I have currently one network (192.168.0.0/24) on port 1.
I need onother network now (10.203.16.160, 255.255.255.240) connected to port 2, which only has connection to the network on port 1 and NO connection to the internet via Wan1.
If somebody opens a browser and keying in a ip address 10.203.16.162 this box on port 2 should be reachable from 192.168.0.0/24 via http (web site provided by this box). The box on 10.203.16.160, 255.255.255.240 shouldn't be able to access the internet via Wan1.
If somebody uses standard internet pages like bing.at or whatever from 192.168.0.0/24 should get routed via Wan1 as usual here.
I currently use NAT mode, not classical routing.
Any idea how to get this running, if it is possible?
Thanks for helping.
With best regards
Gerhard
Model: FVS336Gv3|ProSafe dual WAN gigabit firewall with SSL and IPSec VPN
as I wrote I use the FVS336Gv3, the rest were normal PCs running Win 7. The box we have to add now is some strange box provided by our health care system, running some kind of Linux I think.
I do tests yesterday, They offer a network 192.168.1.0 and you have to be in there, sending an request to 10.203.16.162 and getting a web page.
My computers have to use a different net and a different internet connection. So I need the request sended from 192.168.0.0 routed to 192.168.1.0. I hope two Vnets with routing between VNets enabled will do this for me.
At port 1 is my local net, this should be kept without changes.
Now I have to connect to a network provided by the governments health care. This net uses a different local network.
They placed a router, which transforms traffic from 192.168.16.x to 10.203.16.x. This is the address of a box they provide and this box runs some web server providing a web page we have to use. This box is installed locally. They also route traffic over a separete internet connection, we can't use.
So I plan to connect this net to port 2 of the FVS336Gv3 and set the VLAN properties accordingly, with inter route between the two ports enables.
My need: Access of computers in 192.168.0.x (potr 0), our local network, to 192.168.16.x(port 1) and the router which translates everything to 10.203.16.x, but the FVS336Gv3 should not route this packages to the public internet. Or if, is this a problem getting errors, cause there is no such server out?
Or should I use a router between 192.168.0.x and 192.168.16.x and if yes, which one? This router will have no internet connection and so there is no problem sending the 10.203.16.x packets elswhere.
So far as I can see, there is no connections between the VLANS 192.168.0.0 and 192.168.16.0.
I configured correct port membership and inter VLAN routing.
Bad luck, think there is no NAT done between this two ports/nets, so it doesnt work out.
Any Idea how to have a routing between two nets 192.168.16.0 and 192.168.0.0, with NAT so that I can reach a box in the ..16.. range with a PC in the ..0.. range?
You may want to look at this video tutorial. You have already done creating the profiles and enabled Inter-VLAN routing, next is to configure the rules.
this video tells me how to configure rules to get requests from outside. My problem is that I need a NAT translation between VLANS. A machine in VLAN1 send a request and this request has to be translated into the address range of VLAN2 so it looks like as a machine in VLAN 2 has sent this request.
I have now two network interfaces on my machine, and the computer has route entries to use the correct interface for the current requests. This works out. No VLAN or what ever else. This has also the advantage, that this special packets can't leak into the WAN. The disadvantage is more hardware to use.
Maybe there is a chance to have it with the FVS336Gv3 anyway, but I dont think, that there is NAT between VLANS active.
Both VLANs have NAT (this explains why computers on each VLAN can go online). I do not see any option on the FVS336Gv3 to translate a request from one VLAN to the other VLAN's address range. So I would say that this may not be possible as of the moment.
I still think it would be good with a graphical view of your network.
Anyways, I have an idea for how to work around this but I'd need to set it up in the lab to test if it works. I'll see if I have time to get it done today, otherwise I'll try it out over the weekend.
I'm a bit confused by all IPs mentioned in your posts, but am I right in understanding that you want to: Be able to access a website hosted on 10.203.16.160 from the 192.168.0.0/24 network. But 10.203.16.160 will only respond to requests coming from a 192.168.16.0/24 address? At the same time you don't want the 10.203.16.160 server to access the Internet through your WAN1.
If that is the case, I'm pretty sure I can get a working setup for you.
but that is exactly what I need. My computer in address range 192.168.0.x should look as it is a computer in 192.168.16.x if it try to access 10.203.16.162, which is NOT on the internet. This is a box hehind a router (which I dont have access to). There is definetly no reason to route requests from 192.168.16.x to the internet through WAN1 or 2, in opposite, this route path should be blocked!!
I only use WAN1. I have tried to use WAN2 for this job, but it stays 'down', and later I discovered that I can change the method for detecting errors to ping, so I know that maybe this is an option.
You should be able to set this up using the WAN2 port, but you'll need to enable load balancing otherwise you can only have one WAN interface active at the time.
Set WAN2 IP settings static in the 192.168.16.x range, Default gateway needs to be the IP of the server's 192.168.16.x-range IP.
Then you need to steer traffic, so you can use protocol protocol binding to create rules saying that:
*Any traffic going for 10.203.16.160/28 should go out WAN2
*Any other traffic should go out WAN1
In order to avoid the WAN2 connection being marked as down, go to advanced settings and change failure detection method to "None".
This way you will be able to reach the server, as you go out WAN2 you will be NATed to a 192.168.16.x address. Devices connected to WAN2 (so the server) will not be able to access the Internet through the FVS WAN1.
It took two outbound firewall rules to make this work.. Something that confused me a bit is that Outbound firewall rules are apparently processed from bottom to top rather than from top to bottom.
Anyways I set them up like this:
[1] ANY service from ANY source to ANY destination NAT with WAN1
[2] ANY service from ANY source to 10.10.10.0/24 NAT with WAN2
(once again, note the order)
I noted that after a reboot it does take some time before the rules kick in (up to 5 minutes).
With this set up, I can ping the FVS336Gv2's LAN interface (10.0.0.1) from any PC connected to the LAN of the FVS336Gv3. The traffic will be NATed to 192.168.16.1 before hitting FVS336Gv2. If I try to access anything other than the 10.0.0.0/24 network it will go out WAN1 interface (so, to the Internet). The FVS336Gv2 will not be able to access the Internet through the FVS336Gv3.
Important addition to my previous post (since I can't seem to edit the post).
I noted that if you change the order of the two rules while there are PCs connected you will have some weird issues; Some PC traffic going out the right WAN interface but NATed with wrong IP (or not NATed at all). I solved it by simply unplugging the PC ethernet cable and then plugging it back in, but I guess that just ipconfig /release and then renew would be enough. Rebooting the FVS should solve it too.
