How to: Allow internet access (use integrated NAT) with manual redirection
In some cases NAT via the TCP/IP stack does not work because another firewall, packet filter or NAT program is installed on the same machine. That other software can drop the packets NAT-ed by NetCom.
In this case it is possible to perform NAT manually/directly (not via the Windows TCP/IP stack): NetCom does not send the packets to the stack at all. The packets are redirected straight to the NIC and are never visible to the stack, as shown in the diagram.
For example, suppose your network topology and configuration match the following:
• Network: 192.168.0.0
• Subnet mask: 255.255.255.0
• Server internal address: 192.168.0.1
• Server external address: 207.46.130.108
• Server gateway address: 207.46.130.107
If you want to allow Internet access for the workstations with addresses 192.168.0.12 and 192.168.0.14, do the following:
1. ALLOW ALL
Create a rule that allows all network traffic from anywhere to anywhere (it must always be the last item in the rules list):
Packet action equal to Allow
2. DENY EXTERNAL
Create a rule that denies traffic coming from outside the internal network and addressed to an internal address (it must always be the second-to-last item in the rules list). Note that the conditions below match only packets whose source is outside 192.168.0.0/24 and whose destination is inside it; packets from other internal workstations (for example 192.168.0.13) to the Internet are not matched by this rule and fall through to ALLOW ALL, so they reach the Windows stack without being NAT-ed by NetCom:
Packet action equal to Deny
Protocols equal to Any IP
Source IP NOT in range 192.168.0.0 - 192.168.0.255
Destination IP in range 192.168.0.0 - 192.168.0.255
3. ALLOW BROADCASTS
Create a rule that allows IP broadcasts (it must always be the first item in the rules list):
Packet action equal to Allow
Protocols equal to Any IP
Destination IP equal to 255.255.255.255
4. 192.168.0.12
Create a rule that allows 192.168.0.12 to reach the external network from the internal network:
Protocols equal to Any IP
Source IP equal to 192.168.0.12
Destination IP NOT in range 192.168.0.0 - 192.168.0.255
Packet action equal to Allow
Add data to NAT table enabled
Replace source MAC address with the MAC address of your external interface
Replace destination MAC address with the MAC address of your gateway
(Note: you can find these MAC addresses with the Windows commands "route print", which lists your interfaces with their MAC addresses and shows the default gateway's IP, and "arp -a", which shows the gateway's MAC once it is in the ARP cache; ping the gateway first if it is not listed)
Replace source IP with your external IP (207.46.130.108)
Redirect to external interface
5. 192.168.0.14
Create a rule that allows 192.168.0.14 to reach the external network from the internal network:
Protocols equal to Any IP
Source IP equal to 192.168.0.14
Destination IP NOT in range 192.168.0.0 - 192.168.0.255
Packet action equal to Allow
Add data to NAT table enabled
Replace source MAC address with the MAC address of your external interface
Replace destination MAC address with the MAC address of your gateway
(Note: these are the same two MAC addresses as in step 4; see the note there on finding them with "arp -a" and "route print")
Replace source IP with your external IP (207.46.130.108)
Redirect to external interface
6. CHANGE RULES ORDER
Rules are checked from the top of the list down and the first matching rule decides, so you must arrange them in this order:
1. ALLOW BROADCASTS - needed for normal network operation;
2. 192.168.0.12 - allow access to the Internet;
3. 192.168.0.14 - allow access to the Internet;
4. DENY EXTERNAL - deny other external traffic;
5. ALLOW ALL - needed for normal operation of the Internet connection and the local network.
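To check how the five rules interact before enabling filtering, the following is an added Python model (not NetCom's code or documentation) of the final rule list as a first-match packet filter with the manual NAT rewrites from steps 4 and 5. It assumes that rules are evaluated top to bottom with the first match deciding, that a plain Allow hands the packet to the Windows stack, and that a NAT rule rewrites the packet exactly as the steps describe; the MAC addresses and the Internet host 198.51.100.7 are constructed sample values. Running it shows that 192.168.0.12's traffic is NAT-ed and redirected, that 192.168.0.13 falls through to ALLOW ALL un-NAT-ed, that inbound packets addressed to the LAN are dropped by DENY EXTERNAL while replies to 207.46.130.108 are not, and what happens when ALLOW ALL is mistakenly placed first.

```python
"""First-match model of the NetCom rule list above with manual NAT (added example, not NetCom code).

Assumptions: top-to-bottom evaluation, first match decides; Allow without NAT passes the packet to
the Windows stack; a NAT rule rewrites MACs/source IP and redirects to the external NIC.
MAC addresses and the host 198.51.100.7 are constructed sample values.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

INTERNAL = IPv4Network("192.168.0.0/24")        # 192.168.0.0 - 192.168.0.255 (from the page)
EXTERNAL_IP = IPv4Address("207.46.130.108")     # server external address (from the page)
BROADCAST = IPv4Address("255.255.255.255")
EXT_IF_MAC = "00:11:22:33:44:55"                # constructed: MAC of the external interface
INT_IF_MAC = "00:11:22:33:44:01"                # constructed: MAC of the internal interface
GATEWAY_MAC = "00:aa:bb:cc:dd:ee"               # constructed: MAC of the gateway 207.46.130.107


@dataclass(frozen=True)
class Packet:
    src_ip: IPv4Address
    dst_ip: IPv4Address
    src_mac: str
    dst_mac: str
    out: str = ""    # filled in by the filter: "external" (redirected to NIC) or "stack" (Windows)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                # "Allow" or "Deny"
    src_in: Optional[IPv4Network] = None       # "Source IP equal to" / "in range"
    src_not_in: Optional[IPv4Network] = None   # "Source IP NOT in range"
    dst_in: Optional[IPv4Network] = None       # "Destination IP in range"
    dst_not_in: Optional[IPv4Network] = None   # "Destination IP NOT in range"
    dst_eq: Optional[IPv4Address] = None       # "Destination IP equal to"
    nat: bool = False                          # "Add data to NAT table" + rewrites + redirect

    def matches(self, p: Packet) -> bool:
        return all((
            self.src_in is None or p.src_ip in self.src_in,
            self.src_not_in is None or p.src_ip not in self.src_not_in,
            self.dst_in is None or p.dst_ip in self.dst_in,
            self.dst_not_in is None or p.dst_ip not in self.dst_not_in,
            self.dst_eq is None or p.dst_ip == self.dst_eq,
        ))


def host(ip: str) -> IPv4Network:
    return IPv4Network(ip + "/32")


# The rule list in the order step 6 requires.
RULES: List[Rule] = [
    Rule("ALLOW BROADCASTS", "Allow", dst_eq=BROADCAST),
    Rule("192.168.0.12", "Allow", src_in=host("192.168.0.12"), dst_not_in=INTERNAL, nat=True),
    Rule("192.168.0.14", "Allow", src_in=host("192.168.0.14"), dst_not_in=INTERNAL, nat=True),
    Rule("DENY EXTERNAL", "Deny", src_not_in=INTERNAL, dst_in=INTERNAL),
    Rule("ALLOW ALL", "Allow"),
]

# Simplified NAT table: remote IP -> (original internal IP, MAC). A real NAT table also keys on
# protocol and ports so that two workstations can talk to the same remote host at once.
NAT_TABLE: Dict[IPv4Address, Tuple[IPv4Address, str]] = {}


def apply_rules(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, Optional[Packet]]:
    """First match wins. Returns (rule name, resulting packet), or (rule name, None) if dropped."""
    for r in rules:
        if not r.matches(p):
            continue
        if r.action == "Deny":
            return r.name, None
        if r.nat:
            NAT_TABLE[p.dst_ip] = (p.src_ip, p.src_mac)
            # Steps 4/5: source MAC := external interface, destination MAC := gateway,
            # source IP := external IP, then redirect to the external NIC (bypassing the stack).
            return r.name, replace(p, src_ip=EXTERNAL_IP, src_mac=EXT_IF_MAC,
                                   dst_mac=GATEWAY_MAC, out="external")
        return r.name, replace(p, out="stack")   # plain Allow: packet goes up the Windows stack
    return "no match", None


# Constructed sample traffic (198.51.100.0/24 is a documentation range).
INTERNET_HOST = IPv4Address("198.51.100.7")
SAMPLES: Dict[str, Packet] = {
    "ws12_to_internet": Packet(IPv4Address("192.168.0.12"), INTERNET_HOST, "00:0c:29:12:12:12", INT_IF_MAC),
    "ws13_to_internet": Packet(IPv4Address("192.168.0.13"), INTERNET_HOST, "00:0c:29:13:13:13", INT_IF_MAC),
    "internet_to_lan": Packet(INTERNET_HOST, IPv4Address("192.168.0.5"), GATEWAY_MAC, EXT_IF_MAC),
    "reply_to_server": Packet(INTERNET_HOST, EXTERNAL_IP, GATEWAY_MAC, EXT_IF_MAC),
    "dhcp_discover": Packet(IPv4Address("0.0.0.0"), BROADCAST, "00:0c:29:15:15:15", "ff:ff:ff:ff:ff:ff"),
}


def dispositions(rules: List[Rule] = RULES) -> Dict[str, Tuple[str, Optional[str], Optional[str]]]:
    """For each sample: (matching rule, where the packet went, source IP as actually sent)."""
    result: Dict[str, Tuple[str, Optional[str], Optional[str]]] = {}
    for label, pkt in SAMPLES.items():
        name, out = apply_rules(pkt, rules)
        result[label] = (name, out.out if out else None, str(out.src_ip) if out else None)
    return result


if __name__ == "__main__":
    for label, row in dispositions().items():
        print(f"{label:18} -> {row}")
    # With ALLOW ALL first, nothing is NAT-ed: 192.168.0.12's traffic reaches the stack unchanged.
    print("misordered:", dispositions(RULES[-1:] + RULES[:-1])["ws12_to_internet"])
```

The model only covers the outbound direction and rule dispositions; how NetCom uses its NAT table to translate the reply to 207.46.130.108 back to the workstation is not described on this page and is not modelled. The point worth keeping is that DENY EXTERNAL, as written, never touches that reply (its destination is the external IP, not an internal address), so it cannot break the NAT-ed connections.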
7. ENABLE FILTERING
Select both adapters (internal and external) for filtering.
Filtering starts at this moment.
That's all...
NOTE:
A DNS server address must be configured on the client computers! The rules above only forward packets and do not provide name resolution, so the clients need a resolver they can reach (for example an external DNS server, whose queries are NAT-ed like any other traffic from 192.168.0.12 and 192.168.0.14).