Hi,
I'm certainly no expert, but I've got a m0n0wall running between my
local LAN (upstairs - 192.168.99.x) and a 'WAN' (a WiFi link to my
downstairs network - 192.168.23.x). I wanted to give my downstairs PC
access to my networked printer (192.168.99.254) and eventually managed
it (with v1.1) as follows...
Firewall/NAT
if: WAN, extAddr: Interface, Prot: TCP, ExtPort: 9100, NAT IP: 192.168.99.254, Local: 9100
i.e. just what you'd expect, but I'm fairly sure that I *also* needed
the following, which I didn't expect to...
Firewall/Rules
if: WAN, Act: Pass, From: Any, SourcePort: Any, Dest: 192.168.99.254, DestPort: 9100
i.e. I needed to open the port for direct access from the WAN before
the NAT would work, despite the client going via the WAN IP (i.e.
192.168.23.13).
/Gwyn
On Tue, 16 Nov 2004 01:07:06 -0600, Dub Dublin <dub at infowave dot com> wrote:
> I've got what should be a fairly simple m0n0wall setup, and I'm
> reasonably competent (having once managed Chevron's transition to IP),
> but so far, I can't get m0n0's Inbound NAT working. Here are the details:
>
> M0n0wall v1.11 running on a net4801 (1.1 was originally loaded, and showed
> the same problem - I upgraded to 1.11 yesterday with no apparent change
> in the problem I'm seeing - BTW, darn slick upgrade mechanism - great
> job!) Static IP on WAN side, M0n0 box has static IP on LAN side and
> also serves DHCP addresses on LAN side. The LAN also hosts a mail and
> web server, so the firewall needs to forward ports 25 and 80 from its
> WAN address to that server's address on the LAN (via inbound NAT.)
>
> Inbound NAT has been configured (very carefully, several times,
> including from scratch) per the documentation, including automatic
> creation of firewall rules to match the NAT settings.
>
> The problem: port scans or any attempts to connect to ports 25 or 80 on
> the WAN IP address fail, so something is wrong in the firewall itself.
> (Both succeed when run directly against the web/mail server's LAN
> address.) Hardware and other problems can be eliminated, since I also
> have PPTP access turned on, and can both successfully port scan port
> 1723 as well as make a successful PPTP connection through the WAN port
> to the LAN, so basic operation of hardware, OS, firewall rules, and the
> IP stack can be shown. Firewall logs show no dropped or blocked traffic
> to port 25 or 80.
>
> To be honest, I'm baffled as to why this isn't working - I suppose I
> could try 1:1 NAT, but I really don't want to open up anything inbound
> other than the two ports that need to get redirected to the web/mail
> server. What am I doing wrong?
>
> Any suggestions? I can post my config.xml if that will help, but I
> figure I can't be the first one to discover that Inbound NAT doesn't
> seem to work as advertised right out of the box.
>
> Thanks,
>
> Dub Dublin
>
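Added example, not part of either message and not m0n0wall code: a small Python model of the inbound path, assuming the destination is rewritten by inbound NAT before the WAN filter rules are checked, which is consistent with the rule reported above needing Dest set to the printer rather than the WAN address. The downstairs PC address, the second WAN-side host and the scoped rule are constructed for illustration; the other addresses and port 9100 are from the message.

```python
import ipaddress
from dataclasses import dataclass, replace

WAN_IP = "192.168.23.13"      # m0n0wall WAN address (from the message)
PRINTER = "192.168.99.254"    # printer on the LAN (from the message)
PC = "192.168.23.50"          # constructed address for the downstairs PC

@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    dport: int

# Inbound NAT entry: (interface, external address, external port, NAT IP, local port)
NAT = [("WAN", WAN_IP, 9100, PRINTER, 9100)]

def inbound_nat(pkt, nat=NAT):
    """Rewrite the destination when a NAT entry matches, else return pkt unchanged."""
    for iface, ext, eport, target, lport in nat:
        if (pkt.iface, pkt.dst, pkt.dport) == (iface, ext, eport):
            return replace(pkt, dst=target, dport=lport)
    return pkt

def filter_pass(pkt, rules):
    """Pass if any rule (interface, source network, dest, dest port) matches; else drop."""
    for iface, src_net, dst, dport in rules:
        in_net = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src_net)
        if in_net and (pkt.iface, pkt.dst, pkt.dport) == (iface, dst, dport):
            return True
    return False

def reaches_printer(src, rules):
    """A client connects to WAN_IP:9100; assumed order is NAT first, then filter."""
    pkt = inbound_nat(Packet("WAN", src, WAN_IP, 9100))
    return pkt.dst == PRINTER and filter_pass(pkt, rules)

RULE_EXTERNAL = [("WAN", "0.0.0.0/0", WAN_IP, 9100)]    # Dest: WAN address
RULE_INTERNAL = [("WAN", "0.0.0.0/0", PRINTER, 9100)]   # Dest: printer, From: Any (as posted)
RULE_SCOPED = [("WAN", PC + "/32", PRINTER, 9100)]      # same, limited to one source host

if __name__ == "__main__":
    for name, rules in [("external", RULE_EXTERNAL), ("internal", RULE_INTERNAL),
                        ("scoped", RULE_SCOPED)]:
        print(name, reaches_printer(PC, rules), reaches_printer("192.168.23.77", rules))
```

With From: Any, every host on the WAN side can reach port 9100 on the printer through the forward; the scoped rule limits that to the one PC that needs it.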