Configuring 7206 for NAT and access control in multi-IP/multi-server environment
I just bought an ER7206 to replace a failing NetGear router. From what I can see so far, it looks like it will be a very tedious and convoluted operation to configure it to match what my NetGear router was providing.
First, a little context: my current network has multiple servers, as well as development workstations. Most of the servers are accessible to the Internet, as are a couple of the workstations so that remote people can do testing. I have a /28 subnet of external IP addresses, so there are over a dozen external addresses that can be mapped via NAT to internal machines on a one-to-one basis. The accessible services vary by system, and include HTTP/HTTPS, SSH, SMTP, FTP, RDP, SQL, and so on. Not all services are available to the world; several systems have access restrictions such that certain services are only available to people on specific remote IP addresses. In a few cases, to avoid problems with other restrictive firewalls, we do port translation in addition to the other access restrictions.
On my NetGear router, I can set all of these restrictions in combination on a single configuration page. That means that I can set up a NAT routing from external address to internal address, restrict that access to only certain remote IP addresses or address ranges, and create a port translation from, for example, 8080 to 1433.
From what I can see from quite a bit of time trying to do similar things on the 7206, and reading the documentation, it seems that I can likely accomplish the same setup, but it will involve a lot of switching back and forth among multiple configuration pages and will get very tedious very quickly. It seems that I will have to create an IP Address name for each of my internal machines, then put each of those into its own IP Group before I can even start dealing with access issues. In addition, I will have to create separate IP address groups for each collection of remote addresses that I want to reference in an access control configuration. Any port translation will bring a different configuration page into play. And I'll have to do pretty much the same IP Address and IP Group assignment for each external address I've been assigned, all so that I can finally say "Route these protocols on this address to this internal machine, but only if they come from this allowed list of addresses". This kind of tedium gets quite tiring in a fairly dynamic environment since we put up and tear down development servers on a regular basis, and we really don't need to go through all these steps.
I hope that someone can tell me that I've completely missed the mark as to how one deals with these situations on the 7206. If there's some easy magic way to handle all of this, I'd really appreciate knowing it. Otherwise, if I have pretty much nailed the situation in this rather lengthy diatribe, then I may be giving serious consideration to sending it back and looking for another solution.