Applicable to: version 9.5.3 build 14 onwards
A same zone firewall rule is required when internal users need access to internally hosted servers.
It is also popularly known as a “Loopback” firewall rule.
Commonly, a virtual host is created to map the services of the public IP address to the services of the internally hosted servers.
Cyberoam automatically creates a same zone firewall rule for the zone of the virtual host's mapped IP address. For example, if a virtual host is created with a mapped IP in the LAN zone, a LAN-to-LAN firewall rule is created. The firewall rule is created for the service specified in the virtual host.
Let us consider a hypothetical network where a web server is hosted in the internal network and a website, www.sample.com, is hosted on it. The public IP address to access the site is 18.104.22.168.
To allow access to this web site from external world, you need to create
- virtual host which will map public IP address (22.214.171.124) to actual Web server (10.10.10.5)
- WAN to LAN firewall rule
while LAN-to-LAN firewall rule is automatically created by Cyberoam.
Now, when an internal user (10.10.10.17) tries to access www.sample.com, the request is sent to the public IP address, i.e. 126.96.36.199, and Cyberoam forwards it to the actual Web server, i.e. 10.10.10.5. But because Cyberoam does not NAT the source address of the request, and the requesting host and the server are on the same subnet, the Web server sends its reply directly to the internal user.
In this case the SYN packet of the request passes through Cyberoam, but the SYN/ACK packet does not. Cyberoam therefore drops the request, the three-way handshake remains incomplete, and the user cannot access the site.
To overcome this problem, a LAN-to-LAN firewall rule is required. This rule forwards the request to the Web server with the Cyberoam internal IP address as the source, so the Web server sends its reply back to Cyberoam.
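The following is an added illustration, not Cyberoam code, that models the two packet flows described above: a LAN client connecting to the virtual host's public address, first without and then with the loopback (LAN-to-LAN) rule. It assumes a firewall LAN address of 10.10.10.1 (not given in the article), uses the public address from the start of the example, and reduces the firewall to a virtual-host DNAT plus an optional source NAT to the firewall's own LAN IP, which is what the loopback rule adds.

```python
"""Model of the Cyberoam 'loopback' (same-zone) firewall rule problem.

Without the LAN-to-LAN rule the firewall only DNATs the request, so the
server's SYN/ACK goes straight to the client on the shared subnet and never
crosses the firewall.  With the rule the request is also SNATed to the
firewall's LAN address, so the reply returns through the firewall.
"""
from dataclasses import dataclass
import ipaddress

PUBLIC_IP = "18.104.22.168"       # public (virtual host) address from the article
SERVER_IP = "10.10.10.5"          # internal web server from the article
CLIENT_IP = "10.10.10.17"         # internal user from the article
FIREWALL_LAN_IP = "10.10.10.1"    # assumption: the firewall's LAN interface address
LAN = ipaddress.ip_network("10.10.10.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str          # "SYN" or "SYN/ACK"


class Firewall:
    """Minimal stateful firewall: virtual-host DNAT plus optional loopback SNAT."""

    def __init__(self, loopback_rule: bool):
        self.loopback_rule = loopback_rule
        self.seen = []          # packets that actually crossed the firewall
        self.conntrack = {}     # (translated src, translated dst) -> (orig src, orig dst)
        self.state = {}         # (orig src, orig dst) -> "SYN_SENT" / "ESTABLISHED"

    def forward_request(self, pkt: Packet) -> Packet:
        self.seen.append(pkt)
        if pkt.dst != PUBLIC_IP:
            return pkt                      # not for the virtual host: no translation
        # Virtual host: DNAT the public IP to the real server.  The loopback rule
        # additionally SNATs the client to the firewall's LAN IP, so the server's
        # reply is addressed to the firewall instead of to the client.
        new_src = FIREWALL_LAN_IP if self.loopback_rule else pkt.src
        out = Packet(new_src, SERVER_IP, pkt.flags)
        self.conntrack[(out.src, out.dst)] = (pkt.src, pkt.dst)
        self.state[(pkt.src, pkt.dst)] = "SYN_SENT"
        return out

    def forward_reply(self, pkt: Packet) -> Packet:
        self.seen.append(pkt)
        orig_src, orig_dst = self.conntrack[(pkt.dst, pkt.src)]
        self.state[(orig_src, orig_dst)] = "ESTABLISHED"
        # Undo both translations: the reply reaches the client from the public IP.
        return Packet(orig_dst, orig_src, pkt.flags)


def deliver_reply(fw: Firewall, reply: Packet) -> Packet:
    """Route the server's reply: the firewall's own address goes through the
    firewall, any other host on the same subnet is reached directly."""
    if reply.dst == FIREWALL_LAN_IP:
        return fw.forward_reply(reply)
    if ipaddress.ip_address(reply.dst) in LAN:
        return reply                        # delivered on the LAN, bypassing the firewall
    raise RuntimeError("off-subnet destination not modelled")


def simulate(loopback_rule: bool) -> dict:
    """Run SYN and SYN/ACK of the handshake and report what each party observed."""
    fw = Firewall(loopback_rule)
    syn = Packet(CLIENT_IP, PUBLIC_IP, "SYN")
    at_server = fw.forward_request(syn)
    # The server answers whichever address the SYN appeared to come from.
    syn_ack = Packet(SERVER_IP, at_server.src, "SYN/ACK")
    at_client = deliver_reply(fw, syn_ack)
    # The client only accepts a SYN/ACK from the address it connected to.
    client_accepts = at_client.src == PUBLIC_IP and at_client.dst == CLIENT_IP
    return {
        "reply_crossed_firewall": len(fw.seen) == 2,
        "firewall_state": fw.state[(CLIENT_IP, PUBLIC_IP)],
        "syn_ack_source_seen_by_client": at_client.src,
        "handshake_completes": client_accepts,
    }


if __name__ == "__main__":
    for rule in (False, True):
        print("loopback rule" if rule else "no loopback rule", simulate(rule))
```

Running it shows the firewall's connection entry stuck in SYN_SENT and the client receiving a SYN/ACK from 10.10.10.5 rather than from the public address when the rule is absent; with the rule both packets cross the firewall and the handshake completes.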
In certain deployments, for example when access to an internally hosted server is to be provided to internal users only, the same zone firewall rules have to be created manually.