Explain how to setup a DMZ


Postby inthesands » Sep 09 04 11:35 am

I have WinGate with 3 NICs.
No.1 for Internal LAN.
No.2 for External LAN.
No.3 for DMZ.

I want to run a www and ftp server in the dmz, to service external Internet requests.

I assume that I would have the DMZ ip's as a private ip address range, and use tcp mapping to get external Internet requests to get to this address range?

What's the difference, if I do this, to having only 2 Nic's, and putting the www and ftp server behind wingate on my internal LAN?
inthesands
 
Posts: 36
Joined: Sep 07 04 7:42 pm

Postby labull » Sep 09 04 2:26 pm

With a DMZ - if they hack a system there they only have access to the systems in the DMZ.

If they hack a system on your LAN - very bad things could happen to all the systems on your LAN.

Larry
WinGate Lurker
labull
WinGate Guru
 
Posts: 710
Joined: Sep 06 03 1:03 am
Location: Washington, DC - USA

Postby adrien » Sep 09 04 4:15 pm

Hi

WinGate DMZ works in a fairly specific way. For starters, because we don't know what sort of systems will be run on the machines in the DMZ, we required that IP traffic between the Internet and the DMZ be routed. This means no address translation is performed for traffic going between a machine on a DMZ interface, and a machine on an external interface (i.e. the Internet). Avoiding Address translation means we avoid all the issues with application protocol support, so absolutely anything IP based should run in the DMZ.

This means that machines on the DMZ subnet must have public IP addresses in order to be accessible from the Internet, and in this capacity, WinGate acts as a router with rules/firewall between the DMZ subnet and the Internet.

If you want to run protected servers, but not have them have their own public IP addresses, you would put them on a subnet where the WinGate adapter was marked as "internal", then it will perform NAT for these machines out to the Internet, and you would create pinholes in the WinGate firewall to redirect incoming connections from the Internet through to these machines.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby inthesands » Sep 09 04 5:22 pm

So how can I have public addresses on both the DMZ and the External networks?

If I have a valid Public IP (which I must) on the External interface, how can I have a valid public IP With same network on my DMZ?

That's what I am trying to understand/get to work.
inthesands
 
Posts: 36
Joined: Sep 07 04 7:42 pm

Postby adrien » Sep 09 04 5:52 pm

It comes down to subnetting.

If everything is going through a single gateway, then this gateway needs a single external IP.

However, since you have a bunch of IP addresses, there must be a router provided by your ISP in your premises (or is there a card that plugs into your machine for this?).

Basically the router that connects to the external interface of your WinGate machine either needs to be configured to route to your IPs through the single IP of the gateway, OR if that router thinks all those IPs are local, you can use the ARP responder in WinGate to fool the router into sending the packets for the entire subnet to WinGate's MAC address.

WinGate then will route them to the DMZ as required. This is why we added the ARP responder, for the case where you cannot change routing on the local router (i.e. Whoosh here in New Zealand provides a customer premises router, which the customer cannot configure).

So, in our case here, what we would have is the following.

Internet -> Router (IP 210.55.214.97 mask 255.255.255.240).

So this router thinks all our IP addresses are available locally on its customer-side interface. This means when it gets a packet destined for an IP, it does an ARP request for that IP (as opposed to if it thought it would need to route it, it would just forward it to the MAC of the router).

So, our WinGate is configured with external address 210.55.214.98, mask 255.255.255.255. On newer "smarter" OSes, you can't set the netmask to this, so we had to edit the registry to set the network mask and reboot.

On this interface, we set ARP responder to the address 210.55.214.97 with mask 255.255.255.240. This means that for any address the router does a lookup for, WinGate will say "hey that's me". It is effectively like telling the router to route through us, without having to configure the router (which requires access).

On our DMZ interface, we give it a bogus IP address, say 1.2.3.4, mask can be anything. On this adapter in WinGate, we set an ARP responder to 210.55.214.98, MASK 255.255.255.255.

Then on the DMZ machines, we give them addresses in the range 210.55.214.99 - 210.55.214.107 with mask 255.255.255.240, and default gateway 210.55.214.98 (the other interface on WinGate, even though theoretically not available). Since these machines therefore think that 210.55.215.98 is local, they will do an ARP lookup for it, WinGate will respond, and the packets will flow through.

Clear as mud?

This way saves on IP addresses. You could go the "normal" way and assign away all your IPs to all the interfaces, and subnet the range into 2 networks, but due to network masking, this isn't efficient on IP addresses.

Adrien
Last edited by adrien on Sep 09 04 8:19 pm, edited 1 time in total.
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
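Worked subnet arithmetic for the layout Adrien describes above, as an added example that is not part of the thread and not Qbik's code. It uses the addresses from his post (router 210.55.214.97 with mask 255.255.255.240, WinGate external 210.55.214.98), models the ARP responder as a plain subnet-membership test (an assumption about how WinGate answers), derives the network address a route for the block would use, and compares the address cost of the ARP responder approach with the "normal" approach of splitting the range into two subnets.

```python
import ipaddress

# Addresses from Adrien's example above; the layout is illustrative, not a real site.
ALLOCATION = ipaddress.ip_network("210.55.214.97/255.255.255.240", strict=False)  # 210.55.214.96/28
ROUTER = ipaddress.ip_address("210.55.214.97")             # ISP router, customer-side interface
WINGATE_EXTERNAL = ipaddress.ip_address("210.55.214.98")   # WinGate external interface


def network_address(ip, mask):
    """Network address of an ip/mask pair, i.e. the destination a route for the block uses."""
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False).network_address)


def arp_responder_answers(responder_ip, responder_mask, queried_ip):
    """True if an ARP responder set to (ip, mask) would claim queried_ip.
    Assumption: the responder answers for every address inside that range."""
    scope = ipaddress.ip_network(f"{responder_ip}/{responder_mask}", strict=False)
    return ipaddress.ip_address(queried_ip) in scope


def dmz_hosts_arp_approach(allocation=ALLOCATION, router=ROUTER, wingate=WINGATE_EXTERNAL):
    """Usable DMZ addresses when the whole block stays one subnet and WinGate answers ARP for it.
    Only the router and WinGate's external address are consumed."""
    return [h for h in allocation.hosts() if h not in (router, wingate)]


def dmz_hosts_routed_approach(allocation=ALLOCATION, link_prefix=29,
                              router=ROUTER, wingate=WINGATE_EXTERNAL):
    """The 'normal' way: a link subnet for router + WinGate external, the upper half for the DMZ.
    Returns (link_subnet, dmz_subnet, usable_dmz_host_addresses)."""
    if link_prefix <= allocation.prefixlen:
        raise ValueError("link subnet must be smaller than the allocation")
    link_net = next(allocation.subnets(new_prefix=link_prefix))  # lowest subnet of the block
    if router not in link_net or wingate not in link_net:
        raise ValueError("router and WinGate external address must share the link subnet")
    _, dmz_net = allocation.subnets(new_prefix=allocation.prefixlen + 1)  # upper half of the block
    dmz_hosts = list(dmz_net.hosts())
    # The first usable address of the DMZ subnet goes to WinGate's DMZ interface,
    # so the servers get what is left.
    return link_net, dmz_net, dmz_hosts[1:]


if __name__ == "__main__":
    print("route destination for the block:", network_address("210.55.214.97", "255.255.255.240"))
    print("ARP responder approach, DMZ hosts:", [str(h) for h in dmz_hosts_arp_approach()])
    link, dmz, hosts = dmz_hosts_routed_approach()
    print(f"routed approach: link {link}, DMZ {dmz}, hosts {[str(h) for h in hosts]}")
```

With the /28 from the post, keeping one subnet and answering ARP for it leaves 12 addresses for DMZ hosts, while splitting it into a link subnet and a DMZ subnet leaves 5, which is the address cost Adrien refers to at the end of his post.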

Postby Pascal » Sep 09 04 6:02 pm

Ah, my response via email to you might seem a bit confusing then. I was discussing the bottom end of this connection (Dealing with WinGate to DMZ) while Adrien's just (More accurately, I think) outlined how to get everything to your external interface.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Postby inthesands » Sep 10 04 1:26 pm

Ok,
What Adrien has put down makes it all a lot clearer.

So how/where do I configure the Wingate ARP responder?
inthesands
 
Posts: 36
Joined: Sep 07 04 7:42 pm

Postby Pascal » Sep 10 04 1:29 pm

Properties of the adapter - switch to "Advanced". You will see it at the bottom.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Postby inthesands » Sep 10 04 1:43 pm

got it.
inthesands
 
Posts: 36
Joined: Sep 07 04 7:42 pm

Postby inthesands » Sep 10 04 1:53 pm

Adrien mentioned having to edit the registry to let the network mask be set to 255.255.255.255.
What/where do I edit this?
inthesands
 
Posts: 36
Joined: Sep 07 04 7:42 pm

Postby adrien » Sep 10 04 2:36 pm

On 2k or later, the registry key is a GUID under the services key.

i.e. if the adapter GUID is {8DB40446-6D60-4950-84D1-F5B414FB12DF}, then the location is

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\{8DB40446-6D60-4950-84D1-F5B414FB12DF}\Parameters\Tcpip

The values are:

IPAddress
SubnetMask
DefaultGateway

These are all REG_MULTI_SZ, and UNICODE.

This means, they need to be double null terminated, since they are a list of strings, and there needs to be a NULL byte between each character. Regedit edits them as binary resources, which is a pain in the neck. Find an adapter that has some values in there, and copy the layout.

OK, so how to find which GUID is for which adapter? You can look through them in this location until you recognise an address, but if the adapter is allocated by DHCP, these values will all be "0.0.0.0"

Otherwise, you can look through the key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}

This is the network adapters key. Under this, you will see a bunch of GUIDs. Each of these relates to a network adapter (some of which you may not be aware of, since some are hidden by the OS). Under each key there should be a "Connection" sub-key. In there, there is a value called "Name", and this is the name of the adapter. Therefore you can find out the GUID of an adapter.

It's all a bit of a mission I know but we know who to thank for that!

Other ways of getting the TCP/IP parameters you really want into an adapter are if you can control a DHCP server, you can set them in the server, and then set the adapter to use DHCP. The DHCP client will swallow anything you care to feed it, whereas the GUI control for network configuration tries to protect you from yourself and therefore makes a lot of valid configurations unavailable.

There are a couple more steps actually required to get the whole DMZ thing working as well which I forgot to put in the last post - that is the routing configuration on the WinGate machine.

You need to tell the machine that the DMZ subnet is out the DMZ adapter. Since the IP of that adapter is bogus (never used), it will create a bogus route for that subnet, which will mean that WinGate won't know how to get to your DMZ machines.

In the example before, we would create a route as follows

route add -p 210.55.214.97 MASK 255.255.255.240 1.2.3.4

Then it knows that that subnet is available on that interface.

Finally, you need to tell it how to get to the default gateway out the external adapter.

route add -p 210.55.214.97 MASK 255.255.255.255 210.55.214.98

A word of warning. When we tested this in the lab, we had some problems with the TCP/IP config on the machine after editing the registry. It worked fine, but when we wanted to change the IPs back etc, it wouldn't play ball.

So I am wondering whether a safer option, if you have heaps of spare IPs, would be to actually do the routing approach and subnet. I think the minimum subnet size Windows will allow is 3 IPs, i.e. a mask of 255.255.255.252

If you would like to pursue this option, you would allocate a public IP to the external interface, and the DMZ interface, but use subnet masks to partition the range of addresses you have into those two networks.

Let me know if you would like more info on this option.

I do have plans to write a more definitive DMZ setup guide as well.
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
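The REG_MULTI_SZ layout Adrien describes above (UTF-16 strings, each NUL-terminated, with a second NUL after the last one) is easy to get wrong when typed into regedit's binary editor. The following added example, which is not from the thread or from Qbik, builds and checks that byte layout and renders it as a `.reg` file fragment for the key path and adapter GUID quoted in the post, so it can be reviewed before anything is imported. It only covers the three values Adrien lists; it does not write to the registry and runs on any platform. The GUID and addresses are the ones from the post and are illustrative.

```python
REG_MULTI_SZ_TERMINATOR = b"\x00\x00"   # one UTF-16LE NUL character


def encode_reg_multi_sz(strings):
    """Encode a list of strings as REG_MULTI_SZ: each string in UTF-16LE followed by a
    NUL character, then one more NUL after the last string (the 'double null')."""
    for s in strings:
        if s == "" or "\x00" in s:
            raise ValueError("REG_MULTI_SZ entries must be non-empty and contain no NUL")
    body = b"".join(s.encode("utf-16-le") + REG_MULTI_SZ_TERMINATOR for s in strings)
    return body + REG_MULTI_SZ_TERMINATOR


def decode_reg_multi_sz(data):
    """Inverse of encode_reg_multi_sz; rejects data that is not double-NUL terminated."""
    if len(data) % 2:
        raise ValueError("UTF-16LE data must have an even length")
    text = data.decode("utf-16-le")
    if not (text.endswith("\x00\x00") or text == "\x00"):
        raise ValueError("REG_MULTI_SZ must end with a double NUL")
    stripped = text.rstrip("\x00")
    return stripped.split("\x00") if stripped else []


def reg_file_line(name, strings):
    """One value line in .reg syntax; hex(7) is regedit's tag for REG_MULTI_SZ."""
    data = encode_reg_multi_sz(strings)
    return f'"{name}"=hex(7):' + ",".join(f"{b:02x}" for b in data)


def adapter_tcpip_reg(adapter_guid, ip, mask, gateways=()):
    """A .reg fragment for the per-adapter Tcpip key named in the post.
    Review the output, then import it with regedit if it is what you intended."""
    key = (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"
           + "\\" + adapter_guid + r"\Parameters\Tcpip")
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        f"[{key}]",
        reg_file_line("IPAddress", [ip]),
        reg_file_line("SubnetMask", [mask]),
        reg_file_line("DefaultGateway", list(gateways)),
        "",
    ])


if __name__ == "__main__":
    # WinGate's external adapter from the example: a /32 the GUI will not let you set.
    print(adapter_tcpip_reg("{8DB40446-6D60-4950-84D1-F5B414FB12DF}",
                            "210.55.214.98", "255.255.255.255", []))
```

Decoding an existing value exported from a working adapter with `decode_reg_multi_sz` is the programmatic form of Adrien's advice to "find an adapter that has some values in there, and copy the layout": if the round trip fails, the bytes are not a valid REG_MULTI_SZ.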

Postby inthesands » Sep 10 04 3:08 pm

I would definitely prefer the routing approach. I have plenty of spare public IP's, plus I think it's a more robust/cleaner/professional approach, that once we nail it down, others who use Wingate will also be able to implement, and be comfortable to do without hacking the registry.

So more info on the routing option would be appreciated.
inthesands
 
Posts: 36
Joined: Sep 07 04 7:42 pm

Postby adrien » Sep 10 04 9:19 pm

Hi

To fully help, it is probably best if I had some information specific to your installation. If you could post some info to me at adrien at qbik dot com, then I can give you the routes etc you would need to create, IPs and masks etc.

I would need:

1. The IP address of the router that provides your LAN connectivity (probably is currently your WinGate machine's default gateway).

2. The subnet you have been allocated

3. The IP addresses you wish to use for the servers, i.e. WinGate, WWW and FTP servers and any others.

Cheers

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
