Appendix C: Multiple Public IP Addresses - D-Link DFL-1100 User Manual

Network security firewall

Appendix C: Multiple Public IP addresses

Mapping a public IP address other than the firewall's own to a server located on either
internal interface can be accomplished in two basic steps (order does not matter):

- Add a Port Mapping/Virtual Server rule that forwards the specified services to a single
  LAN or DMZ host, so that the host is accessible through a WAN IP not used by the DFL-1100.
- Add a static route in the firewall's routing table indicating the internal interface to
  which the public IP should be mapped.

For an increased level of protection from network intrusions or malicious attacks, isolation
of publicly accessible servers from the private network is recommended. This ensures that if
one of those servers is compromised through a software vulnerability, an attacker cannot
directly access the private internal network. The DFL-1100 provides a physical DMZ network
interface specifically for this purpose. This can be accomplished with NAT disabled or
enabled on the DMZ interface.

Example Scenario using NAT:

The firewall is configured using the following scheme in order to allow Internet hosts
access to web services running on either the internal LAN or DMZ network. The goal is to
map two internal web servers (port 80) to two public IP addresses provided by our ISP.

Host/Interface       Private IP        Public IP
Firewall LAN         192.168.2.1       80.80.80.80
Firewall DMZ         192.168.10.1      80.80.80.80
Web Server on LAN    192.168.2.50      80.80.80.81
Web Server on DMZ    192.168.10.100    80.80.80.82
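
The following consistency check for the two steps is an added example, not part of the D-Link manual and not DFL-1100 configuration syntax. It takes the addresses from the table above, assumes /24 netmasks, and uses hypothetical record layouts for the port-mapping rules and static routes. It also warns when a published server sits outside the DMZ, following the isolation recommendation.

```python
import ipaddress

# Addresses from the table above; the /24 prefix lengths are an assumption.
WAN_IP = "80.80.80.80"
INTERFACES = {"LAN": "192.168.2.1/24", "DMZ": "192.168.10.1/24"}
# Hypothetical records standing in for the two configuration steps.
PORT_MAPPINGS = [
    {"public_ip": "80.80.80.81", "port": 80, "host": "192.168.2.50"},
    {"public_ip": "80.80.80.82", "port": 80, "host": "192.168.10.100"},
]
STATIC_ROUTES = [
    {"dest": "80.80.80.81", "interface": "LAN"},
    {"dest": "80.80.80.82", "interface": "DMZ"},
]


def interface_for(host, interfaces):
    """Return the name of the interface whose subnet contains host, or None."""
    addr = ipaddress.ip_address(host)
    for name, cidr in interfaces.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return None


def check_plan(wan_ip, interfaces, mappings, routes):
    """Return (errors, warnings) for a port-mapping plus static-route plan."""
    errors, warnings = [], []
    route_by_dest = {r["dest"]: r["interface"] for r in routes}
    for m in mappings:
        pub, host = m["public_ip"], m["host"]
        iface = interface_for(host, interfaces)
        routed = route_by_dest.get(pub)
        if ipaddress.ip_address(pub) == ipaddress.ip_address(wan_ip):
            errors.append(f"{pub}: already used by the firewall itself")
        if iface is None:
            errors.append(f"{pub}: host {host} is on no internal interface")
        elif iface != "DMZ":
            warnings.append(f"{pub}: public server {host} sits on {iface}, not the DMZ")
        if routed is None:
            errors.append(f"{pub}: port mapping without a static route")
        elif iface is not None and routed != iface:
            errors.append(f"{pub}: routed to {routed} but {host} is on {iface}")
    for dest in route_by_dest.keys() - {m["public_ip"] for m in mappings}:
        errors.append(f"{dest}: static route without a port mapping")
    return errors, warnings


if __name__ == "__main__":
    print(check_plan(WAN_IP, INTERFACES, PORT_MAPPINGS, STATIC_ROUTES))
```
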


This manual is also suitable for: NetDefend DFL-1100
