February 26, 2009 at 7:51 am #41502
I have been using ZS for quite some time and I am impressed with its functionality and stability.
Most of the time I configure security appliances like Cisco PIXes or the newer ASAs and I do this for high security multinational companies.
One of the very useful advantages of these devices is the ability to do DNAT and PNAT routing. That is, lets assume that I have a public allocation of say 5 IP addresses (188.8.131.52-6/255.255.255.248) + one gateway IP (184.108.40.206) and we call this group “outside” (cisco common term). We may use one ethernet port for the outside, i.e., ETH00. The default gateway or “nexthop” is our 220.127.116.11 address here.
We further have another ethernet port ETH01 and give it an address of say “10.22.33.1/255.255.255.0” and we call this port the DMZ. This is our subnet’s gateway for everything on this sub-network (10.22.33.x).
I could DNAT traffic arriving on the outside (ETH00) address with the Destination Network Address (18.104.22.168) and Translate it to say 10.22.33.100. Likewise, 22.214.171.124 –> 10.22.33.45 where the [xx..x] used above is the port.
ZeroShell can do this right now (using the gui) but only for all traffic arriving on ETH00 – the gui does not permit one to extend the rules for IPTABLES to include the destination address. If it did, we could now use all five outside addresses and route requests to various machines inside based on BOTH the public address AND the port. This simple extension would make ZeroShell a great choice for a SMB who cannot afford a Cisco ASA55xx which lists starting at US $2000+.
While this has little interest to the home user or small business operator with only one external IP address. But, the phone and cable companies do push “business” class services where the IP address is static AND by definition, more than one address is allocated to the customer.
I have modifed IPTABLES to do this on ZeroShell, but it would be VERY desirable to do this in the gui.
P.S., Later, the addition of SSL acceleration would be a HUGE addition. The actual routing and translation in ZS consumes a fraction of the processing power in most platforms, using some of the remaining capacity for SSL would be a nice future feature.March 1, 2009 at 11:51 pm #47692
My apologies Fluvio, I now see that we do indeed look at the source of the incoming requests. Good job, you thought ahead indeed.
BillApril 7, 2009 at 2:31 am #47693
Could you give more details on how you configured ZeroShell to do this? I’ve got a very similar situation trying to replace an existing router/firewall that uses this feature.
You must be logged in to reply to this topic.