
Connections via Firewall with Static NAT

If a firewall supporting NAT protects the border of the local network, every connection with the outside network passes through this firewall. ViPNet network nodes can also work through such a device.

If several ViPNet clients are located in one network, you can use a coordinator with one or more network adapters. One of these adapters needs to use the With static NAT firewall type. In addition, the default gateway of the system the coordinator is installed on should be the firewall.

After all clients are installed (assuming they were registered on this coordinator in ViPNet Manager), their Firewall type is automatically set to (this) ViPNet coordinator. This ensures that all client IP packets are routed through the coordinator and leave it with the coordinator's IP address.

You only need to use the With static NAT firewall type on clients if there are no coordinators in the local network or the clients cannot work through a ViPNet coordinator. If ViPNet Coordinator is installed in the internal network, the clients should work through this coordinator (i.e. select ViPNet coordinator as the firewall type), and the firewall settings (With static NAT) should be configured on the coordinator.

If clients in the local network cannot work through a ViPNet Coordinator (see the diagram in Client Connection via Firewall with Static NAT), use the With static NAT firewall type for these clients. Note: The firewall or NAT device you use must be set as the default gateway of the operating systems of the workstations where the clients are installed.

Attention! To exchange encrypted traffic, each client must have its own UDP port number that differs from other clients. This is required to avoid port number conflicts.

You need to set up static rules on the firewall or NAT device to ensure it redirects encrypted ViPNet traffic correctly.

If you're using a coordinator, you need to:

  1. Pass outbound UDP packets with the address and port used by the coordinator (by default, the port is 55777, however, it can be changed).
  2. Redirect inbound UDP packets to the coordinator address.

If you're not using a coordinator, you need to:

  1. Pass outbound UDP packets with the addresses and ports of each client sender.
  2. Redirect inbound UDP packets to local client addresses, selecting clients according to UDP port number specified in the packet.
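The two rule sets above, written out as an added example that is not part of the ViPNet documentation. It assumes the firewall or NAT device is a Linux box using iptables, that eth0 faces the outside network and eth1 the local network, and that the client list and addresses are constructed sample data; every host behind one NAT device is also checked for a distinct UDP port, as the Attention note requires.

```python
"""Generate static NAT rules for ViPNet encrypted UDP traffic (iptables, assumed)."""
from dataclasses import dataclass

DEFAULT_VIPNET_PORT = 55777  # ViPNet default UDP port; can be changed per host


@dataclass(frozen=True)
class VipnetHost:
    name: str
    internal_ip: str
    udp_port: int = DEFAULT_VIPNET_PORT


def ports_are_unique(hosts):
    """True if no two hosts behind this NAT device share a UDP port."""
    return len({h.udp_port for h in hosts}) == len(hosts)


def build_rules(hosts, external_ip, wan_if="eth0", lan_if="eth1"):
    """Return iptables commands: pass outbound UDP from each host's address/port
    (keeping the source port fixed on the outside), redirect inbound UDP to the
    host whose port matches the packet's destination port."""
    if not ports_are_unique(hosts):
        raise ValueError("each ViPNet host behind one NAT device needs its own UDP port")
    rules = []
    for h in hosts:
        # Outbound: allow the encrypted UDP stream and map it to a fixed external address:port
        rules.append(f"iptables -A FORWARD -i {lan_if} -o {wan_if} -p udp"
                     f" -s {h.internal_ip} --sport {h.udp_port} -j ACCEPT")
        rules.append(f"iptables -t nat -A POSTROUTING -o {wan_if} -p udp -s {h.internal_ip}"
                     f" --sport {h.udp_port} -j SNAT --to-source {external_ip}:{h.udp_port}")
        # Inbound: select the host by destination UDP port and redirect to its local address
        rules.append(f"iptables -t nat -A PREROUTING -i {wan_if} -p udp --dport {h.udp_port}"
                     f" -j DNAT --to-destination {h.internal_ip}:{h.udp_port}")
        rules.append(f"iptables -A FORWARD -i {wan_if} -o {lan_if} -p udp"
                     f" -d {h.internal_ip} --dport {h.udp_port} -j ACCEPT")
    return rules


def resolve_inbound(hosts, dport):
    """Host an inbound packet with UDP destination port dport is delivered to, or None."""
    return next((h for h in hosts if h.udp_port == dport), None)


# Constructed sample: three clients with no coordinator, all behind one NAT device
CLIENTS = [VipnetHost("client-a", "192.168.10.11"),
           VipnetHost("client-b", "192.168.10.12", 55778),
           VipnetHost("client-c", "192.168.10.13", 55779)]

if __name__ == "__main__":
    for rule in build_rules(CLIENTS, "203.0.113.5"):
        print(rule)
```

With a coordinator, the list holds the single coordinator entry instead, and only its address and port are passed and redirected.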

To configure a client's connection via a firewall (NAT) where static rules of address translation are possible:

  1. Ensure there is a tick in the Use Firewall check box.
  2. Select With static NAT from the Firewall type drop-down box.
  3. If necessary, change the port number in the UDP port text box. By default, it is 55777. Changing the UDP port is necessary if several ViPNet hosts work through one firewall (or other NAT device). In this case, such hosts must have different port numbers.

  4. To fix an external IP address for accessing this client through the firewall, select the Fix the external IP address for access through the Firewall check box and choose the IP address from the drop-down list.

    If no IP address is specified, the address is taken from the outer header of the IP packet as it arrives. If an IP address is specified, external network nodes send packets for this client to the specified address, regardless of the address substituted into the outer header of the packet by the firewall.

    We recommend you select this option only if the firewall has several external addresses and you need incoming packets routed through a specific address, regardless of the firewall address from which a packet left.

  5. Click Apply to save your settings.

To configure a coordinator's connection via a firewall (NAT) where static rules of address translation are possible:

  1. Ensure there is a tick in the Use Firewall check box.
  2. Select With static NAT from the Firewall type drop-down box.

  3. If necessary, change the port number in the UDP access port text box. By default, it is 55777.
  4. Select the network adapter located on the same side as the firewall or NAT device from the Network interface connected to Firewall drop-down list box.
  5. To fix an external IP address for accessing this coordinator through the firewall, select the Fix external IP address for access through Firewall check box and choose the IP address from the drop-down list.
  6. Click Apply to save your settings.



© 2007 Infotecs