
Help me set up 2 public IPs on our firewall

Discussion in 'Networks & Internet Connectivity' started by Over Clocker, 11 May 2010.

  1. Over Clocker

    Man of Honour

    Joined: 17 Oct 2002

    Posts: 9,695

    Location: Retired Don

    Hi guys,

    We have a Sonicwall TZ180 firewall, and 2 public IPs provided by our internet service.

    So far we've been using one public IP, which is the WAN IP on the firewall, and we have some access rules set up for port forwarding.

    We now have a need to run 2 websites on port 443 on 2 different virtual servers, so we need to use the 2nd public IP that we have, but I have no idea how to configure this on the firewall.

    Any help would be great!
     
  2. Over Clocker

    Man of Honour

    Joined: 17 Oct 2002

    Posts: 9,695

    Location: Retired Don

    Just been doing some more reading, will I need to put a switch in between the WAN switch and the Firewall, and plug the server requiring the 2nd public IP directly into it with the public IP as its static IP, with the rest plugged into the firewall?

    Thanks,

    Mal
     
  3. edscdk

    Soldato

    Joined: 17 Jul 2008

    Posts: 7,111

    If I understand right,

    you have a no-NAT WAN router that connects to a firewall,

    you need to plug the WAN router into a switch,

    then simply plug the firewall into the switch, and the new box...

    you can always use host headers to have several web sites on the same port on the same box.

    (you tell the web server that www.a.com goes to web site 1, and www.b.com goes to web site 2)
     
  4. Over Clocker

    Man of Honour

    Joined: 17 Oct 2002

    Posts: 9,695

    Location: Retired Don

    Thanks for that.

    I was considering host headers, but this is for https port 443 sites, so I don't think that will work easily!

    Cheers,

    Mal
     
  5. edscdk

    Soldato

    Joined: 17 Jul 2008

    Posts: 7,111

    I admit I only took 30s and only half read the article but..

    http://www.microsoft.com/technet/pr...108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true

    You can configure Web sites that use host headers to serve protected content over a Secure Sockets Layer (SSL) connection, that is, a connection that uses https:// instead of http://. To use SSL with host headers, you must obtain and install a wildcard server certificate. After you configure SSL host headers for a Web site, protected content is served only over an https:// connection.
     
  6. #Chri5#

    Soldato

    Joined: 27 Feb 2003

    Posts: 6,995

    Location: Shropshire

    Which version of SonicOS is the TZ running - Standard or Enhanced?

    That makes a big difference in setting up the port forward. Everything can stay behind the SonicWall.
     
  7. Over Clocker

    Man of Honour

    Joined: 17 Oct 2002

    Posts: 9,695

    Location: Retired Don

    Hi, it is standard:

    SonicOS Standard 3.9.0.1-7s

    Cheers,

    Mal
     
  8. #Chri5#

    Soldato

    Joined: 27 Feb 2003

    Posts: 6,995

    Location: Shropshire

    One-to-One NAT it is then. From the web GUI:

    Network > One-to-One NAT
    Enable it and add your new server with the relevant internal and public IPs (public will be the second one you have off your ISP). Note there's no need to "declare" this IP on the interface section.

    Then in Firewall > Access Rules
    Create a new rule to allow HTTPS from * (or just WAN) through to the LAN with the private IP of your new server

    There are some screenshots based on SonicOS Standard 2.0 on page 6 onwards here (PDF).

    HTH,
    Chris.
     
  9. Over Clocker

    Man of Honour

    Joined: 17 Oct 2002

    Posts: 9,695

    Location: Retired Don

    Hello Chris,

    Thank you very much for the pointers. I will try these now!
     
  10. Over Clocker

    Man of Honour

    Joined: 17 Oct 2002

    Posts: 9,695

    Location: Retired Don

    One question - If I create a new rule for HTTPS from * to 192.168.1.11, will this not conflict with the existing HTTPS rule I have from * to 192.168.1.13?
     
  11. #Chri5#

    Soldato

    Joined: 27 Feb 2003

    Posts: 6,995

    Location: Shropshire

    Not a problem, the NAT engine in the firewall will look after the translation and direct traffic accordingly.

    As an example...

    Say your internal servers with the HTTPS site were 192.168.10.11 and .12. You could have two rules to allow HTTPS from the WAN to each IP. Or, you can have a single rule to allow HTTPS with the destination as the range 192.168.10.11-12.

    I've found an extra bit of documentation:

     
    Last edited: 12 May 2010
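A simplified model of the point made in the reply above, as an added example that is not part of the thread and not SonicWall's code: the destination is translated first and the access rules are then matched on the private IP, so two HTTPS rules with different destinations never compete. The public addresses (documentation range 203.0.113.x), the treatment of the WAN IP's existing forward as a translation entry, and the names `Rule` and `handle_inbound` are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values: 203.0.113.x is a documentation range standing in
# for the two ISP-assigned public IPs; the private IPs are the ones in the thread.
WAN_IP = "203.0.113.10"            # firewall's own WAN address (assumed)
SECOND_PUBLIC_IP = "203.0.113.11"  # second public IP (assumed)

# Model assumption: both inbound paths are expressed as public -> private
# translations. The second entry is the new One-to-One NAT mapping.
NAT = {WAN_IP: "192.168.1.13", SECOND_PUBLIC_IP: "192.168.1.11"}


@dataclass(frozen=True)
class Rule:
    """Allow rule: one service port to an inclusive range of private IPs."""
    port: int
    first: str
    last: str

    def matches(self, port: int, private_dst: str) -> bool:
        dst = ipaddress.ip_address(private_dst)
        lo, hi = ipaddress.ip_address(self.first), ipaddress.ip_address(self.last)
        return port == self.port and lo <= dst <= hi


def handle_inbound(public_dst: str, port: int, nat: dict, rules: list):
    """Return the private IP a WAN packet is delivered to, or None if dropped."""
    private_dst = nat.get(public_dst)      # step 1: destination translation
    if private_dst is None:
        return None                        # no mapping for this public IP
    if any(r.matches(port, private_dst) for r in rules):
        return private_dst                 # step 2: an allow rule matched
    return None                            # default deny


# Two separate HTTPS rules, as asked about in the thread.
TWO_RULES = [Rule(443, "192.168.1.13", "192.168.1.13"),
             Rule(443, "192.168.1.11", "192.168.1.11")]
# One rule over a range, the alternative given in the reply. A range also
# covers every address between its ends (here 192.168.1.12).
RANGE_RULE = [Rule(443, "192.168.1.11", "192.168.1.13")]

if __name__ == "__main__":
    for dst, port in [(WAN_IP, 443), (SECOND_PUBLIC_IP, 443), (SECOND_PUBLIC_IP, 3389)]:
        print(dst, port, "->", handle_inbound(dst, port, NAT, TWO_RULES))
```

In this model the One-to-One NAT entry on its own opens nothing: a packet to the second public IP on any port other than 443 is dropped because no allow rule matches it.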
  12. Over Clocker

    Man of Honour

    Joined: 17 Oct 2002

    Posts: 9,695

    Location: Retired Don

    Hi Chris,

    Thank you for that. Now have them both working alongside each other.

    Thanks!!
     
  13. #Chri5#

    Soldato

    Joined: 27 Feb 2003

    Posts: 6,995

    Location: Shropshire

    Excellent - no worries :cool: