Description
The Blocked Address List on the Gateway overrides any Allowed Address that falls under an existing Blocked Address List IP or range. This is because the Blocked Address List is loaded into the firewall settings before the Allowed Address List.
Note: Currently this does not affect the 4.0 version of the Management Gateway, only the 4.2 version of the Management Gateway.
For Example:
If you have many machines located across a variety of 192.168.x.0 subnets and 192.168.0.0/16 is blocked in the LDMG firewall, then NO address in the Allowed section that starts with 192.168. will work. If you drop 192.168.0.0/16 from the Blocked list, everything works.
This applies to ALL IP addresses or ranges in the Blocked Address List, including the private 10-net, 172-net and 192-net ranges, not just the 192.168 range.
The Problem:
What if you want to be more security conscious and lock down internal access to the gateway from all other internal machines?
For Instance:
- The external firewall NATs a public IP address to the internal address of the Management Gateway.
- The external firewall's internal IP address is 192.168.7.1.
- The Management Gateway's internal IP address is 192.168.7.21.
- A network sniffer shows that traffic goes between those two destinations without other hops.
- The DMZ that contains these machines exists within the 192.168.7.x subnet.
If the firewall has 192.168.0.0/16 blocked, then no traffic gets to the gateway, even when the specific internal IP addresses and ranges (192.168.7.21, 192.168.7.1, 192.168.7.0/24) are inserted into the Allowed area. No external traffic can access the gateway web pages unless its public IP is specified in the Allowed address listing.
If 192.168.0.0/16 is dropped, then everything works correctly. If you do not want to drop the whole range, and only want the 192.168.7.0 subnet range to have access, then you have to find a workaround. One workaround that has been tested is to block only the specific parts of the surrounding address space that do not include 192.168.7.x.
Such as removing 192.168.0.0/16 and adding these entries:
192.168.128.0/17
192.168.64.0/18
192.168.32.0/19
192.168.16.0/20
192.168.8.0/21
192.168.0.0/22
192.168.4.0/23
192.168.6.0/24
This list is SPECIFIC to the 192.168.7.0/24 range and will not work for other ranges.
For other ranges you have to do the corresponding subnet calculations.
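The subnet calculation the article refers to, as an added example in Python (not part of the original article or of the Management Gateway product): it generalises the 192.168.7.0/24 list above to any blocked range and allowed subnet, and assumes only the standard-library ipaddress module.

```python
import ipaddress


def exclude_subnet(blocked, allowed):
    """Split `blocked` into the CIDR blocks that cover every address in it
    EXCEPT those in `allowed` (the general form of the article's list).

    Each step halves the current block, keeps the half that does not
    contain `allowed` as a blocked entry, and descends into the other
    half until only `allowed` itself is left over.
    """
    block = ipaddress.ip_network(blocked)
    keep = ipaddress.ip_network(allowed)
    if not keep.subnet_of(block):
        raise ValueError(f"{keep} is not inside {block}")
    entries = []
    current = block
    while current != keep:
        lower, upper = current.subnets(prefixlen_diff=1)
        if keep.subnet_of(lower):
            entries.append(str(upper))   # upper half never touches `allowed`
            current = lower
        else:
            entries.append(str(lower))   # lower half never touches `allowed`
            current = upper
    return entries


def is_blocked(entries, address):
    """True if `address` falls inside any entry of the blocked list."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(e) for e in entries)


def matches_stdlib(blocked, allowed):
    """Cross-check against ipaddress.address_exclude(), which computes the
    same set of blocks (order may differ, so compare as sets)."""
    block = ipaddress.ip_network(blocked)
    keep = ipaddress.ip_network(allowed)
    expected = {str(n) for n in block.address_exclude(keep)}
    return set(exclude_subnet(blocked, allowed)) == expected


if __name__ == "__main__":
    # The article's case: keep 192.168.7.0/24 reachable, block the rest of the /16.
    entries = exclude_subnet("192.168.0.0/16", "192.168.7.0/24")
    print("\n".join(entries))
    print("192.168.7.21 blocked?", is_blocked(entries, "192.168.7.21"))  # False
    print("192.168.6.1 blocked?", is_blocked(entries, "192.168.6.1"))    # True
```

Run it with a different pair (for example 10.0.0.0/8 and 10.20.30.0/24) to get the equivalent blocked-list entries for another subnet, and use is_blocked to confirm the gateway and firewall addresses are left reachable before applying the list.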
Resolution
- Remove the blocked 192.168.0.0/16 range completely, or
- replace the blocked 192.168.0.0/16 range with narrower ranges that leave out the subnet you need to allow.
For example, this list blocks the rest of 192.168.0.0/16 without blocking the 192.168.7.x range:
192.168.128.0/17
192.168.64.0/18
192.168.32.0/19
192.168.16.0/20
192.168.8.0/21
192.168.0.0/22
192.168.4.0/23
192.168.6.0/24