Gateway between 2 networks

Options
GMS98
GMS98 Posts: 7
Friend Collector First Comment

As a beginner in network configuration, I would like to isolate one or two machines (Linux/Windows) from my production network.

To do this, I connect them to my USG60 on the DMZ network (port 5, 192.168.3.1 255.255.255.0). My production machines are on port 3 (192.168.10.4, 255.255.255.0).

The idea would be to create a gateway between the two networks, opening only port 2222 to transfer files via SFTP. On the production side, a NAS is used as SFTP server. This service is activated and works correctly (internally on the production network).

I can't figure out which menu to use (NAT, service redirection?) and how to set this up. Communication would be initiated from machines in the DMZ. Either by pushing files to the NAS or by retrieving them.

Thanks for your advice and recommendations!

Accepted Solution

  • PeterUK
    PeterUK Posts: 2,863  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited January 16 Answer ✓
    Options

    All you need is a policy control rule from DMZ to LAN for the given port 2222

    Given this is SFTP you might need more ports like passive port range

«1

All Replies

  • PeterUK
    PeterUK Posts: 2,863  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited January 16 Answer ✓
    Options

    All you need is a policy control rule from DMZ to LAN for the given port 2222

    Given this is SFTP you might need more ports like passive port range

  • cackleunderage
    Options

    @PeterUK run 3
    Setting Up a Network:

    Make that the DMZ machines are connected to a different network, such as 192.168.3.0/24.
    Configure the USG60 to forward traffic from the DMZ network (port 5) to the production network (port 3).
    Rules for Firewalls:

    Establish firewall rules on the USG60 to manage network traffic.
    Allow SFTP communication on port 2222 from the DMZ to the production network.
    NAT/Port Forwarding:

    Configure port forwarding/NAT to redirect external traffic on port 2222 to the internal IP of the NAS on the production network if you wish to have external access to the NAS.

  • PeterUK
    PeterUK Posts: 2,863  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    You don't need a NAT rule if devices have gateway set

  • GMS98
    GMS98 Posts: 7
    Friend Collector First Comment
    Options

    Thank you for your reply.

    I went to Configuration > Security Rule > Control Policy and added a new rule.

    From: DMZ
    TO: LAN1
    Source : Any
    Destination: LAN1_SUBNET
    Service:SFTP
    User:anay
    Schedule:none
    Action:allow
    Corresponding traffic log:log
    UTM
    Anti-virus:EZMODE_AV

    The SFTP connection does not work. I have a timeout message. Cannot connect to site.

    I have indicated the internal IP of the NAS in the connection address and the correct port. In the production network, the SFTP connection goes through without a problem (service, user, rights are all functional).

    This is an ASUSTOR NAS. Perhaps I need to activate the EZ-Connect service?
    Note that the USG60 log doesn't display any messages related to my connection attempts.

    Do you have any idea what the problem is?

  • PeterUK
    PeterUK Posts: 2,863  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited January 16
    Options

    Try with Service any and not with Anti-virus

    The NAS has a gateway set for LAN1 yes? and is on LAN1?

  • GMS98
    GMS98 Posts: 7
    Friend Collector First Comment
    Options

    That's progress. The problem comes from the SFTP limitation for the service. When I switch to any, the connection is established. Normally with SFTP you only need one port.

    What do you recommend? Add an extra policy control rule? Which one?

  • PeterUK
    PeterUK Posts: 2,863  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited January 16
    Options

    Your NAS will have passive ports range you need to allow or if you can do a active connection type then the NAS can make the connection data from LAN to DMZ however ports it uses will be random.


  • GMS98
    GMS98 Posts: 7
    Friend Collector First Comment
    Options

    So obviously the SFTP transfer solution isn't ideal because I have to leave all the ports open (no specific settings for the NAS SFTP server). And it would therefore be possible to mount a share via SMB and propagate a virus in the production network.
    In fact, I don't really see how I can achieve this separation between the two networks while still having a controlled connection link.

  • PeterUK
    PeterUK Posts: 2,863  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Does your NAS say what  passive ports are?

  • GMS98
    GMS98 Posts: 7
    Friend Collector First Comment
    Options

    No, there is no information on this subject. What I've been able to get from the ASUS forum suggests that only one port is required. That's really strange. I'm going to try the SFTP connection over SSH again. The first test was inconclusive.

Security Highlight