 From:  "Grilli, Laurent" <lgrilli at be dot tiauto dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  [m0n0wall] NAT on the LAN Interface
 Date:  Fri, 29 Oct 2004 13:06:11 +0200
Hi,

I have tried the following in config.xml:
<shellcmd>echo 'map sis0 192.168.1.100/32 -> 10.10.1.1/32' | ipnat -f -</shellcmd>

BUT the rules disappear after a few minutes!? Is it expected, or unsupported?
When we do it from exec.php, it works fine all the time until, of course, we
reboot the firewall.


Any help or guidelines on that matter would be welcome

Thanks in advance
Laurent Grilli



Hi again,

Ok, I have updated the "diagram" as it was not readable... I found that
<shellcmd> could automate the extra NAT rules that we need...
Like <shellcmd>echo 'map sis0 192.168.1.100/32 -> 10.10.1.1/32' | ipnat -f -</shellcmd>

So for now we have fixed our problems, but is it possible to add this feature
(NAT on LAN) in 1.2?
Thanks in advance,
Laurent Grilli



Hi all,

I have not seen this case in the back traffic, so I do apologise if it has
been already answered :)

We use m0n0wall in our corporation to protect our LAN from WIFI devices in
our factory, and we just allow specific IPs on specific ports to talk to our
LAN. So I think that we have a different setup than the "normal" use of
m0n0wall.

Here is what we do (open the mail in fullscreen):

 WIFI (Access point behind m0n0)            LAN         REMOTE LAN VIA VPN

 192.168.x.x               ------------   10.10.1.X   | |    10.10.10.x
                           | m0n0wall |               |V|
                    TELNET |W|      |L|               |P|
(BAR CODE READER)  ------->|A|      |A| ------->------|N| -- >  AS/400 
 192.168.1.100          .1 |N|      |N|.1             | |    10.10.10.10
                           ------------  



We have made the following on the m0n0wall:
  Firewall rules
   - a rule to allow TELNET from the WIFI LAN to the AS/400 10.10.10.10

  NAT rules
   - inbound rules: no inbound rules
   - outbound rules: disabled, so the AS/400 is not NATed to the WAN
interface.

AND a manually added rule to NAT the source IP of the packets coming from
the WAN: map sis0 192.168.1.100/32 -> 10.10.1.1/32

   
The problem that we face is that we don't want to route the WIFI network on
our LAN, so we wanted to NAT the source of the packets coming from the WAN.
We didn't find a way to do NATing on the LAN interface via the GUI, so we
used exec.php with the following "ugly" command: echo 'map sis0
192.168.1.100/32 -> 10.10.1.1/32' | ipnat -f -

This works fine and the source address is NATed on the LAN interface. Could
you modify the GUI to be able to set up a NAT on the LAN interface (not a
choice in the drop-down list), or at least the ability to enter manual ipnat
commands from the GUI, so they will be stored in the XML file like normal
rules but perhaps seen in the GUI as "manually edited rules"?

One other way would be to use the OPT for the LAN so we can set up NATing on
the OPT interface via the GUI, but how to manage the firewall, as we will need
to create new rules for the management, and I'm not sure that the httpd will
bind to this IP address.

We have tried to upload a rc.conf.local or rc.local with our command echo...
| ipnat, but it seems that it's too early in the boot process and it gets
flushed with the rules coming from config.xml.

Another remark: when we set up the WAN interface we need to set up a default
gateway (sounds normal for a normal deployment LAN -> INTERNET), but in this
scenario we don't need a default gateway. It would be nice to be able to
tick an option in the GUI to turn off the need for a default gateway. I know
that it's useful and less error-prone for 90 % of the deployments of m0n0wall
to have it requested by default.

Thanks for any advice, feedback, comments

Laurent Grilli
International Technical Support Manager
TI Automotive

The information contained in this transmission may contain privileged and
confidential information.  It is intended only for the use of the
person(s) named above. If you are not the intended recipient, you are
hereby notified that any review, dissemination, distribution or
duplication of this communication is strictly prohibited. If you are not
the intended recipient, please contact the sender by reply email and
destroy all copies of the original message. This communication is from TI
Automotive.
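The failure mode described across this thread is that m0n0wall rebuilds its ipnat rule set from config.xml, which silently flushes a map rule added by hand through exec.php, and the NAT on the LAN interface stops without any visible error. The script below is an added example, not code from the post or from m0n0wall itself: it checks an `ipnat -l` listing for the hand-added map rule and prints the reload command for any rule that is gone, so it can be run as a periodic check on the box. It assumes that `ipnat -l` (FreeBSD 4.x ipfilter, as used by m0n0wall) echoes each active map rule on its own line in the form it was loaded; the listings embedded here are constructed test data, and `REQUIRED_RULES` and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or from m0n0wall itself.
# m0n0wall rebuilds its ipnat rule set from config.xml, which flushes rules
# added by hand through exec.php. This script checks an `ipnat -l` listing for
# the hand-added map rules and prints the reload command for any that are gone.
# Assumption: `ipnat -l` (FreeBSD 4.x ipfilter, as used by m0n0wall) echoes each
# active map rule on its own line in the form it was loaded.

# The extra rule from the post: NAT the bar code reader's source address to the
# LAN interface address so the WIFI network is never routed onto the LAN.
# One rule per line; add further hand-maintained map rules here.
REQUIRED_RULES='map sis0 192.168.1.100/32 -> 10.10.1.1/32'

# Constructed listings standing in for `ipnat -l` output (offline test data).
LISTING_OK='List of active MAP/Redirect filters:
map sis0 192.168.1.100/32 -> 10.10.1.1/32

List of active sessions:'

LISTING_FLUSHED='List of active MAP/Redirect filters:

List of active sessions:'

# rule_loaded LISTING RULE: succeeds if RULE appears as a whole line of LISTING.
rule_loaded() {
    printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# missing_rules LISTING: prints each line of REQUIRED_RULES absent from LISTING.
missing_rules() {
    printf '%s\n' "$REQUIRED_RULES" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        rule_loaded "$1" "$rule" || printf '%s\n' "$rule"
    done
}

# reload_commands LISTING: one `ipnat -f -` pipeline per missing rule, so the
# output can be reviewed before it is run on the firewall.
reload_commands() {
    missing_rules "$1" | while IFS= read -r rule; do
        printf "echo '%s' | ipnat -f -\n" "$rule"
    done
}

# On the firewall itself the live check would be:  reload_commands "$(ipnat -l)"
# which prints nothing while every required rule is still loaded.
```

Running `reload_commands "$(ipnat -l)"` from a periodic job gives an immediate signal when the filter reload has discarded the manual rule, which is the symptom the thread reports as "the rules disappear after a few minutes"; the printed command is the same `echo ... | ipnat -f -` pipeline used in the post, so re-applying it restores the source NAT without touching the GUI-managed rules.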
