 From:  Gwyn Evans <gwyn dot evans at gmail dot com>
 To:  Dub Dublin <dub at infowave dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Inbount NAT won't answer on WAN i/f
 Date:  Tue, 16 Nov 2004 10:19:18 +0000
  I'm certainly no expert, but I've got a m0n0wall running between my
local LAN (upstairs - 192.168.99.x) and a 'WAN' (a WiFi link to my
downstairs network - 192.168.23.x).  I wanted to give my downstairs PC
access to my networked printer ( and eventually managed
it (with v1.1) as follows...

  if: WAN, extAddr: Interface, Prot:TCP, ExtPort: 9100 NAT IP:, Local:9100

i.e. just what you'd expect, but I'm fairly sure that I *also* needed
the following, which I didn't expect to...

  if:WAN  Act:Pass, From:Any, SourcePort:Any, Dest:, DestPort: 9100

  i.e. I needed to open the port for direct access from the WAN before
the NAT would work, despite the client going via the WAN IP (i.e.

On Tue, 16 Nov 2004 01:07:06 -0600, Dub Dublin <dub at infowave dot com> wrote:
> I've got what should be a fairly simple m0n0wall setup, and I'm
> reasonably competent (having once managed Chevron's transition to IP),
> but so far, I can't get m0n0's Inbound NAT working.  Here are the details:
> M0n0wall v1.11 running on a net4801 (1.1 was originally loaded, and showed
> the same problem - I upgraded to 1.11 yesterday with no apparent change
> in the problem I'm seeing - BTW, darn slick upgrade mechanism - great
> job!)  Static IP on WAN side, M0n0 box has static IP on LAN side and
> also serves DHCP addresses on LAN side.  The LAN also hosts a mail and
> web server, so the firewall needs to forward ports 25 and 80 from its
> WAN address to that server's address on the LAN (via inbound NAT.)
> Inbound NAT has been configured (very carefully, several times,
> including from scratch) per the documentation, including automatic
> creation of firewall rules to match the NAT settings.
> The problem:  port scans or any attempts to connect to ports 25 or 80 on
> the WAN IP address fail, so something is wrong in the firewall itself.
> (Both succeed when run directly against the web/mail server's LAN
> address.)  Hardware and other problems can be eliminated, since I also
> have PPTP access turned on, and can both successfully port scan port
> 1723 as well as make a successful PPTP connection through the WAN port
> to the LAN, so basic operation of hardware, OS, firewall rules, and the
> IP stack can be shown.  Firewall logs show no dropped or blocked traffic
> to port 25 or 80.
> To be honest, I'm baffled as to why this isn't working - I suppose I
> could try 1:1 NAT, but I really don't want to open up anything inbound
> other than the two ports that need to get redirected to the web/mail
> server.  What am I doing wrong?
> Any suggestions?  I can post my config.xml if that will help, but I
> figure I can't be the first one to discover that Inbound NAT doesn't
> seem to work as advertised right out of the box.
> Thanks,
> Dub Dublin
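
The rule pair described in the reply above can be checked with a small model. This is an added example, not part of the original thread or of m0n0wall's code. It assumes the inbound NAT rewrite happens before the WAN filter rules are evaluated, so a pass rule has to match the translated (LAN) destination. The `Forward` and `PassRule` types and every address in it are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Forward:      # inbound NAT entry: WAN address:ext_port -> nat_ip:local_port
    proto: str
    ext_port: int
    nat_ip: str
    local_port: int

@dataclass(frozen=True)
class PassRule:     # pass rule on the WAN interface; unmatched traffic is dropped
    proto: str
    dest: str       # host, CIDR, or "any"
    dest_port: int

def translate(proto, dst_ip, dst_port, wan_ip, forwards):
    """Stage 1 (assumed to run first): rewrite the destination if a forward matches."""
    if dst_ip == wan_ip:
        for f in forwards:
            if (f.proto, f.ext_port) == (proto, dst_port):
                return f.nat_ip, f.local_port
    return dst_ip, dst_port

def passes(proto, dst_ip, dst_port, rules):
    """Stage 2: filter on the already translated destination, default deny."""
    for r in rules:
        net = ip_network("0.0.0.0/0" if r.dest == "any" else r.dest, strict=False)
        if r.proto == proto and r.dest_port == dst_port and ip_address(dst_ip) in net:
            return True
    return False

def reachable(proto, dst_port, wan_ip, forwards, rules):
    """Would a connection to wan_ip:dst_port get through both stages?"""
    return passes(proto, *translate(proto, wan_ip, dst_port, wan_ip, forwards), rules)

def unmatched_forwards(forwards, rules):
    """Audit: forwards whose translated destination no pass rule covers."""
    return [f for f in forwards if not passes(f.proto, f.nat_ip, f.local_port, rules)]

# Constructed sample values (the thread's real addresses are not shown).
WAN_IP, PRINTER = "192.168.23.2", "192.168.99.50"
FORWARDS = [Forward("tcp", 9100, PRINTER, 9100)]
RULE_ON_WAN_IP = [PassRule("tcp", WAN_IP, 9100)]    # looks right, never matches
RULE_ON_LAN_IP = [PassRule("tcp", PRINTER, 9100)]   # matches after translation

if __name__ == "__main__":
    for name, rules in (("dest=WAN IP", RULE_ON_WAN_IP), ("dest=LAN host", RULE_ON_LAN_IP)):
        print(name, reachable("tcp", 9100, WAN_IP, FORWARDS, rules),
              unmatched_forwards(FORWARDS, rules))
```

Keeping the pass rule scoped to the single translated host and port, as in `RULE_ON_LAN_IP`, opens nothing beyond the forwarded service.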