[ previous ] [ next ] [ threads ]
 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Inbount NAT won't answer on WAN i/f
 Date:  Tue, 16 Nov 2004 09:38:17 -0500
Stupid question, but are you scanning from the inside of the firewall?
The Inbound NAT page states - "Note: It is not possible to access
NATed services using the WAN IP address from within LAN (or an
optional network)."

I just tried to test what would happen if I created a Inbound NAT and
firewall rules for SMTP (I do not host any  of my mail or web on my
LAN, but I do have servers...)  I created an Inbound NAT on my WAN
interface IP with external port and internal port 25 and my SBS as the
NAT IP. Allowed creation of the Firewall Rule (Pass -> Interface: WAN
-> Source IP: any -> Source Port: any -> Destination IP: SBS ->
Destination Port: 25). I tested this by using remote desktop
connection to connect to a server at one of my client's site, then
used telnet from there to connect back to my WAN IP on port 25. I
connected to my SBS's Exchange as expected...

Have you tried testing from the "outside"?

James W. McKeand

-----Original Message-----
From: Dub Dublin [mailto:dub at infowave dot com] 
Sent: Tuesday, November 16, 2004 2:07 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Inbount NAT won't answer on WAN i/f

I've got what should be a fairly simple m0n0wall setup, and I'm 
reasonably competent (having once managed Chevron's transition to IP),

but so far, I can't get m0n0's Inbound NAT working.  Here are the

M0n0wall v1.11 running on a net4801 (1.1 was originally loaded, and
the same problem - I upgraded to 1.11 yesterday with no apparent
in the problem I'm seeing - BTW, darn slick upgrade mechanism - great 
job!)  Static IP on WAN side, M0n0 box has static IP on LAN side and 
also serves DHCP addresses on LAN side.  The LAN also hosts a mail and

web server, so the firewall needs to forward ports 25 and 80 from its 
WAN address to that server's address on the LAN (via inbound NAT.)

Inbound NAT has been configured (very carefully, several times, 
including from scratch) per the documentation, including automatic 
creation of firewall rules to match the NAT settings.

The problem:  port scans or any attempts to connect to ports 25 or 80
the WAN IP address fail, so something is wrong in the firewall itself.

(Both succeed when run directly against the web/mail server's LAN 
address.)  Hardware and other problems can be eliminated, since I also

have PPTP access turned on, and can both successfully port scan port 
1723 as well as make a successful PPTP connection through the WAN port

to the LAN, so basic operation of hardware, OS, firewall rules, and
IP stack can be shown.  Firewall logs show no dropped or blocked
to port 25 or 80.

To be honest, I'm baffled as to why this isn't working - I suppose I 
could try 1:1 NAT, but I really don't want to open up anything inbound

other than the two ports that need to get redirected to the web/mail 
server.  What am I doing wrong?

Any suggestions?  I can post my config.xml if that will help, but I 
figure I can't be the first one to discover that Inbound NAT doesn't 
seem to work as advertised right out of the box.


Dub Dublin

To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch