The Blocked Address List on the Gateway overrides any Allowed Address that falls under an existing Blocked Address List IP or range. This is because the Blocked Address List is loaded into the firewall settings before the Allowed Address List.
Note: Currently this affects only the 4.2 version of the Management Gateway, not the 4.0 version.
If you have many machines located across a variety of 192.168.x.0 subnets and 192.168.0.0/16 is blocked in the LDMG Firewall, then NO address in the Allowed section that starts with 192.168. will work. If you drop 192.168.0.0/16 from the Blocked list, everything works.
This applies to ALL IP addresses or ranges in the Blocked Address List, not just the 192.168 range; the private 10-net, 172-net, and 192-net ranges are the usual cases.
What if you are trying to be more security conscious and want to lock down internal access to the gateway from all the other internal machines? Consider this scenario:
- The external firewall NATs a public IP address to the internal address of the Management Gateway.
- The external firewall's internal IP address is 192.168.7.1.
- The Management Gateway's internal IP address is 192.168.7.21.
- A network sniffer shows that traffic goes between those two destinations without other hops.
- The DMZ that contains these machines is within the 192.168.7.x subnet.
If the firewall has 192.168.0.0/16 blocked, then no traffic gets to the gateway, even when the specific internal IP addresses and ranges (192.168.7.21, 192.168.7.1, 192.168.7.0/24) are inserted into the Allowed area. No external traffic can access the gateway web pages unless its public IP is specified in the Allowed address listing.
If 192.168.0.0/16 is dropped, then everything works correctly. If you do not want to drop the whole range, and only want the 192.168.7.0 subnet range to have access, then you have to find a workaround. One workaround that has been tested is to block only the specific parts of the subnetting around 192.168.7 in the Blocked area.
Such as removing the 192.168.0.0/16 and adding these entries:
This is SPECIFIC to the 192.168.7.0/24 range and will not work on other ranges.
For other ranges to work you have to do some subnet calculations:
- Remove the blocked 192.168.0.0/16 range completely.
- Replace the blocked 192.168.0.0/16 range with entries that work around the section you want to keep open.
Such as this list not blocking the 192.168.7.x range:
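The entry list itself is not reproduced here. As an added example (not part of the original article or the LDMG product), the following Python script does the subnet calculation the article refers to for any blocked range and any subnet you want to keep open, and also models the precedence rule described above (a Blocked match wins over any Allowed entry) so you can check the result before touching the gateway. The assumption that the gateway denies on any Blocked match regardless of Allowed entries is taken from the article; the host addresses are the article's own scenario plus constructed test values.

```python
import ipaddress
from typing import Iterable, List

# Added example, not from the original article. Assumption (from the article):
# the gateway loads the Blocked Address List first, so a blocked entry that
# contains an address denies it even when an Allowed entry also contains it.


def parse_networks(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Turn list entries ('192.168.7.21' or '192.168.0.0/16') into networks."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_permitted(ip: str, blocked: Iterable[str], allowed: Iterable[str]) -> bool:
    """Model of the precedence described in the article: any Blocked match
    denies, regardless of the Allowed list; otherwise an Allowed match is needed."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in parse_networks(blocked)):
        return False
    return any(addr in net for net in parse_networks(allowed))


def carve_out(blocked_range: str, keep_open: str) -> List[str]:
    """Replace one blocked range with the smallest set of CIDR blocks that
    cover everything in it except `keep_open` (the subnet calculation the
    article says is needed for ranges other than 192.168.7.0/24)."""
    big = ipaddress.ip_network(blocked_range)
    hole = ipaddress.ip_network(keep_open, strict=False)
    if not hole.subnet_of(big):
        raise ValueError(f"{hole} is not inside {big}")
    return [str(n) for n in sorted(big.address_exclude(hole))]


def covers_exactly(pieces: Iterable[str], blocked_range: str, keep_open: str) -> bool:
    """Sanity check: the pieces are disjoint, all lie inside the original
    range, none overlaps keep_open, and together they cover exactly
    the original range minus keep_open."""
    big = ipaddress.ip_network(blocked_range)
    hole = ipaddress.ip_network(keep_open, strict=False)
    nets = parse_networks(pieces)
    total = sum(n.num_addresses for n in nets)
    disjoint = all(not a.overlaps(b)
                   for i, a in enumerate(nets) for b in nets[i + 1:])
    inside = all(n.subnet_of(big) and not n.overlaps(hole) for n in nets)
    return disjoint and inside and total == big.num_addresses - hole.num_addresses


if __name__ == "__main__":
    # The article's scenario: /16 blocked, DMZ hosts listed as Allowed.
    blocked = ["192.168.0.0/16"]
    allowed = ["192.168.7.21", "192.168.7.1", "192.168.7.0/24"]
    print("firewall 192.168.7.1 permitted with /16 blocked?",
          is_permitted("192.168.7.1", blocked, allowed))        # False

    # Replacement Blocked entries that leave only 192.168.7.0/24 open.
    pieces = carve_out("192.168.0.0/16", "192.168.7.0/24")
    print("replacement Blocked entries:", pieces)
    print("pieces cover /16 minus /24 exactly?",
          covers_exactly(pieces, "192.168.0.0/16", "192.168.7.0/24"))  # True
    print("firewall permitted after carve-out?",
          is_permitted("192.168.7.1", pieces, allowed))         # True
    # Constructed address on another internal subnet: still denied.
    print("192.168.9.5 still blocked?",
          not is_permitted("192.168.9.5", pieces, allowed))     # True
```

Run it once with your own blocked range and DMZ subnet, then paste the printed entries into the Blocked Address List in place of the single large range; `covers_exactly` confirms that no other address in the original range has been opened up by the substitution.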