So inbound rules are needed anyways?


#1

Hi Guys,

I have a Peplink Balance deployed in NAT mode with a firewall behind it and servers behind the firewall.

INTERNET ==> Peplink ==> Firewall ==> Servers

So do I need to define Inbound rules anyway? Or will NAT Mappings alone do, with no need to define Inbound rules?


#2

There is no need to define firewall rules out of the box, as the default rule for both inbound and outbound traffic is to allow all.


#3

Nah, I am not talking about Firewall Rules; I am talking about Inbound access for my servers, which are behind the firewall. Say, for example, if I just do the NAT mapping for 192.168.10.2 with 2.2.2.2, do I need to define Inbound access as well? Implementing Inbound access means I am implementing rules on the Peplink; instead I’ll just NAT and let the entire traffic come inside, where I can control it on the firewall. What say?


#4

If you have a NAT map there is no need for inbound service rules. Typically with additional public IP addresses on the WAN interface you would do a 1-1 map to the outside IP addresses on your firewall. Inbound service rules would normally be used to forward specific ports from the WAN interface IP address itself to your firewall.


#5

Hey Ron,

So what about outbound NAT or masquerade? I mean, again pertaining to my topology, since NATting won't be enabled on the firewall, I’ll just let the traffic pass from the firewall to the Peplink and then configure the outbound rule for the entire range on the Peplink? Is this the right approach?

Plus, how about 1-1 NAT for outbound rules as well? I mean, say I have the range 192.168.2.0 behind the firewall, which has a mail server in it, and 192.168.2.0 is completely NATted or masqueraded to talk to the Internet. My outbound traffic would work, but what if I have the mail server 192.168.2.50 from the same range, which should be statically NATted? Which one will override: the outbound NAT for the entire range or the static NAT for 192.168.2.50?

INTERNET ===> [2.2.2.2 [PEP-LINK] 10.1.1.1] ===> [10.1.1.2 [FIREWALL] 192.168.2.1] ===== LAN 192.168.2.0/24 and mail server 192.168.2.50

192.168.2.0/24 NATted with 2.2.2.2 [Peplink outbound IP]
192.168.2.50 NATted with 2.2.2.5


#6

Hi,

Performing NAT at the Balance and filtering at the firewall should be fine.

By default the Balance performs many-to-one NAT for outbound traffic, e.g. 192.168.2.0/24 NAT to 2.2.2.2 (assume this is the WAN IP).

For 1-to-1/static NAT, you need to do the steps below:

  1. Go to Network -> WAN -> Select WAN interface. Below is the example:


  2. Go to Network -> NAT Mappings -> Add NAT Rule. Below is the example:


Hope this helps.


#7

Ah, perfect… thanks a lot, guys, for the elaborate explanation.