AVM Fritzbox and the 'Exposed Host' Setting
The Fritzbox 7340 is the only really available VDSL modem/router in the Netherlands. Too bad, since it has some bugs (but what piece of software doesn't?). Fortunately, the router works well, as long as you use it as the only networking device in your (small) network.
In the last couple of days I've been busy adding the Juniper SRX100 branch firewall to my local home network. The idea was the following:
- The Fritzbox (FB) will remain the Internet router
- My web/mail/ssh server is placed behind the SRX100
- All the individual port forward rules in the Fritzbox are directed to the SRX100 by selecting the SRX100 as the 'Exposed Host' in the FB.
The advantage of the 'Exposed Host' setting is that every packet is forwarded to the firewall, and this seemed to work. Seemed... because not everything worked as advertised.
Every connection which uses some sort of SSL/TLS encryption failed for some reason. I initially thought that it had something to do with the two NAT devices chained together, but I was wrong...
The 'Exposed Host' setting in the FB isn't working as it should. Adding explicit port forward rules in the FB to my SRX100 solved the problem. This led me to do the following:
- Add the SSL/TLS port forward rules by hand in the FB
- Use the Exposed Host setting for all other protocols.
This way I still have control (to some extent) over the rule base in the SRX100.
NOTE: There is a firmware update for the FB at this moment (99.04.89), but the release notes don't mention anything in regards to this 'feature'. So I will still file a bug report with AVM.
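For the SRX100 side of this setup, here is an added example (not the author's configuration) of the destination NAT and security policy needed so that the ports the FB forwards to the SRX reach the server behind it. Assumed values, all constructed: the SRX untrust interface holds 192.168.178.2 on the FB LAN, the web/mail/ssh server is 10.0.0.10 in the trust zone, and the forwarded TLS services are HTTPS, IMAPS and SSH.

```junos
/* Constructed example: SRX100 receives FB-forwarded traffic on 192.168.178.2 */
security {
    nat {
        destination {
            /* One pool per service; each rewrites the destination to the internal server */
            pool srv-https { address 10.0.0.10/32 port 443; }
            pool srv-imaps { address 10.0.0.10/32 port 993; }
            pool srv-ssh   { address 10.0.0.10/32 port 22; }
            rule-set from-untrust {
                from zone untrust;
                /* Match only traffic aimed at the SRX's own untrust address */
                rule https { match { destination-address 192.168.178.2/32; destination-port 443; } then { destination-nat pool srv-https; } }
                rule imaps { match { destination-address 192.168.178.2/32; destination-port 993; } then { destination-nat pool srv-imaps; } }
                rule ssh   { match { destination-address 192.168.178.2/32; destination-port 22; }  then { destination-nat pool srv-ssh; } }
            }
        }
    }
    zones {
        security-zone trust {
            address-book { address srv 10.0.0.10/32; }
        }
    }
    policies {
        /* Policies are evaluated after destination NAT, so match the real server address */
        from-zone untrust to-zone trust {
            policy allow-server {
                match {
                    source-address any;
                    destination-address srv;
                    application [ junos-https junos-imaps junos-ssh ];
                }
                then { permit; }
            }
        }
    }
}
```

Anything not listed here is still dropped by the default deny, so adding the Exposed Host for the remaining protocols on the FB does not expose the server until a matching NAT rule and policy exist on the SRX.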
Reader Comments (2)
Hello Willem,
Has the problem been solved now with firmware 99.05.22? I would like to set up the same thing and would like to know whether the exposed host now works fully.
Hi Olandese,
It does work, but you have to bear in mind that you may need to create an explicit entry in the forwarding table in the FritzBox for the protocols mentioned.
In my FritzBox I no longer need them separately. A single entry for the exposed host now works (apparently).