
Setting up RED

I have a configuration of an XG with a RED 15, and a few network requests do not work. I did the configuration as described and already had help with the firewall. I set up two DHCP servers on the XG: one for the LAN and one for the RED, bound to the "RED" interface. The AD / DNS is on a Windows server.

Regarding the RED settings I have a question about the "Zone" field. Mine is set to LAN, but I could also choose RED.

RED settings:

The RED interface also looks fine so far:

The firewall rule has the following re

Can someone tell me what the difference is if I use the zone "RED" instead of "LAN" in the RED network settings? Does it help if I change the zone from "LAN" to "RED"? The firewall "denied" the communication from RED 192.168.11.19 to 192.168.10.255 port 138.

The rule RED to LAN imposes no restrictions other than the interface.

Thanks
Wolfgang



  • Sorry, I made a small mistake. It is about the denial of communication between 192.168.11.19 and 192.168.11.255.

    Wolfgang

  • FormerMember, in reply to Wolfgang Ritter1:

    Hi Wolfgang Ritter1,

    You can configure RED device with any custom zone or predefined zones on the firewall, so you can put the RED network in RED or LAN zone and configure firewall rules accordingly. 

    I see you have selected Rewrite source address under Advanced; you only need it for internet access from the RED network. If you are having issues connecting to the local devices from the RED network, please remove the masquerading and WAN from the destination network and try to access the internal network.

    Thanks,

  • Hi Patel

    I removed the NAT feature and I got the same error.

    I also found out that I have the same error between my IP address 192.168.10.19 and 192.168.10.255. I have a NAS on both subnets.

    I also changed the destination zone from LAN, WAN to LAN and got the same result.

    In my rule only the source and destination zone are limited. All other fields are set to Any or Any... I thought that in such a case all IP addresses, ports and services are allowed.

    Port1 and reds1 are both members of the LAN zone.

    Btw, I understand that the LAN and RED zones just define which services are activated.

    Wolfgang

  • FormerMember, in reply to Wolfgang Ritter1:

    Hi Wolfgang Ritter,

    The log entry you provided is for port 138, is there any legitimate traffic being dropped? Can you provide full page log entry for source and destination IP addresses and do not filter logs for rule id "0". 

    Thanks,

  • Hi Patel

    Here is my log view, newest on top; I lost my timestamp.

    Log_Viewer.xlsx

    Wolfgang

  • Broadcast Traffic will be dropped.

    XG will deny such traffic, because broadcast is most likely not wanted in other networks. 

    https://en.wikipedia.org/wiki/Broadcasting_(networking)

    So if you want to hide such drops, you can disable the logging of broadcast Traffic in the ACLs or you can build a Network Bridge between RED and LAN. 

    But a network bridge has some disadvantages 


  • I am trying to find out why my clients don't update the reverse lookup zone on my DNS server (MS Server 2019) for my networks (192.168.10.0 and 192.168.11.0) linked with the RED. I already tried a more complex thread, but that thread is at a dead end. Now I am trying simple step-by-step analysis with help from the community.

    Another point is that my laptop doesn't get the GPOs from my AD behind the RED.

    I don't need broadcast information if it is not necessary for AD and DNS.

    I am more than happy to take this message out of the log, but at the moment I am trying to log everything to find any hint for a solution.

    Disabling logging of broadcast traffic in the ACLs: where do I do that?

    I found two solutions for myself:

    1. Disabling SNMP in "Administration" - "Device Access"
    2. Disabling Local ACL in "System Settings" - "Log settings"

    One idea from my side is to change the netmask so that 192.168.10.0 through 192.168.11.255 are all in one net. But I don't know if that will help solve my AD/DNS problem. First step: eliminate all errors that I think are errors.

    Thanks

  • Is the XG the DNS server for the RED?

    Did you create a DNS request route for your internal AD domain?

    You need to tell XG to forward your specific Domain to your DC. 


  • I have a DNS request route and it points to my Windows server.

    What does "Obtain DNS from DHCP" under DNS mean?

    1. Is the DHCP my DHCP server on the firewall, or
    2. does it mean the DHCP client which gets the information from my provider (WAN)?

  • Your clients behind RED will probably get the IP addresses from the XG.

    But your domain name is probably wrong.

    A DNS request route needs to have the domain name (with top-level domain).

  • My domain name is "wostdo.local", NetBIOS "wostdo".

    The XG works as DHCP server for the RED network 192.168.11.0/24 and also for (whatever you want to call it) the XG internal network 192.168.10.0/24.

    So far I think it is OK. One for the RED and one for the XG.

    For the XG I have the same settings with a different IP range.

    My AD is also correct with the top-level domain WOSTDO.LOCAL.
    The XG DHCP servers are also working according to the IPv4 leases:

    Perhaps the DHCP isn't working correctly. Could it be that I have to define the XG gateway 192.168.10.1 on the RED side as well, instead of 192.168.11.1?