Specifications

EthernetDevice: 0:G2 1:<empty>
AutoSwitchRoute: No
AutoInterfaceNetworkRoute: Yes
AutoDefaultGatewayRoute: Yes
ReceiveMulticastTraffic: Auto
MemberOfRoutingTable: All
Comments: <empty>
Setting the default gateway on the interface has the additional effect that cOS Core
automatically creates a route in the default main routing table that has the network all-nets
routed on the interface. This means that we do not need to explicitly create this route.
Even though an all-nets route is added automatically, no traffic can flow until an IP rule is added
that explicitly allows it. Let us assume we want to allow web browsing from the protected network
G3_net on the interface G3. A simple rule to do this has its Action property set to the value Allow.
The IP rule set main always exists by default and is a top-level CLI context; within that context,
add an IP rule called lan_to_wan to allow the traffic through to the public Internet:
Device:/main> add IPRule name=lan_to_wan
        Action=Allow
        SourceInterface=G3
        SourceNetwork=InterfaceAddresses/G3_net
        DestinationInterface=G2
        DestinationNetwork=all-nets
        Service=http-all
This IP rule would be correct if the internal hosts have public IPv4 addresses, but in most
scenarios this will not be true and the internal hosts will have private IPv4 addresses. In that case,
NAT must be used for outgoing traffic so that the apparent source IP address is the IP address of
the interface connected to the ISP. To do this, simply change the Action property in the above
command from the value Allow to the value NAT:
Device:/main> add IPRule name=lan_to_wan
        Action=NAT
        SourceInterface=G3
        SourceNetwork=InterfaceAddresses/G3_net
        DestinationInterface=G2
        DestinationNetwork=all-nets
        Service=http-all
The service used in the IP rule is http-all, which allows most web browsing but does not include
the DNS protocol needed to resolve the hostnames in URLs into IP addresses. To solve this, a custom
service combining http-all with the dns-all service could be used in the above rule. However, the
recommended method, which keeps the configuration clearest, is to create a separate IP rule for DNS:
Device:/main> add IPRule name=lan_to_wan_dns
        Action=NAT
        SourceInterface=G3
        SourceNetwork=InterfaceAddresses/G3_net
        DestinationInterface=G2
        DestinationNetwork=all-nets
        Service=dns-all
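The two pitfalls just described (a plain Allow rule for privately addressed hosts, and an http-all rule with no companion dns-all rule) are easy to check for mechanically before a configuration is committed. The following script is an added example, not part of cOS Core or its documentation: it parses add IPRule commands in the CLI form shown above and reports both problems. The address book entry for G3_net (192.168.3.0/24) and the choice of G2 as the ISP-facing interface are assumptions made for the example; the two rule sets it lints are constructed to mirror the before and after states in this section.

```python
"""Lint cOS Core 'add IPRule' CLI commands for two outbound-traffic pitfalls:
an Allow (non-NAT) rule that sends privately addressed hosts to the ISP-facing
interface, and an http-all rule with no matching dns-all rule.
Added example; not part of cOS Core or its documentation."""
import ipaddress
import re
import shlex

# Constructed address book. The chapter never gives G3_net's actual value,
# so 192.168.3.0/24 is an assumption made only for this example.
ADDRESS_BOOK = {
    "InterfaceAddresses/G3_net": ipaddress.ip_network("192.168.3.0/24"),
    "all-nets": ipaddress.ip_network("0.0.0.0/0"),
}
# Assumption: G2 is the interface connected to the ISP, as in the chapter.
WAN_INTERFACES = {"G2"}

PROMPT = re.compile(r"^\S*>\s*")  # strips a leading 'Device:/main> '


def parse_iprule(command):
    """Turn 'add IPRule name=x Action=... Service=...' into a property dict."""
    tokens = shlex.split(PROMPT.sub("", command))
    if tokens[:2] != ["add", "IPRule"]:
        raise ValueError(f"not an IPRule command: {command!r}")
    props = {}
    for token in tokens[2:]:
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"expected key=value, got {token!r}")
        props[key] = value
    return props


def _same_flow(a, b):
    """True when two rules match the same interfaces and networks."""
    keys = ("SourceInterface", "SourceNetwork",
            "DestinationInterface", "DestinationNetwork")
    return all(a.get(k) == b.get(k) for k in keys)


def lint_rules(commands):
    """Return a list of human-readable findings; an empty list means no issue."""
    rules = [parse_iprule(c) for c in commands]
    findings = []
    for rule in rules:
        src = ADDRESS_BOOK.get(rule.get("SourceNetwork"))
        outbound = rule.get("DestinationInterface") in WAN_INTERFACES
        # Private sources leaving through the WAN need NAT, not plain Allow.
        if outbound and src is not None and src.is_private \
                and rule.get("Action") == "Allow":
            findings.append(
                f"{rule['name']}: Action=Allow from private network {src} "
                f"to WAN interface; use Action=NAT")
        # Web browsing without a DNS rule for the same flow cannot resolve names.
        if outbound and rule.get("Service") == "http-all":
            has_dns = any(_same_flow(rule, other)
                          and other.get("Service") == "dns-all"
                          for other in rules)
            if not has_dns:
                findings.append(
                    f"{rule['name']}: Service=http-all has no matching "
                    f"dns-all rule; name resolution will be blocked")
    return findings


# Constructed rule sets mirroring the section's progression.
BEFORE = [
    "Device:/main> add IPRule name=lan_to_wan Action=Allow SourceInterface=G3 "
    "SourceNetwork=InterfaceAddresses/G3_net DestinationInterface=G2 "
    "DestinationNetwork=all-nets Service=http-all",
]
AFTER = [
    "Device:/main> add IPRule name=lan_to_wan Action=NAT SourceInterface=G3 "
    "SourceNetwork=InterfaceAddresses/G3_net DestinationInterface=G2 "
    "DestinationNetwork=all-nets Service=http-all",
    "Device:/main> add IPRule name=lan_to_wan_dns Action=NAT SourceInterface=G3 "
    "SourceNetwork=InterfaceAddresses/G3_net DestinationInterface=G2 "
    "DestinationNetwork=all-nets Service=dns-all",
]

if __name__ == "__main__":
    for label, ruleset in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {lint_rules(ruleset) or ['no findings']}")
```

Run as a script it reports two findings for the single Allow rule and none once the NAT rule and its DNS companion are both present. The address book lookup is deliberately strict: a SourceNetwork name that is not in the book is skipped rather than guessed, so the check only flags what it can actually resolve.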
It is recommended that at least one DNS server is also defined in cOS Core. This DNS server or
servers (a maximum of three can be configured) will be used when cOS Core itself needs to
resolve URLs, which will be the case when a URL is specified in a configuration instead of an IP
address. If we assume an IP address object called dns1_address has already been defined for the
first DNS server, the command to specify the first DNS server is:
Chapter 4: cOS Core Configuration