 From:  Jim McBeath <jimmc at macrovision dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  incoming NAT to DMZ [was Can't ping DMZ]
 Date:  Fri, 31 Oct 2003 13:20:23 -0800
On Fri, Oct 31, 2003 at 09:10:18PM +0100, Manuel Kasper wrote:
> http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=10&actionargs[]=63

Ah, I'm blind.  Sorry about that.

My real problem is that port forwarding from WAN port 80 to DMZ port 80 is
not working, although perhaps this has to do with my network configuration
(described in more detail below).  I can access my web server from the
LAN, but when I try to access it from the WAN using port forwarding,
the client just hangs.

On the m0n0wall, the "ipnat -lv" output includes

  rdr sis2 port 80 -> port 80 tcp

and the "ipfstat -hio" output includes 

  7 pass in log quick proto tcp from any to port = 80 keep state group 200

(where 200 is the group for sis2, the WAN)

The firewall log includes:

  11:09:48.320817 sis2 @200:5 p,56379 ->,80 PR tcp len 20 60 -S K-S IN
  11:09:48.320987 sis1 @200:5 p,56379 ->,80 PR tcp len 20 60 -S K-S

So it looks like the packet is going out to the DMZ web server, but there
is nothing in the log files on my web server to indicate that a connection
got through (I don't have ip filtering set up on it, so I don't have an IP

My network actually has two gateway machines doing NAT onto two different
public IP addresses.  The other gateway box is a Netscreen, which also
forwards port 80 to the web server on the DMZ, and that works.  The web
server has a default route set up to point back to the Netscreen; is that
why it can't respond to the Soekris?  If so, is there a way to set up
my DMZ web server to respond to NATed port forwarding from two different
boxes, or is that hopeless?
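The situation described in the post (a SYN arrives through the m0n0wall port forward, but the DMZ server's default route sends the reply through the Netscreen, which holds no session for it) can be modelled in a few lines. The following is a constructed example, not code from the thread, m0n0wall, or the Netscreen; every address is a placeholder, and the `snat` switch is an added illustration of the general rule that a reply must return through the gateway that holds the translation state, not something the thread itself proposes.

```python
"""Toy model of a DMZ web server behind two stateful NAT gateways.
Constructed example with placeholder addresses; not m0n0wall code."""

CLIENT = "198.51.100.7"     # placeholder Internet client
M0N0_WAN = "203.0.113.10"   # placeholder public IP on the m0n0wall WAN (sis2)
M0N0_DMZ = "10.0.2.1"       # placeholder m0n0wall address on the DMZ (sis1)
NS_WAN = "203.0.113.20"     # placeholder public IP of the Netscreen
NS_DMZ = "10.0.2.2"         # placeholder Netscreen address on the DMZ
WEB = "10.0.2.80"           # placeholder DMZ web server
DMZ_PREFIX = "10.0.2."      # on-link prefix for the DMZ segment

# A packet is (src_ip, dst_ip, sport, dport).


class Gateway:
    """Stateful NAT gateway with a single port forward for TCP/80.

    The first inbound packet creates a state entry; a reply from the DMZ is
    translated back only if this box holds matching state, otherwise it is
    dropped, which is what a stateful firewall does with an unknown session.
    """

    def __init__(self, name, wan_ip, dmz_ip, snat=False):
        self.name, self.wan_ip, self.dmz_ip, self.snat = name, wan_ip, dmz_ip, snat
        # (inside src, inside dst, sport, dport) -> (original src, original sport)
        self.state = {}

    def inbound(self, pkt):
        """WAN-side packet hitting the forward; returns the packet sent to the DMZ."""
        src, dst, sport, dport = pkt
        if dst != self.wan_ip or dport != 80:
            return None
        # With snat the source is rewritten to this gateway's own DMZ address
        # (hypothetical option, labelled as such in the lead-in).
        new_src = self.dmz_ip if self.snat else src
        self.state[(WEB, new_src, 80, sport)] = (src, sport)
        return (new_src, WEB, sport, 80)

    def outbound(self, pkt):
        """Reply from the DMZ; returns the packet sent to the client, or None."""
        key = pkt
        if key not in self.state:
            return None
        orig_src, orig_sport = self.state[key]
        return (self.wan_ip, orig_src, 80, orig_sport)


def web_server_reply(pkt, default_gw):
    """The server swaps addresses and picks a next hop from its single default
    route: on-link destinations are delivered directly, everything else goes
    to the default gateway (the Netscreen in the post)."""
    src, dst, sport, dport = pkt
    reply = (dst, src, dport, sport)
    next_hop = reply[1] if reply[1].startswith(DMZ_PREFIX) else default_gw
    return reply, next_hop


def simulate(snat):
    """Run one SYN from the client through the m0n0wall forward and report
    which gateway carried the reply and what, if anything, the client saw."""
    m0n0 = Gateway("m0n0wall", M0N0_WAN, M0N0_DMZ, snat=snat)
    ns = Gateway("netscreen", NS_WAN, NS_DMZ)
    by_dmz_addr = {M0N0_DMZ: m0n0, NS_DMZ: ns}

    syn = (CLIENT, M0N0_WAN, 56379, 80)       # source port taken from the post's log
    to_dmz = m0n0.inbound(syn)
    reply, next_hop = web_server_reply(to_dmz, default_gw=NS_DMZ)
    carrier = by_dmz_addr[next_hop]
    return {"reply_via": carrier.name, "client_sees": carrier.outbound(reply)}


if __name__ == "__main__":
    print("default route only:", simulate(snat=False))
    print("source rewritten:  ", simulate(snat=True))
```

Without source rewriting the SYN-ACK leaves via the Netscreen, which has no session for it and drops it, so the client never sees a reply and hangs exactly as the post describes; a gateway that forwarded it anyway would emit it from its own public address, which the client would also ignore. With the source rewritten to the m0n0wall's DMZ address the server's on-link route delivers the reply back to the box that holds the state. The price of that approach is that the web server's logs then record the gateway's address rather than the real client, which matters when those logs are used for incident investigation.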