
New network setup with group isolation issues


re0:
Hi Kitz Forum!

I recently set up a new network on a new broadband connection with multiple isolated groups, which is pretty much identical to the previous setup in the sense that it uses the same router (Billion 8800AXL R2) and the same devices. The only real change to the internal network is the addition of a new group which is to be used for devices exposed through the one-to-one NAT (such as VMs, which have been moved to it).

I thought it was all perfect until I came across a “problem” yesterday where I could not access one of my Virtual Machines via one of my external IP addresses from my PC, despite it being correctly configured in the one-to-one NAT, and despite it working when accessing the internal IP on my second network adapter (so it is certainly reachable). External websites could ping and port scan it. I tried the external IP address on my smartphone using mobile data and it could reach the webpage and SSH and, quite surprisingly, I discovered that my wireless devices (which also include the smartphone) could also access the services running on the VM via the external IP address.

Of course, at this point, I was a bit perplexed. So I spent the remainder of yesterday and most of today so far trying to diagnose “why” it was possible externally and “why” it was possible from wireless devices, but before I continue babbling I should provide enough network information to give a better-than-vague overview of the network (although please bear in mind that some of the information may be for the sake of example).

So here are the groups in [Group] ([Name]) – [Address/Netmask] – [LAN FW] format (please note that every group is isolated):

Group 1 (Default) – 10.0.0.0/24 – LAN side firewall DISABLED
Group 2 (VM) – 10.0.1.0/24 – LAN side firewall ENABLED
Group 3 (WLAN) – 10.0.2.0/24 – LAN side firewall ENABLED

So with every group isolated, they will not be able to contact each other (or at least not directly).

Since I have a couple of static IP addresses, I wanted to one-to-one NAT one of them with one of my VMs so I could expose it to the internet. For example, a VM is running in Group 2 (VM) on 10.0.1.1:

Ext.: 123.123.123.123 – Int.: 10.0.1.1 on ppp1.1 interface with no Exceptional Rule Group

To expand on one of the previous paragraphs mentioning which devices were working and which were not:

Group 1:
PC – NO
Server – NO

Group 2:
Same PC as above – YES

Group 3:
Smartphone – YES
Laptop – YES

Checking the logs on the VM, any time a device from either Group 2 or Group 3 made a connection to any of the services, it logged the gateway device as the source (10.0.1.254 for the former and 10.0.2.254 for the latter). But there was no evidence of devices from Group 1 even contacting any of the services.

I did some further experimentation and set up the same external IP address through the one-to-one NAT for the server in Group 1, and then I could reach it via the external IP address with no issue from my PC (though I admit NOT seeing whether the source was the gateway or the device IP, but I imagine the former), but with this change the devices on the other groups could not contact it.

So I thought a lot about it, and decided it cannot be the group isolation, as the other isolated groups work fine (and it is mandatory that I keep this functionality for my network). I thought to try adding another isolated group (Group 4), but this one without a LAN side firewall (like the default group). I was not surprised but baffled when that also did not work when trying to access the VM on Group 2 via the external IP address.

I tried a few other changes, such as disabling the LAN side firewall, and to my surprise this caused the existing devices in other groups to not be able to contact the VM using the external IP address. I also noticed that re-enabling it did not rectify the issue without a reboot of the router. So I went ahead and configured the networking something like below and rebooted:

Group 1 (Default) – 10.0.0.0/24 – LAN side firewall DISABLED
Group 2 (VM) – 10.0.1.0/24 – LAN side firewall ENABLED
Group 3 (WLAN) – 10.0.2.0/24 – LAN side firewall ENABLED
Group 4 (Test) – 10.0.3.0/24 – LAN side firewall ENABLED

I put the PC on Group 4, and success – it was able to reach the services via the external IP address. Of course, the source was showing as 10.0.3.254.

Of course, the quick and dirty fix for this issue would be to simply make an entry in the hosts file on every device in Group 1 with the internal IP address (which is reachable through the 2nd adapter locally) and the domain name used for the external IP address. But I do not necessarily plan to use a domain for every external IP address, if at all, in the future.

So the result of this experimentation is that the LAN side firewall simply does not allow connection to the VM via the external IP address. But why is this happening and how do I resolve it? I know a bit about networking, but I cannot see how the LAN side firewall being off actually creates the issue.

The TL;DR version:
LAN side firewall being disabled prevents accessing the external IP address (configured through the one-to-one NAT) for another device on the network which is isolated through group isolation that otherwise works when the firewall is enabled.

If anyone could provide some insight to what I can do to resolve this issue, it would be much appreciated.

re0

burakkucat:
Welcome to the Kitz forum.  :)

As for your current problem, I have carefully read through the details and, to be honest, I feel somewhat lost. We do have members well versed in networking, so hopefully one of them will be able to make some suggestions.

re0:
Hi burakkucat,

Thanks for the warm welcome.

I do ramble on, so being lost would certainly be reasonable in any case, regardless of whether it is in writing or in conversation (I like to think of myself as being precise, but I am the complete opposite at the moment!). Perhaps if I had drawn something crummy in Paint it would have better illustrated the point.

I did check through all the details, but I rushed it just before posting because I was in a hurry. There may be a few discrepancies, but the ultimate goal is to try and see why disabling the LAN side firewall while the group isolation is in place prevents access to the external IP address which is in a one-to-one NAT with a device in a different group and how to get around this (since I still need access to the router settings).

I continued looking into this late yesterday evening and night with someone else and we finally looked at IP filtering. So far, it looks like enabling the LAN side firewall on the group and creating rules in both the inbound and outbound (for forwarding) filtering for the IP addresses and interfaces that need to access it allows access to both the external IP address and the router interface.

Now I am just bemused that switching the LAN side firewall to the on state (in a case where it is turned off) requires either a reboot of the router or for group isolation to be turned off and back on in order for access to the external IP address to work. I honestly do not know what the expected behaviour of this should be.

Either way, it would certainly be appreciated if someone knows a better way to do it since I am not a half-job type of person. But if this is the best way, then I can pat myself on the back and just get back to sorting out the VMs!

re0

d2d4j:
Hi re0

I started to read your post last night but gave up, sorry.

Is this home or business, and could I ask why you need such a setup?

I take it the groups are VLANs, but one worry is that I do not think your router has multiple firewalls, unless you mean you set up global rules to allow all traffic, sorry.

If you're connecting from internal to your external IP, it should not go live over the internet, as the router is aware of both the internal and external IP, so it should deal with it at router level. Setting rules would work but kinda breaks isolation, if you see what I mean. Hence why I asked why you need it set up that way.

Many thanks

John

re0:
Hi John,

I can understand why you gave up – it was not a very precise piece of information, now that I look back on it. I did rush it a bit towards the end, which I can only apologise for.

It's a home network, but with potentially unnecessary segmentation (although this is subjective – I feel it is necessary). For me, it's just so I can set up a network with multiple external IPs and isolate groups to reduce the risk and impact of being compromised.

The groups are configured under “Interface Grouping” on the router, which I imagine are not too dissimilar from VLANs. Each group is isolated and running on different local IP ranges.

With regard to firewalls, I was simply talking about LAN side firewalls. As quoted from the router manual (http://www.billion.uk.com/esupport/index.php?/Knowledgebase/Article/View/413/123/bipac-8800axl-r2-full-user-manual, page 65):

--- Quote ---LAN side firewall: Enable to drop all traffic from the specified LAN group interface. After activating it, all incoming packets by default will be dropped, and the user on the specified LAN group interface can't access CPE anymore. But, you can still access the internet service. If user wants to manage the CPE, please turn to IP Filtering Incoming to add the allowing rules. Note that all incoming packets by default will be dropped if the LAN side firewall is enabled and user cannot manage this CPE from the specified LAN group.
--- End quote ---

So, I have enabled the LAN side firewall for each group:
- To restrict access to the router interface (IP filtering is in place to allow one machine access)
- Because if the LAN side firewall is disabled, then pinging or attempting to access resources on the external IP address (which is on a one-to-one NAT in a different group) will essentially fail

Any devices configured through the one-to-one NAT will require their own firewall to be enabled (as with the DMZ), which I understand.

I understand that attempting to connect to an additional external IP address that is on the same router should not go “live over the internet”, but the point I was trying to make previously was that with the LAN side firewall disabled there are issues connecting to the additional external IP address. The only way I have managed to get this all working with Interface Grouping also enabled is by enabling the LAN side firewall on the main LAN which was disabled before – would this be normal?

In reference to IP filtering rules, I have had to use these on the local network as I needed to allow access from one local device to the internal router IP address for the router interface (no, I am not allowing it to be accessed externally).

I can only hope this clarifies the situation.

re0
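The two things the thread establishes about the router's data path are (a) hairpinned connections to a one-to-one NAT address arrive at the VM with the router's address on the *originating* group as the source (10.0.1.254, 10.0.2.254, 10.0.3.254 in the first post), and (b) the manual's LAN side firewall semantics: drop everything addressed to the CPE from that group unless an IP Filtering Incoming rule allows it. The model below is an added example written for this page, not the Billion's firmware or configuration; it uses the group layout, addresses and the 123.123.123.123 placeholder quoted in the thread, and the forwarding rules are an assumption about how a generic router with interface-group isolation, hairpin NAT and a per-group management firewall behaves. It reproduces the source addresses the VM logged in the working cases; it deliberately does not model the Group 1 (firewall disabled) failure, because the thread never establishes its cause.

```python
"""Toy model of interface-group isolation, one-to-one NAT hairpinning and
the LAN side firewall as described in the thread (added example; the
rules are assumptions, not the router's implementation)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Group:
    name: str
    net: object                 # IPv4Network for the group
    gateway: str                # router's address inside this group
    lan_side_firewall: bool
    # Hosts allowed to reach the CPE by an "IP Filtering Incoming" rule
    # (assumed semantics, per the manual excerpt quoted in the thread).
    allow_to_cpe: frozenset = frozenset()


# Layout from the thread; 10.0.3.10 as the one management host is assumed.
GROUPS = (
    Group("Default", ip_network("10.0.0.0/24"), "10.0.0.254", lan_side_firewall=False),
    Group("VM", ip_network("10.0.1.0/24"), "10.0.1.254", lan_side_firewall=True),
    Group("WLAN", ip_network("10.0.2.0/24"), "10.0.2.254", lan_side_firewall=True),
    Group("Test", ip_network("10.0.3.0/24"), "10.0.3.254", lan_side_firewall=True,
          allow_to_cpe=frozenset({"10.0.3.10"})),
)
WAN_ADDR = "123.123.123.123"                 # placeholder external address from the thread
ONE_TO_ONE = {"123.123.123.123": "10.0.1.1"}  # Ext -> Int mapping from the thread
CPE_ADDRS = frozenset(g.gateway for g in GROUPS)


def group_of(ip: str) -> Optional[Group]:
    """Return the interface group an address belongs to, or None for the internet."""
    addr = ip_address(ip)
    for g in GROUPS:
        if addr in g.net:
            return g
    return None


def forward(pkt: Packet) -> tuple[str, Optional[Packet]]:
    """Decide what the router does with a packet: (verdict, packet as delivered)."""
    src_group = group_of(pkt.src)

    if src_group is None:
        # From the internet: only one-to-one NAT targets are reachable (DNAT only,
        # so the VM sees the real remote address, as the thread's external tests did).
        if pkt.dst in ONE_TO_ONE:
            return "dnat", Packet(pkt.src, ONE_TO_ONE[pkt.dst], pkt.dport)
        return "drop", None

    if pkt.dst in CPE_ADDRS:
        # LAN side firewall: traffic to the CPE from this group is dropped unless
        # an incoming filter rule allows the source host.
        if src_group.lan_side_firewall and pkt.src not in src_group.allow_to_cpe:
            return "drop", None
        return "cpe", pkt

    if pkt.dst in ONE_TO_ONE:
        # Hairpin: DNAT to the internal host, then SNAT to the router's address on
        # the source group. That is the address the VM logged (10.0.2.254 for a
        # WLAN client, 10.0.3.254 for the Test-group PC), and it is what forces
        # the VM's replies back through the router instead of across groups.
        return "hairpin", Packet(src_group.gateway, ONE_TO_ONE[pkt.dst], pkt.dport)

    dst_group = group_of(pkt.dst)
    if dst_group is None:
        return "wan", Packet(WAN_ADDR, pkt.dst, pkt.dport)   # ordinary masquerade
    if dst_group is not src_group:
        return "drop", None                                # interface-group isolation
    return "same-group", pkt                               # switched, never routed


if __name__ == "__main__":
    cases = [
        Packet("10.0.2.7", "123.123.123.123", 22),    # WLAN client -> external IP
        Packet("10.0.1.9", "123.123.123.123", 80),    # PC on the VM group -> external IP
        Packet("10.0.2.7", "10.0.1.1", 22),           # WLAN client -> VM's internal IP
        Packet("10.0.3.11", "10.0.3.254", 80),        # non-allowed host -> router UI
        Packet("10.0.3.10", "10.0.3.254", 80),        # allowed host -> router UI
    ]
    for c in cases:
        print(c, "->", forward(c))
```

Run it and compare the "hairpin" lines with the VM's own logs: a hairpinned connection should show the gateway of the client's group as its source, a direct cross-group connection should be dropped, and a host in a firewalled group should reach the router only when an incoming filter rule names it. The model is also a useful checklist when adding a group: if a new group's hairpin traffic is not logged at the VM at all (as happened with Group 1 in the thread), the packet never reached the DNAT step, which points at the group's firewall or isolation handling rather than at the VM.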
