Description:
Operating LTA on a LANCOM router (LCOS) requires the use of two gateways; one as a dedicated LTA gateway and one to provide Internet access. This is because the automatically created firewall rules for LTA access use the routing tag of the accessible network (usually the INTRANET with routing tag 1). However, this makes it impossible to communicate with other networks because they use other routing tags.
To enable communication in other networks, the automatically created firewall rules must be set with the correct routing tags. This has to be implemented by an Add-in script.
This article describes how to use an Add-in to enable an LTA user to communicate with other networks and to allow the same gateway to be used for both Internet and LTA access.
LANCOM R&S®Unified Firewalls can be used as Internet and LTA gateways without further configuration, as they do not support routing tags.
A separate firewall rule is created for each network and each LTA user. For an LTA user to communicate with any other networks, the rules for those other networks must all be adjusted accordingly. Consequently the configuration can quickly become very complex! The procedure described below is therefore intended for smaller scenarios.
Requirements:
- Access to the LMC including your own project (subject to charge)
- LANCOM router as the Internet and LTA gateway
- LCOS as of version 10.80 Rel (download latest version)
- Configured LTA scenario
- Any web browser for accessing the LMC
Scenario:
In an LTA scenario, the following networks are configured:
- INTRANET: Network address 10.0.0.0/8, VLAN untagged, routing tag 1
- Intranet2: Network address 192.168.10.0/24, VLAN 10, Routing tag 10, Name of the LTA connection target NETWORK10
- Intranet3: Network address 192.168.20.0/24, VLAN 20, Routing tag 20, Name of the LTA connection target NETWORK20
There is an LTA access account with the name LTA-USER. Since the INTRANET is the accessible network, the LTA-USER is already able to communicate with this network. However, communication with the Intranet 2 and Intranet 3 networks is not possible due to the different routing tags.
By adjusting the routing tags in the firewall rules, the LTA-USER will be able to communicate with all networks.
Procedure
1) Importing the Add-in:
1.1) Download the following add-in.
For further information about this Add-in, see our add-ins manual:
1.2) In the LMC, go to the Add-ins menu and click Import.
1.3) Click Select file and then select the Add-in.
1.4) Select the Add-in FirewallRule and then click Import.
1.5) Confirm the message by clicking Close.
2) Reading-out the network information:
If necessary, repeat this step for additional LTA users.
2.1) In the LMC, go to the Devices menu and click the Name of the LTA gateway to access the detailed configuration.
2.2) Switch to the tab Detail configuration and click on Rollout configuration (preview) to display the configuration components automatically created by the LMC.
2.3) In the Detail configuration, go to the menu Firewall/QoS → IPv4 Rules → Rule table.
2.4) Click on the Firewall rule of the second network (in this example Intranet2) to view the parameters of the rule.
The name of the firewall rule is saved in the format LTA-<Name of the LTA connection target>. This results in Intranet2 being given the name LTA-NETWORK10 and Intranet3 getting the name LTA-NETWORK20 (also see the scenario description).
2.5) Copy the values of the following parameters into a text file.
- Name of this rule
- Protocols
- Source
- Destination
- Actions
- Source tag
2.6) Click the Firewall rule of the third network (in this example Intranet3) to view the parameters of the rule.
The name of the firewall rule is saved in the format LTA-<Name of the LTA connection target>. This results in Intranet2 being given the name LTA-NETWORK10 and Intranet3 getting the name LTA-NETWORK20 (also see the scenario description).
2.7) Copy the values of the following parameters into a text file:
- Name of this rule
- Protocols
- Source
- Destination
- Actions
- Source tag
3) Customizing and assigning the Add-in:
If necessary, create additional firewall rules for additional LTA users.
3.1) In the LMC, go to the menu Add-ins and click the Add-in imported in Step 1 to open it in the Add-in Editor.
3.2) Enter the commands to create the firewall rules and click Save:
The command to create a firewall rule is entered in the following format:
addFirewallRule("<Name of the firewall rule>", "<Protocol>", "<Source>", "<Destination>", "<Action>", "<Source tag>", "<Routing tag>");
- Firewall rule for the network Intranet2:
- Enter the values copied in step 2.5 into the command. The routing tag to use is the value specified in the scenario description (in this example the tag 10).
- The command to create the firewall rule for the Intranet2 is therefore as follows: addFirewallRule("LTA-NETWORK10", "ANY", "LTA-USER", "ANY LO^NETWORK10_", "ACCEPT", "1", "10");
- Enter the values copied in step 2.5 into the command. The routing tag to use is the value specified in the scenario description (in this example the tag 10).
- Firewall rule for the network Intranet3:
- Enter the values copied in step 2.7 into the command. The routing tag to use is the value specified in the scenario description (in this example the tag 20).
- The command to create the firewall rule for the intranet3 is therefore as follows: addFirewallRule("LTA-NETWORK20", "ANY", "LTA-USER", "ANY LO^NETWORK20_", "ACCEPT", "1", "20");
- Enter the values copied in step 2.7 into the command. The routing tag to use is the value specified in the scenario description (in this example the tag 20).
- The individual parameters must be enclosed in quotation marks (") because the LMC requires this as a string.
- Furthermore, the individual parameters must be separated by a comma (,).
- Each command must be separated by a semicolon (;).
3.3) In the LMC, go to the Add-ins menu and click Allocation.
3.4) Select a network that is assigned to the LTA gateway (in this example INTRANET) and, under Apply Add-ins, select the add-in FirewallRule. Then click Apply.
3.5) Click Save to complete the assignment.
Then check the rollout configuration in the two firewall rules (see Step 2) to see whether the Add-in set the parameters correctly.
4) Roll-out the configurations to the router:
4.1) Go to the Devices menu in the LMC and, for the LTA gateway, click on Outdated under Configuration to start the rollout process.
4.2) Confirm the prompt by clicking on Roll out.
4.3) This concludes the configuration of the scenario. The LTA user can now communicate with all networks.