 From:  "Matt Horton" <sivone at darkforestsoftware dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  OPT1 to LAN woes.
 Date:  Fri, 22 Oct 2004 19:27:59 -0400
Hello. I've been messing around with this for several weeks, but I can't
seem to find any kind of solution at all.

I have three interfaces on my m0n0wall PC (IDE version): WAN, LAN, and
OPT1. LAN to WAN and OPT1 to WAN work perfectly - both interfaces obey
all filter rules and whatnot. However, OPT1 to LAN doesn't work as
expected at all.

WAN IP is 192.168.0.2
LAN IP is 192.168.1.1
OPT1 IP is 192.168.2.1

There is no bridging in place.

There are two scenarios I can use:

First, with no static route in place, m0n0wall will deny traffic to the
LAN even if there's a rule in place to explicitly pass it. For example,
I can make a rule that says PASS OPT1 TCP traffic from 192.168.2.100
port 1000 to 192.168.1.100 port 1000, then watch as the communication
fails. Upon reviewing the firewall log, I'll see an entry that says that
OPT1 TCP traffic was DENIED from 192.168.2.100 port 1000 to
192.168.1.100 port 1000 by the default rule.

The second scenario involves creating a static route for the OPT1
interface. It passes traffic destined for 192.168.1.X to gateway
192.168.2.1. When this is in effect, all traffic passes and everything
works great, except it doesn't obey any filter rules on the LAN
interface. I can DENY traffic to port 1024 on 192.168.1.100 but be able
to connect to that port just fine from a PC on the OPT1 interface. Even
denying all traffic from the interface has no effect.

Regardless of either situation, ICMP traffic is not affected by this
issue (I can ping from anything to anything). I'm totally stumped on
this.

My current ruleset is (for troubleshooting purposes):

OPT1: allow any from OPT1 subnet to any
LAN: allow any from LAN subnet to any

Yet, all traffic is still blocked from OPT1 to LAN. Please help!!
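As an added illustration (not part of the post, and not m0n0wall's own code), the small evaluator below models one piece of m0n0wall behaviour that matters for the second scenario: a rule set is applied to packets as they enter the firewall on the interface the rule set belongs to, the first matching rule wins, and a packet that matches nothing is dropped by the implicit default rule. Under that model a DENY placed on the LAN tab is never consulted for a connection that arrives on OPT1; the corresponding DENY has to sit on the OPT1 tab, above the "allow any from OPT1 subnet" rule. The addresses and rules are constructed to mirror the post; the evaluator itself is a deliberate simplification (no state table, no NAT, no bridging).

```python
"""Simplified first-match, per-ingress-interface filter evaluator.

Added example: a constructed model of m0n0wall's rule ordering, not code
from m0n0wall. It only reproduces three behaviours: rules apply to the
interface a packet ENTERS on, first match wins, and no match means the
implicit default-deny rule applies.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet enters the firewall on
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    iface: str                    # tab the rule lives on: "LAN", "OPT1", "WAN"
    action: str                   # "pass" or "block"
    proto: str = "any"            # "any" or a specific protocol
    src: str = "0.0.0.0/0"        # source network in CIDR form
    dst: str = "0.0.0.0/0"        # destination network in CIDR form
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            self.iface == pkt.iface
            and self.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == pkt.dport)
        )


def evaluate(rules, pkt: Packet):
    """Return (action, index of the matching rule); (\"block\", None) means
    the implicit default rule dropped the packet."""
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, idx
    return "block", None


# Constructed ruleset mirroring the post: a DENY for port 1024 on the LAN
# tab, plus the two troubleshooting "allow any from <subnet>" rules.
TROUBLESHOOT_RULES = [
    Rule("LAN", "block", "tcp", dst="192.168.1.100/32", dport=1024),
    Rule("LAN", "pass", src="192.168.1.0/24"),
    Rule("OPT1", "pass", src="192.168.2.0/24"),
]

# Same intent, but the DENY is placed on the OPT1 tab, where the
# OPT1-to-LAN connection actually enters, and above the catch-all pass.
CORRECTED_RULES = [
    Rule("OPT1", "block", "tcp", dst="192.168.1.100/32", dport=1024),
    Rule("OPT1", "pass", src="192.168.2.0/24"),
    Rule("LAN", "pass", src="192.168.1.0/24"),
]

# Constructed packet: an OPT1 host opening TCP/1024 on the LAN host.
OPT1_TO_LAN = Packet("OPT1", "tcp", "192.168.2.100", "192.168.1.100", 1000, 1024)

# Constructed packet with no matching rule at all (arrives on WAN).
UNMATCHED = Packet("WAN", "tcp", "192.168.0.50", "192.168.1.100", 4444, 22)


if __name__ == "__main__":
    print("LAN-tab deny, OPT1 ingress :", evaluate(TROUBLESHOOT_RULES, OPT1_TO_LAN))
    print("OPT1-tab deny, OPT1 ingress:", evaluate(CORRECTED_RULES, OPT1_TO_LAN))
    print("no rule matches (default)  :", evaluate(TROUBLESHOOT_RULES, UNMATCHED))
```

Running it shows the first ruleset passing the connection via the OPT1 allow rule (index 2) because the LAN-tab block is never consulted for OPT1 ingress, the corrected ruleset blocking it at index 0, and the unmatched WAN packet falling through to the default rule.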