 From:  "Grilli, Laurent" <lgrilli at be dot tiauto dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  NAT on the LAN Interface
 Date:  Fri, 22 Oct 2004 14:36:12 +0200
Hi all,

I have not seen this case in the back traffic, so I do apologise if it has
already been answered :)

We use m0n0wall in our corporation to protect our LAN from WIFI devices in
our factory, and we only allow specific IPs on specific ports to talk to our
LAN. So I think that we have a different setup than the "normal" use of

Here is what we do (open the mail in fullscreen):

   LAN                                               OTHER LAN
   192.168.x.x                                       10.10.1.X

                                    ------------
                           TELNET   | m0n0wall |
   TELNET (BAR CODE READER) ------->|W|      |L|------->  AS/400
                                    |A|      |A|
                                    |N|      |N|
                                    ------------

We have made the following on the m0n0wall:
  Firewall rules
   - a rule to allow TELNET from the WIFI LAN to the AS/400

  NAT rules
   - inbound rules: no inbound rules
   - outbound rules: disabled, so the AS/400 is not NATed to the WAN
AND a manually added rule to NAT the source IP of the packets coming from
the WAN: map sis0 ->

The problem that we face is that we don't want to route the WIFI network on
our LAN, so we wanted to NAT the source of the packets coming from the WAN.
We didn't find a way to do NATing on the LAN interface via the GUI, so we
used exec.php with the following "ugly" command: echo 'map sis0 ->' | ipnat -f -

This works fine and the source address is NATed on the LAN interface. Could
you modify the GUI to be able to set up NAT on the LAN interface (there is no
such choice in the drop-down list), or at least add the ability to enter manual
ipnat commands from the GUI, so they will be stored in the XML file like normal
rules but perhaps shown in the GUI as "manually edited rules".

One other way would be to use the OPT interface for the LAN, so we could set up
NATing on the OPT interface via the GUI, but how would we manage the firewall,
as we would need to create new rules for management, and I'm not sure that the
httpd will bind to this IP address.

We have tried to upload an rc.conf.local or rc.local with our command echo ...
| ipnat, but it seems that it is too early in the boot process and it gets
flushed by the rules coming from config.xml.

Another remark: when we set up the WAN interface we need to set a default
gateway (which sounds normal for a normal LAN -> INTERNET deployment), but in
this scenario we don't need a default gateway. It would be nice to be able to
tick an option in the GUI to turn off the need for a default gateway. I know
that it's useful and less error prone for 90% of m0n0wall deployments to have
it required by default.

Thanks for any advice, feedback, comments

Laurent Grilli
International Technical Support Manager
TI Automotive
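As an added example (not part of Laurent's message or of the m0n0wall project), here is the complete ipnat rule set that the truncated `map sis0 ->` command in the post would need, built, sanity-checked and loaded by a small shell script. The interface name sis0 is the one the post uses for the LAN side; the 10.10.1.0/24 WiFi network, the 192.168.1.1 firewall LAN address, the port pool and the helper names are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or from m0n0wall itself.
# ASSUMPTIONS (placeholders): sis0 is the LAN interface, 10.10.1.0/24 is the
# WiFi network that arrives on the WAN side, and 192.168.1.1 is the firewall's
# own LAN address used as the new source of the rewritten packets.
LAN_IF="sis0"
WIFI_NET="10.10.1.0/24"
LAN_ADDR="192.168.1.1"

# Emit ipnat.conf-style rules. An ipnat "map" rule rewrites the source of
# packets leaving the named interface, so putting it on the LAN interface
# hides the WiFi addresses from the AS/400 side, which is what the post wants.
# The portmap line covers TCP/UDP (telnet included) using a fixed port pool;
# the second line catches everything else (e.g. ICMP).
build_nat_rules() {
    printf 'map %s %s -> %s/32 portmap tcp/udp 40000:60000\n' "$LAN_IF" "$WIFI_NET" "$LAN_ADDR"
    printf 'map %s %s -> %s/32\n' "$LAN_IF" "$WIFI_NET" "$LAN_ADDR"
}

# Cheap syntax check before handing anything to ipnat: each line must read
# "map <if> <net/len> -> <addr>/32 [portmap tcp/udp lo:hi]".
# Returns 0 when every generated line matches, 1 otherwise.
check_nat_rules() {
    build_nat_rules | awk '
        $1 != "map" || $4 != "->"                 { bad = 1 }
        $3 !~ /^[0-9.]+\/[0-9]+$/                 { bad = 1 }
        $5 !~ /^[0-9.]+\/32$/                     { bad = 1 }
        NF != 5 && NF != 8                        { bad = 1 }
        NF == 8 && ($6 != "portmap" || $7 != "tcp/udp" || $8 !~ /^[0-9]+:[0-9]+$/) { bad = 1 }
        END { if (bad) exit 1; exit 0 }'
}

# Number of rules that would be loaded.
count_nat_rules() {
    build_nat_rules | wc -l | tr -d ' '
}

# Load the rules the same way the post does (ipnat -f - reads rules from
# stdin), then list the active NAT rules and sessions. When run off the
# firewall, where ipnat is absent, just print what would be loaded.
apply_nat_rules() {
    check_nat_rules || { echo "refusing to load malformed rules" >&2; return 1; }
    if command -v ipnat >/dev/null 2>&1; then
        build_nat_rules | ipnat -f -
        ipnat -l
    else
        echo "ipnat not found; rules that would be loaded:"
        build_nat_rules
    fi
}

apply_nat_rules
```

Two practical caveats for this setup: rules pushed through exec.php live only in the kernel, so they disappear at reboot or whenever m0n0wall regenerates its ruleset from config.xml, exactly the flushing behaviour the post describes for rc.local; and once the source is rewritten, the AS/400 only ever sees 192.168.1.1, so any record of which WiFi device opened a session has to come from the firewall's own logs (the ipnat -l session table or the firewall rule log), not from the host.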
