4.9. Setup - Publishing Resources

Access from External Network without NAT


Access from LAN to External Network without NAT

If necessary (as a rule, when SafeUTM is located inside a LAN, and not on the border with the Internet), it is possible to organize direct access to some resources of networks external to SafeUTM without using NAT.

For example, let's analyze the firewall configuration for non-NAT access to IP address: 10.0.0.1 (in general, it can also be a network or a range of IP addresses).

  1. Turn off the parameter Automatic local SNAT in Traffic Rules -> Firewall.
  2. In the firewall, in the SNAT table, create a rule with the action Don't use SNAT for this destination IP address.

    1. Access from External Network without NAT.png

  3. With the next rule, create SNAT rules for your local network (so that other hosts work via NAT).

    2. Access from External Network without NAT.png

The final firewall rules look like this:
3. Access from External Network without NAT.png

On LAN devices, SafeUTM must be used as the main gateway, or the necessary route to external IP addresses through SafeUTM must be prescribed. Also, LAN devices must be authorized on UTM. On devices from an external network (in relation to SafeUTM), SafeUTM must also be used as the main gateway, or there must be a route to the local network via SafeUTM.

Publishing Web Applications (Reverse Proxy)

Publication of web servers is possible through a reverse proxy server.

Setting up Public IP Address on Computer in LAN

Use portmapping to forward their entire range from 0 to 65535 to get the effect of presence of a local server on an external IP address.

Portmapping (Port Forwarding, DNAT)

It is often necessary to configure the server so that it provides access to a network service running on a network device in LAN with a private (gray) IP address, that is, publish the service (or network service) on the Internet.

Publishing a service available in LAN works by broadcasting (forwarding) any unused network port on the external (public) IP address of the SafeUTM server to the port of the corresponding service running on a network device in LAN.

In this case, all requests from external networks to the public address of the UTM server on the broadcast port will be redirected to the published port of the service running on a network device in LAN. This technology is also called DNAT, portmapper, and port forwarding.

The technical implementation consists in creating a rule in the DNAT table of the SafeUTM firewall indicating the addresses of the server, published machine, and network port, from which and to which network requests will be broadcast from the outside.

It is not recommended to use port forwarding for publishing web and mail servers (ports 80, 443). To publish them, use a reverse proxy server. This way, your servers will be better protected from attacks from the Internet.

Creating DNAT rules in the SafeUTM firewall

Let’s consider a specific example in which:

To configure the broadcasting of requests to this service from the outside via the SafeUTM server to a device in LAN, go to SafeUTM web interface section Traffic Rules -> Firewall -> DNAT (port forwarding) and create a port broadcasting rule (DNAT) by clicking on (+) in the upper right corner of the screen.

Based on the initial task, the rule will look like this in the screenshot below:
1. Portmapping (Port Forwarding, DNAT).png

After saving the created rule, its final appearance in the table will look like this:
2. Portmapping (Port Forwarding, DNAT).png

Firewall settings are applied immediately when creating a rule.

Similarly, you can forward a range of ports. To do this, in the Destination ports field specify the desired range (pre-create the appropriate Object, for example, 10000-20000), and in Forward to field specify the port range 10000-20000.
3. Portmapping (Port Forwarding, DNAT).png

Common mistakes
Recommendations
Troubleshooting