Translation Of Multiple Ip Addresses (M:n) - D-Link NetDefend DFL-210 User Manual

7.3.2. Translation of Multiple IP
Addresses (M:N)
• lan_ip (10.0.0.1): the D-Link Firewall's private internal IP address
• wwwsrv (10.0.0.2): the web servers private IP address
• PC1 (10.0.0.3): a machine with a private IP address
The order of events is as follows:
• PC1 sends a packet to wan_ip to reach "www.ourcompany.com":
10.0.0.3:1038 => 195.55.66.77:80
• NetDefendOS translates the address in accordance with rule 1 and forwards the packet in accordance with
rule 2:
10.0.0.3:1038 => 10.0.0.2:80
• wwwsrv processes the packet and replies:
10.0.0.2:80 => 10.0.0.3:1038
This reply arrives directly to PC1 without passing through the D-Link Firewall. This causes problems. The reason
this will not work is because PC1 expects a reply from 195.55.66.77:80, not 10.0.0.2:80. The unexpected reply is
discarded and PC1 continues to wait for a response from 195.55.66.77:80, which will never arrive.
Making a minor change to the rule set in the same way as described above, will solve the problem. In this
example, for no particular reason, we choose to use option 2:
# Action Src Iface
1 SAT any
2 NAT lan
3 Allow any
• PC1 sends a packet to wan_ip to reach "www.ourcompany.com":
10.0.0.3:1038 => 195.55.66.77:80
• NetDefendOS address translates this statically in accordance with rule 1 and dynamically in accordance with
rule 2:
10.0.0.1:32789 => 10.0.0.2:80
• wwwsrv processes the packet and replies:
10.0.0.2:80 => 10.0.0.1:32789
• The reply arrives and both address translations are restored:
195.55.66.77:80 => 10.0.0.3:1038
In this way, the reply arrives at PC1 from the expected address.
Another possible solution to this problem is to allow internal clients to speak directly to 10.0.0.2 and this would
completely avoid all the problems associated with address translation. However, this is not always practical.

7.3.2. Translation of Multiple IP Addresses (M:N)

A single SAT rule can be used to translate an entire range of IP addresses. In this case, the result is a
transposition where the first original IP address will be translated to the first IP address in the
translation list and so on.
For instance, a SAT policy specifying that connections to the 194.1.2.16/29 network should be
translated to 192.168.0.50 will result in transpositions as per the table below:
Original Address
194.1.2.16
194.1.2.17
194.1.2.18
194.1.2.19
194.1.2.20
194.1.2.21
Src Net Dest Iface Dest Net
all-nets core wan_ip
lannet any all-nets
all-nets core wan_ip
294
Chapter 7. Address Translation
Parameters
http SETDEST wwwsrv 80
All
http
Translated Address
192.168.0.50
192.168.0.51
192.168.0.52
192.168.0.53
192.168.0.54
192.168.0.55