I'm trying to route public IP traffic to one of our 5 static IPs through my Comcast CISCO DPC3939B gateway and then through my Windows Server 2012 using Firewall With Advanced Security to a LAN IP manufacturing device. Accessing the CISCO gateway via IP 10.1.10.1, I have options to configure port forwarding, NAT and static routing, but I frankly don't know which is the most secure or efficient, and so far I've not been successful (small biz guy pretending to do IT).
Here is my current setup. I'll be grateful for any guidance.
Bridge Mode: Disabled
LAN DHCP: Disabled
LAN IP: 10.1.10.1
Firewall IPv4 Options: Disabled Firewall for True Static IP Subnet Only and Disabled Gateway Smart Packet Detection
Firewall IPv4 Security Level: Medium
Port Forwarding: Enabled, but no custom services created yet
NAT: Disable All
Static Routing: (blank)
Windows Server 2012
Internal NIC IP: 192.168.16.250
Internal NIC Subnet: 255.255.255.0
Internal NIC Gateway: (blank)
Internal NIC DNS: 192.168.16.250
External NIC IP: 75.145.XXX.XXX (one of my 5 static IPs)
External NIC Subnet: 255.255.255.248
External NIC Gateway: 75.145.XXX.XXX (Comcast gateway IP assigned after static addresses)
External NIC DNS: 184.108.40.206/76 (Preferred/Alternate)
Windows Firewall Inbound Rule
Protocol TCP to Local Port 60XXX allowed from all Remote Ports
Scope Local IP: 192.168.16.250, 75.145.XXX.XXX (external NIC IP)
Scope Remote IP: 192.168.16.XXX (LAN machine IP)
Profile: applies to Domain, Private and Public
Hello Jon_Denver and welcome,
The easiest means by which I know to accomplish your objectives are as follows:
A.) If your 2012 Server (2012Svr) is using an "External NIC IP: 75.145.XXX.XXX (one of my 5 static IPs)", then this should be physically connected to any one of the DPC3939B (DPC) LanPorts 1-4. In order to implement the highest security for your 2012Svr, it would be necessary for you to ONLY have the actual Application and/or Control Facility Port(s) open by performing the following:
* first in FW IP4 you should enable (by unchecking) the Disable True Static IP Subnet Only radio button. By enabling this it gives you complete security control on your static IP devices as I will explain below.
* then go to Advanced, Static IP Port Management, uncheck disable all Static IP rules, then make sure the "block all ports with the following exceptions" menu-item is selected in the drop-down menu.
* next, click the add button to ONLY open the ports used by your applications and/or control facility running on your 75.145.XXX.XXX static IP routable address. So, this means that whatever port you need open on your 2012Svr for internal or external routing, you can open the(se) port(s) only, in order to facilitate any application and/or control your transactional processing.
This is one of the most straightforward means to route DPC internal and/or external traffic from any static IP routable address device. Please let me know if I have misunderstood any of your networking business requirements.
Hope this helps you out.
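The steps above end with a "block all ports with the following exceptions" policy on the static IP, and the right way to confirm it took effect is to probe the static IP from outside (as the later reply does with mxtoolbox). The script below is an added example for that check, not code from the thread or from the DPC3939B; the address 203.0.113.10 and the port sets are constructed placeholders, and it must be run from a host outside the Comcast network to mean anything.

```python
import socket
from typing import Callable, Dict, Iterable, List

# Constructed sample policy mirroring the thread: STATIC_IP stands in for the
# 75.145.XXX.XXX static address (placeholder from the TEST-NET range, not real),
# EXPECTED_OPEN holds the ports added as exceptions on the DPC3939B, and every
# port in EXPECTED_BLOCKED must refuse or time out once the block-all rule is on.
STATIC_IP = "203.0.113.10"
EXPECTED_OPEN = {25, 443}
EXPECTED_BLOCKED = {80, 3389, 60000}

ProbeFn = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake completes, False if refused or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_policy(host: str, expected_open: Iterable[int], expected_blocked: Iterable[int],
                  probe: ProbeFn = tcp_probe) -> Dict[str, List[int]]:
    """Compare observed reachability with the intended gateway rules.

    'unexpectedly_open' lists ports that still answer although no exception was
    created for them (the symptom the later reply describes for mail and web);
    'unexpectedly_closed' lists exceptions that do not answer, which points at a
    rule that never applied or a service that is down behind it.
    """
    unexpectedly_open = sorted(p for p in expected_blocked if probe(host, p))
    unexpectedly_closed = sorted(p for p in expected_open if not probe(host, p))
    return {"unexpectedly_open": unexpectedly_open,
            "unexpectedly_closed": unexpectedly_closed}


def policy_holds(report: Dict[str, List[int]]) -> bool:
    """True only when observed reachability matches the intended policy exactly."""
    return not report["unexpectedly_open"] and not report["unexpectedly_closed"]


if __name__ == "__main__":
    result = verify_policy(STATIC_IP, EXPECTED_OPEN, EXPECTED_BLOCKED)
    print("policy holds" if policy_holds(result) else f"policy violated: {result}")
```

Run it once before adding any exceptions (every port in both sets should come back closed) and again after, so a gateway that ignores the block-all rule shows up as ports in `unexpectedly_open`.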
I have a similar setup and I followed your instructions. Right before I ADD NEW any port forwarding rules, I would not expect any port forwarding to my servers, right? But when I tested my mail server with mxtoolbox.com, it came back with a response, and my web server is still browseable from the Internet.
Does anyone have a similar situation? If so, this is a major fault with the DPC3939B.
This is my DPC3939B: