphical user interfaces). When enabled in this way, default switch routes are
automatically added to the routing table for the interface and any corresponding non-switch routes
are automatically removed. This method is used in the detailed examples given later.
High Availability and Transparent Mode
Switch Routes cannot be used with High Availability and therefore true transparent mode cannot be
implemented with a NetDefendOS High Availability Cluster.
Instead of Switch Routes, the solution in a High Availability setup is to use Proxy ARP to separate
two networks. This is described further in Section 4.2.5, "Proxy ARP". This approach has two key
disadvantages. First, clients will not be able to roam between NetDefendOS interfaces while
retaining the same IP address. Second, and more importantly, their network routes will need to be
manually configured for proxy ARP.
Transparent Mode with DHCP
In most Transparent Mode scenarios, the IP address of users is predefined and fixed and is not
dynamically fetched using DHCP. Indeed, the key advantage of Transparent Mode is that these
users can plug in anywhere and NetDefendOS can route their traffic correctly after determining their
whereabouts and IP address through ARP exchanges.
However, a DHCP server could be used to allocate user IP addresses in a Transparent Mode setup if
desired. With Internet connections, it may be the ISP's own DHCP server which will hand out public
IP addresses to users. In this case, NetDefendOS MUST be correctly configured as a DHCP Relayer
to forward DHCP traffic between users and the DHCP server.
4.7.2. Enabling Internet Access
A common misunderstanding when setting up Transparent Mode is how to correctly set up access to
the public Internet. Below is a typical scenario where a number of users on an IP network called
lannet access the Internet via an ISP's gateway with IP address gw-ip.
Figure 4.12. Non-transparent Mode Internet Access
The non-switch route usually needed to allow Internet access would be:
Route type   Interface   Destination   Gateway
Non-switch   if1         all-nets      gw-ip
Now let's suppose the D-Link Firewall is to operate in transparent mode between the users and the
ISP. The illustration below shows how, using switch routes, the D-Link Firewall is set up to be
transparent between the internal physical Ethernet network (pn2) and the Ethernet network to the
ISP's gateway (pn1). The two Ethernet networks are treated as a single logical IP network in
Transparent Mode with a common address range (in this example 192.168.10.0/24).
Chapter 4. Routing
