Specifications

EthernetDevice: 0:ge2 1:<empty>
AutoSwitchRoute: No
AutoInterfaceNetworkRoute: Yes
AutoDefaultGatewayRoute: Yes
ReceiveMulticastTraffic: Auto
MemberOfRoutingTable: All
Comments: <empty>
Setting the default gateway on the interface has the additional effect that CorePlus automatically
creates a route in the default main routing table that has the network all-nets routed on the
interface. This means that we do not need to explicitly create this route.
Even though an all-nets route is automatically added, no traffic can flow without the addition of
an IP rule which explicitly allows traffic to flow. Let us assume we want to allow web browsing
from the protected network ge3_net on the interface ge3. A simple rule to do this would have an
Action of Allow and would be defined with the following commands.
Firstly, we must change the current CLI context to be the default IPRuleSet called main using the
command:
Device:/> cc IPRuleSet main
We do this because additional IP rule sets can be defined; the rule set called main exists by
default. Notice that the CLI prompt changes to reflect the current context:
Device:/main>
Now add an IP rule called lan_to_wan to allow the traffic through to the public Internet:
Device:/main> add IPRule name=lan_to_wan Action=Allow SourceInterface=ge3 SourceNetwork=InterfaceAddresses/ge3_net DestinationInterface=ge2 DestinationNetwork=all-nets Service=http-all
This IP rule would be correct if the internal network hosts have public IP addresses but in most
scenarios this will not be true and internal hosts will have private IP addresses. In that case, we
must use NAT to send out traffic so that the apparent source IP address is the IP of the interface
connected to the ISP. To do this we simply change the Action of the above command from Allow
to NAT:
Device:/main> add IPRule name=lan_to_wan Action=NAT SourceInterface=ge3 SourceNetwork=InterfaceAddresses/ge3_net DestinationInterface=ge2 DestinationNetwork=all-nets Service=http-all
The service used in the IP rule is http-all which will allow most web browsing but does not
include the DNS protocol to resolve URLs into IP addresses. To solve this problem, a custom
service could be used in the above rule which combines http-all with the dns-all service.
However, the recommended method which provides the most clarity to a configuration is to
create a separate IP rule for DNS:
Device:/main> add IPRule name=lan_to_wan_dns Action=NAT SourceInterface=ge3 SourceNetwork=InterfaceAddresses/ge3_net DestinationInterface=ge2 DestinationNetwork=all-nets Service=dns-all
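The following is an added example, not part of the CorePlus documentation or product: a small Python linter that parses add IPRule command lines in the form shown above and flags the two configuration mistakes this section describes, an Allow (rather than NAT) action for a private source network leaving towards the ISP, and an http-all rule with no companion dns-all rule. It assumes, as the text does, that ge2 faces the ISP and that ge3_net holds private addresses; the sample rule lines are constructed from the commands above.

```python
import re
from typing import Dict, List

# Constructed sample: the page's Allow-based web rule and its DNS rule.
SAMPLE_RULES = """
add IPRule name=lan_to_wan Action=Allow SourceInterface=ge3 SourceNetwork=InterfaceAddresses/ge3_net DestinationInterface=ge2 DestinationNetwork=all-nets Service=http-all
add IPRule name=lan_to_wan_dns Action=NAT SourceInterface=ge3 SourceNetwork=InterfaceAddresses/ge3_net DestinationInterface=ge2 DestinationNetwork=all-nets Service=dns-all
"""

# Assumptions (stated by the text, not derived from the device): ge2 is the ISP-facing
# interface and ge3_net contains private (non-routable) addresses.
WAN_INTERFACES = {"ge2"}
PRIVATE_NETWORKS = {"InterfaceAddresses/ge3_net"}


def parse_iprules(text: str) -> List[Dict[str, str]]:
    """Turn each 'add IPRule key=value ...' line into a dict of its parameters."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("add IPRule"):
            rules.append(dict(re.findall(r"(\w+)=(\S+)", line)))
    return rules


def _has_dns_companion(rule: Dict[str, str], rules: List[Dict[str, str]]) -> bool:
    """True if some rule passes dns-all for the same source network and exit interface."""
    return any(
        o.get("Service") == "dns-all"
        and o.get("SourceNetwork") == rule.get("SourceNetwork")
        and o.get("DestinationInterface") == rule.get("DestinationInterface")
        for o in rules
    )


def lint_egress(rules: List[Dict[str, str]]) -> List[str]:
    """Report the two problems the text describes for outbound (all-nets via ISP) rules."""
    findings = []
    for r in rules:
        outbound = (r.get("DestinationInterface") in WAN_INTERFACES
                    and r.get("DestinationNetwork") == "all-nets")
        if not outbound:
            continue
        if r.get("SourceNetwork") in PRIVATE_NETWORKS and r.get("Action") == "Allow":
            findings.append(f"{r['name']}: private source sent to ISP with Action=Allow; use Action=NAT")
        if r.get("Service") == "http-all" and not _has_dns_companion(r, rules):
            findings.append(f"{r['name']}: http-all without a matching dns-all rule; name resolution will fail")
    return findings
```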
Chapter 3: CorePlus Configuration