Subnet with Balance 380 (DMZ)

I need to create a “DMZ” with its own subnet to hold a reverse proxy server which will sit in front of a public facing web server.

The reverse proxy will have an IP of 192.169.1.xxx
The rest of the LAN is on 10.0.0.xxx

How do I get the Balance 380 to forward WAN traffic to the reverse proxy, and to also route the proxy forward to the web server at 10.0.0.xxx?

Thanks for any advice

Bill

Create a VLAN for the DMZ 192.168.1.0/24
Port forward in the usual way ports 443/80 from one of your WAN IPs to the IP in that VLAN you have given the Proxy (ie 192.168.1.100)

Then create a firewall ruleset that blocks all ports to and from the web proxy apart from those needed for it to function (i.e. only traffic from 192.168.1.0/24 destined to the IP of the web server at 10.0.0.100 on ports 80/443). Block everything else.

Then your new VLAN is acting as a DMZ.

1 Like

Martin,

Thanks for the help!

I’ve got it set up and can ping from the 10.0.0.xxx to 192.168.1.xxx, but not the other way. Seems I am missing something here. Before I point a public IP at the Reverse Proxy I wanted to be sure I can connect to the required server at 10.0.0.xxx

Suggestions?

Thanks again,

Bill

Martin,

Correction. I cannot ping either way. I expected that with “Inter-VLAN routing” enabled I would be able to connect to the server at 192.168.1.xxx from 10.0.0.xxx

Missing something in my settings. Any idea what?

Thanks,

Bill

For now, set internal firewall rules to any/any allow so that we know the firewall isn’t the cause. Log in to the web server and the proxy and ping the Balance 380’s IP on their own VLANs.

Then log in to the Balance and use the ping tool in the web admin to prove you can ping both the web server and the proxy from the router.

Make sure both devices have got their default gateways set to be the Balance 380 too.
Then check the software firewall logs on the web server - often when using a private IP they will block all traffic apart from that which originates from the same subnet.

1 Like
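The two things Martin describes above, the strict DMZ ruleset from his first reply and the any/any-allow check from this one, modelled as a first-match firewall in Python. This is an added example, not a Peplink configuration or anything from the thread; the rule format, the `evaluate`/`decisions` helpers and the test flows are constructed, with addresses taken from the thread (DMZ 192.168.1.0/24, proxy 192.168.1.100, web server 10.0.0.100).

```python
from ipaddress import ip_address, ip_network

# Constructed example (not Peplink's config format): the inter-VLAN policy as a
# first-match rule list, plus the any/any allow ruleset used to rule the firewall
# out as the cause. Only flow initiation is modelled; a stateful firewall passes
# the return traffic of an allowed flow on its own.
ANY = ip_network("0.0.0.0/0")
DMZ = ip_network("192.168.1.0/24")
WEB = ip_network("10.0.0.100/32")

# Rule: (name, src, dst, proto, dst ports, action); proto "any" / ports None match all.
STRICT_RULES = [
    ("proxy-to-web", DMZ, WEB, "tcp", {80, 443}, "allow"),
    ("deny-rest", ANY, ANY, "any", None, "deny"),
]
ANY_ANY_ALLOW = [("allow-all", ANY, ANY, "any", None, "allow")]


def evaluate(rules, src, dst, proto, dport=None):
    """Return (action, rule_name) of the first rule matching the flow; default deny."""
    s, d = ip_address(src), ip_address(dst)
    for name, rsrc, rdst, rproto, rports, action in rules:
        if s not in rsrc or d not in rdst:
            continue
        if rproto != "any" and rproto != proto:
            continue
        if rports is not None and dport not in rports:
            continue
        return action, name
    return "deny", "implicit"


# Constructed test flows: (description, src, dst, proto, dport)
FLOWS = [
    ("proxy fetches page from web server", "192.168.1.100", "10.0.0.100", "tcp", 443),
    ("proxy tries SSH to web server", "192.168.1.100", "10.0.0.100", "tcp", 22),
    ("proxy reaches another LAN host", "192.168.1.100", "10.0.0.50", "tcp", 443),
    ("LAN PC pings the proxy", "10.0.0.20", "192.168.1.100", "icmp", None),
]


def decisions(rules):
    """Map each test flow to the action the given ruleset takes on it."""
    return {desc: evaluate(rules, s, d, p, port)[0] for desc, s, d, p, port in FLOWS}


if __name__ == "__main__":
    for label, rules in (("strict DMZ", STRICT_RULES), ("any/any allow", ANY_ANY_ALLOW)):
        print(label)
        for desc, action in decisions(rules).items():
            print(f"  {action:5} {desc}")
```

Under the strict ruleset a ping from the LAN into the DMZ is denied by design, so a failed ping does not by itself indicate a misconfiguration; that is why the any/any-allow step is needed before blaming anything else.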

Hi Martin,

I really appreciate the help but am still having problems. I’ll try and be as complete as possible.

The Peplink 380 is using version 6.3.4 build 3613

The main network is 10.0.0.xxx

I added the VLAN subnet 192.168.10.xxx

I added a new internal firewall rule with logging enabled to try and see what is happening

The logs show this, which is a ping from my Win10 PC to the server, but the ping times out with no response.

Here is an attempt to SSH to the server. Also no response.

I set up another PC on my LAN with IP of 192.168.10.100
This PC can ping and connect to the server at 192.168.10.10, but it cannot connect to the internet or to any 10.0.0.xxx device.

Here are some ping test results via the Balance 380 (from 10.0.0.254)

And here are ping test results via the Balance 380 (from 192.168.10.254)

Any more advice or ideas will be appreciated!

Thanks,

Bill

Do you have anything else on the 192.168.10.0/24 network or is it just a single web server?
Is the Balance doing DHCP on both LANs?
What’s the default gateway set to on the 192.168.10.10 server?

Hey Martin,

The server has 192.168.10.254 as gateway
DHCP is not enabled on the VLAN subnet
The server at 192.168.10.10 will be the only device. It will become a reverse proxy. I did set up a Win10 PC at 192.168.10.100 for testing. It cannot see any 10.0.0.xxx devices either.

Thanks!

Bill

@Bill_Casey ,

How are the proxy server and the test PC 192.168.10.100 connected to the B305?

Setup looks good. Everything is pointing to either a network misconfiguration on the Web server or some sort of software firewall that is blocking access.

I would likely run a network capture on the web server (or on the balance) and prove that traffic is getting to the web server from the other LAN (but being rejected) to confirm this.

Hello Martin,

Thanks for looking at it. I’ll try and see if Wireshark can help diagnose the traffic.

Bill

The Balance is connected to a Netgear GS748Tv3 switch
A Netgear GS116 switch connects to the GS748Tv3
The proxy server and the test PC connect to the GS116 switch

Bill