Used for giving wired devices (such as femtocells) access to the internet without access to local devices.
The following rules are required, assuming the desired subnet is 192.168.71.1/24.
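/* Isolated "EXT" segment for wired devices such as femtocells: internet access
   only, no access to local networks. The network-groups referenced below
   (corporate_network, guest_network, remote_user_vpn_network, EXT_network) are
   not defined on this page; they must exist under firewall group network-group
   before this configuration commits. IPv4 only: if IPv6 is enabled on eth2,
   equivalent ipv6-name chains are needed. */
firewall {
    name EXT_IN {
        /* Deny-list posture: anything not matched by rules 3006-3008 is forwarded.
           A new internal subnet is reachable from EXT until it is added to one of
           these groups; a final rule dropping all private (RFC 1918) destinations
           would make the isolation fail-closed instead. */
        default-action accept
        description "packets from ext to intranet"
        rule 3006 {
            action drop
            description "drop EXT to LAN traffic"
            destination {
                group {
                    network-group corporate_network
                }
            }
        }
        rule 3007 {
            action drop
            description "drop EXT to GUEST traffic"
            destination {
                group {
                    network-group guest_network
                }
            }
        }
        rule 3008 {
            action drop
            description "drop EXT to REMOTE USER traffic"
            destination {
                group {
                    network-group remote_user_vpn_network
                }
            }
        }
    }
    name EXT_LOCAL {
        /* Packets arriving on eth2 that are addressed to the gateway itself.
           Only DNS, ICMP and replies to gateway-initiated sessions are accepted.
           DHCP (udp/67) is not listed -- NOTE(review): confirm on the platform
           that leases are still handed out; if not, add an accept rule for
           udp destination port 67. */
        default-action drop
        description "packets from ext to gateway"
        rule 3001 {
            action accept
            /* Clients receive dns-server 192.168.71.1 from DHCP below, so the
               gateway's DNS forwarder must also listen on eth2 (not shown here). */
            description "allow DNS"
            destination {
                port 53
            }
            protocol udp
        }
        rule 3002 {
            action accept
            description "allow ICMP"
            protocol icmp
        }
        rule 3003 {
            action accept
            description "allow established/related sessions"
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 3004 {
            /* Redundant with default-action drop; kept so invalid-state drops are
               explicit rather than folded into the default. */
            action drop
            description "drop invalid state"
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name EXT_OUT {
        /* Forwarded traffic leaving via eth2 toward the EXT segment is not
           restricted; isolation is enforced on the EXT_IN side only. */
        default-action accept
        description "packets forward to EXT"
    }
}
interfaces {
    ethernet eth2 {
        /* Was 192.168.72.1/24. The DHCP subnet, default-router and dns-server
           below all use 192.168.71.0/24, so the interface must carry an address
           in that network or the pool is never served on eth2. */
        address 192.168.71.1/24
        firewall {
            in {
                name EXT_IN
            }
            local {
                name EXT_LOCAL
            }
            out {
                name EXT_OUT
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name EXT_DHCP {
            authoritative enable
            /* Given as the network address; the page's text writes it as
               192.168.71.1/24 (host bits set), which some validators reject. */
            subnet 192.168.71.0/24 {
                default-router 192.168.71.1
                dns-server 192.168.71.1
                lease 86400
                start 192.168.71.100 {
                    stop 192.168.71.199
                }
            }
        }
    }
    nat {
        rule 6002 {
            /* Source NAT for the EXT segment toward the WAN link. EXT_network
               should cover 192.168.71.0/24 only; a wider group would masquerade
               more than this segment. */
            description "MASQ EXT_network to WAN"
            log disable
            outbound-interface pppoe0
            protocol all
            source {
                group {
                    network-group EXT_network
                }
            }
            type masquerade
        }
    }
}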