Management Gateway Firewall is blocking IP Addresses listed in the Allowed IPs area!

Version 5

    Description

    The Blocked Address List on the Gateway overrides any Allowed Address that falls within an existing Blocked Address List IP or range.  This is because the Blocked Address List is loaded into the firewall settings before the Allowed Address List, so a blocked range wins over any allowed entry inside it.

    Note:  Currently this does not affect the 4.0 Version of the Management Gateway, only the 4.2 Version of the Management Gateway.

    For Example:

    If you have many machines located across a variety of 192.168.x.0 subnets and 192.168.0.0/16 is blocked in the LDMG Firewall, then NO address in the Allowed section that starts with 192.168. will work.  If you drop 192.168.0.0/16 from the Blocked list, everything works.

    This applies to ALL IP addresses or ranges in the Blocked Address List, not just the 192.168 range; the private 10-net, 172-net and 192-net ranges are simply the most common case.


    The Problem:

    What if you want to be more security conscious and lock down internal access to the gateway from all the other internal machines?

    For Instance:
      • The external firewall NATs a public IP address to the internal address of the Management Gateway.
      • The external firewall's internal IP address is 192.168.7.1.
      • The Management Gateway's internal IP address is 192.168.7.21.
      • A network sniffer shows that traffic goes directly between those two endpoints without other hops.
      • The DMZ containing these machines is within the 192.168.7.x subnet.

    If the firewall has 192.168.0.0/16 blocked, then no traffic reaches the gateway, even when the specific internal IP addresses and ranges (192.168.7.21, 192.168.7.1, 192.168.7.0/24) are entered in the Allowed area.  No external traffic can access the gateway web pages unless its public IP is listed in the Allowed address list.

    If 192.168.0.0/16 is dropped from the Blocked list, then everything works correctly.  If you do not want to drop the whole range, and only want the 192.168.7.0 subnet to have access, then you need a workaround.  One workaround that has been tested is to replace the single 192.168.0.0/16 entry with a set of narrower blocked ranges that together cover all of 192.168.0.0/16 except 192.168.7.0/24.

    Such as removing the 192.168.0.0/16 entry and adding these entries:

    192.168.128.0/17
    192.168.64.0/18
    192.168.32.0/19
    192.168.16.0/20
    192.168.8.0/21
    192.168.0.0/22
    192.168.4.0/23
    192.168.6.0/24

    This list is SPECIFIC to the 192.168.7.0/24 range and will not work for other ranges.

    For other ranges to work you have to do the equivalent subnet calculations yourself: split the blocked range in half, keep blocking the half that does not contain the subnet you want to allow, and repeat on the other half until only the allowed subnet is left out.

    Resolution


    1. Remove the blocked 192.168.0.0/16 range completely, or
    2. Replace the blocked 192.168.0.0/16 range with a set of narrower ranges that leave out the subnet you need to allow.

    Such as this list, which does not block the 192.168.7.x range:

    192.168.128.0/17
    192.168.64.0/18
    192.168.32.0/19
    192.168.16.0/20
    192.168.8.0/21
    192.168.0.0/22
    192.168.4.0/23
    192.168.6.0/24
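The following script is an added example and is not part of the original article or of the Management Gateway product; it works entirely offline with the Python standard library.  It does three things a practitioner would want before touching the gateway lists: it flags every Allowed entry that a Blocked range will override (modelling the block-before-allow behaviour the article describes), it generates the replacement blocked list for any blocked range and any subnet to carve out (the article's eight-entry list is the special case for 192.168.0.0/16 and 192.168.7.0/24), and it checks which source addresses would actually reach the gateway under the two configurations.  The sample lists are the ones from the DMZ example above; the function names are this example's own.

```python
import ipaddress

# Lists from the KB article's DMZ example: the specific internal addresses are
# in the Allowed list while the whole 192.168.0.0/16 range is in the Blocked list.
BLOCKED_BEFORE = ["192.168.0.0/16"]
ALLOWED = ["192.168.7.21", "192.168.7.1", "192.168.7.0/24"]


def _net(entry):
    """Parse a single address or CIDR range into a network object.
    A bare address becomes a /32 host network."""
    return ipaddress.ip_network(entry, strict=False)


def shadowed_allowed_entries(blocked, allowed):
    """Return the Allowed entries that the Blocked list will override.

    Models the behaviour described in the article: the Blocked list is loaded
    first, so any Allowed entry that overlaps a blocked range never takes effect.
    Run this before saving the gateway lists; a non-empty result means the
    configuration will not do what you expect.
    """
    blocked_nets = [_net(b) for b in blocked]
    return [entry for entry in allowed
            if any(_net(entry).overlaps(b) for b in blocked_nets)]


def carve_out(blocked_range, keep_subnet):
    """Replace one blocked range with the smallest set of CIDR prefixes that
    still covers everything in it except `keep_subnet`.

    This is the general form of the article's eight-entry list, which is what
    carve_out("192.168.0.0/16", "192.168.7.0/24") produces: at each prefix
    length the half that does not contain the kept subnet is emitted, and the
    other half is split again, down to the kept subnet's own prefix length.
    """
    blocked = _net(blocked_range)
    keep = _net(keep_subnet)
    if not keep.subnet_of(blocked):
        raise ValueError(f"{keep} is not inside {blocked}")
    return [str(n) for n in blocked.address_exclude(keep)]


def total_addresses(ranges):
    """Number of addresses covered by a list of CIDR ranges (used to confirm
    that a carve-out covers the original range minus the kept subnet)."""
    return sum(_net(r).num_addresses for r in ranges)


def is_reachable(ip, blocked, allowed):
    """Decide whether a source `ip` reaches the gateway under the article's
    block-before-allow semantics: a blocked match wins over any allowed
    match, and a source that matches neither list is refused."""
    addr = ipaddress.ip_address(ip)
    if any(addr in _net(b) for b in blocked):
        return False
    return any(addr in _net(a) for a in allowed)


if __name__ == "__main__":
    # Before: every allowed entry is shadowed, so even the firewall's own
    # internal address (192.168.7.1) cannot reach the gateway.
    print("Shadowed allowed entries:", shadowed_allowed_entries(BLOCKED_BEFORE, ALLOWED))
    print("192.168.7.1 reachable (before):", is_reachable("192.168.7.1", BLOCKED_BEFORE, ALLOWED))

    # After: the /16 is replaced by ranges that leave 192.168.7.0/24 unblocked.
    replacement = carve_out("192.168.0.0/16", "192.168.7.0/24")
    print("Replacement blocked list:", replacement)
    print("Still shadowed:", shadowed_allowed_entries(replacement, ALLOWED))
    for probe in ("192.168.7.21", "192.168.6.5", "192.168.200.1", "10.1.1.1"):
        print(probe, "reachable (after):", is_reachable(probe, replacement, ALLOWED))
```

`carve_out` is what removes the "works only for 192.168.7.0/24" limitation noted above: feed it the range you block and the subnet you need, and it prints the entries to paste into the Blocked list.  Running `shadowed_allowed_entries` on the final lists before saving them is the quickest way to catch the ordering problem this article describes.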