 From:  Dub Dublin <dub at infowave dot com>
 To:  Dub Dublin <dub at infowave dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Inbound NAT won't answer on WAN i/f
 Date:  Tue, 16 Nov 2004 10:35:10 -0600
Recap of problem, this time including a security-modified config.xml as 
it sits right now (note this is the modified state mentioned in my bug 
report, not the original state of the config.xml file with the broken 
line for the pass action on the automatically-created rules.)

Dub Dublin wrote:

> I've got what should be a fairly simple m0n0wall setup, and I'm 
> reasonably competent (having once managed Chevron's transition to IP), 
> but so far, I can't get m0n0's Inbound NAT working.  Here are the 
> details:
>
> M0n0wall v1.11 running on a net4801 (1.1 was originally loaded, and 
> showed the same problem - I upgraded to 1.11 yesterday with no 
> apparent change in the problem I'm seeing - BTW, darn slick upgrade 
> mechanism - great job!)  Static IP on WAN side, M0n0 box has static IP 
> on LAN side and also serves DHCP addresses on LAN side.  The LAN also 
> hosts a mail and web server, so the firewall needs to forward ports 25 
> and 80 from its WAN address to that server's address on the LAN (via 
> inbound NAT.)
>
> Inbound NAT has been configured (very carefully, several times, 
> including from scratch) per the documentation, including automatic 
> creation of firewall rules to match the NAT settings.
>
> The problem:  port scans or any attempts to connect to ports 25 or 80 
> on the WAN IP address fail, so something is wrong in the firewall 
> itself.  (Both succeed when run directly against the web/mail server's 
> LAN address.)  Hardware and other problems can be eliminated, since I 
> also have PPTP access turned on, and can both successfully port scan 
> port 1723 as well as make a successful PPTP connection through the WAN 
> port to the LAN, so basic operation of hardware, OS, firewall rules, 
> and the IP stack can be shown.  Firewall logs show no dropped or 
> blocked traffic to port 25 or 80.
>
Here is my config.xml, slightly edited for security - I still cannot 
figure out why ports 80 and 25 are not answered from the outside with 
this config.  Any suggestions?  (I haven't tried the suggestion to add 
Proxy ARP for the LAN server being NATted, but that *shouldn't* be 
required, and is definitely not mentioned in the documentation for 
getting basic Inbound NAT working...)

<?xml version="1.0"?>
<m0n0wall>
    <version>1.4</version>
    <system>
        <hostname>firewall</hostname>
        <domain>foo.com</domain>
        <dnsallowoverride/>
        <username>admin</username>
        <password>gibberish here</password>
        <timezone>America/Chicago</timezone>
        <time-update-interval>300</time-update-interval>
        <timeservers>pool.ntp.org</timeservers>
        <webgui>
            <protocol>http</protocol>
            <port/>
        </webgui>
        <dnsserver>160.123.1.7</dnsserver>
        <dnsserver>160.123.1.8</dnsserver>
    </system>
    <interfaces>
        <lan>
            <if>sis0</if>
            <ipaddr>192.168.100.254</ipaddr>
            <subnet>24</subnet>
        </lan>
        <wan>
            <if>sis1</if>
            <mtu/>
            <blockpriv/>
            <spoofmac/>
            <ipaddr>64.128.220.74</ipaddr>
            <subnet>29</subnet>
            <gateway>64.128.220.78</gateway>
        </wan>
        <opt1>
            <descr>OPT1</descr>
            <if>sis2</if>
        </opt1>
    </interfaces>
    <staticroutes/>
    <pppoe/>
    <pptp/>
    <bigpond/>
    <dyndns>
        <type>dyndns</type>
        <username/>
        <password/>
        <host/>
        <mx/>
    </dyndns>
    <dhcpd>
        <lan>
            <enable/>
            <range>
                <from>192.168.100.100</from>
                <to>192.168.100.199</to>
            </range>
            <defaultleasetime/>
            <maxleasetime/>
        </lan>
    </dhcpd>
    <pptpd>
        <mode>server</mode>
        <redir/>
        <localip>192.168.100.253</localip>
        <remoteip>192.168.100.224</remoteip>
        <radius>
            <server/>
            <secret/>
        </radius>
        <user>
            <name>test</name>
            <ip/>
            <password>secret</password>
        </user>
    </pptpd>
    <dnsmasq>
        <enable/>
    </dnsmasq>
    <snmpd>
        <syslocation/>
        <syscontact/>
        <rocommunity>public</rocommunity>
    </snmpd>
    <diag>
        <ipv6nat>
            <ipaddr/>
        </ipv6nat>
    </diag>
    <bridge/>
    <syslog>
        <reverse/>
        <nentries>50</nentries>
        <remoteserver/>
    </syslog>
    <nat>
        <rule>
            <protocol>tcp</protocol>
            <external-port>25</external-port>
            <target>192.168.100.1</target>
            <local-port>25</local-port>
            <interface>wan</interface>
            <descr>SMTP WAN-&gt;192.168.100.1</descr>
        </rule>
        <rule>
            <protocol>tcp</protocol>
            <external-port>80</external-port>
            <target>192.168.100.1</target>
            <local-port>80</local-port>
            <interface>wan</interface>
            <descr>HTTP -&gt; 100.1:80</descr>
        </rule>
    </nat>
    <filter>
        <rule>
            <type>pass</type>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.100.1</address>
                <port>25</port>
            </destination>
            <descr>NAT SMTP WAN-&gt;100.1:25</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.100.1</address>
                <port>80</port>
            </destination>
            <descr>NAT HTTP -&gt; 100.1:80</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>pptp</interface>
            <protocol>tcp/udp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <network>lan</network>
            </destination>
            <descr>Default PPTP TCP/UDP-&gt;any</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>pptp</interface>
            <protocol>icmp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <network>lan</network>
            </destination>
            <descr>Default PPTP ICMP-&gt;any</descr>
        </rule>
        <rule>
            <type>pass</type>
            <descr>Default LAN -&gt; any</descr>
            <interface>lan</interface>
            <source>
                <network>lan</network>
            </source>
            <destination>
                <any/>
            </destination>
        </rule>
    </filter>
    <shaper/>
    <ipsec/>
    <aliases/>
    <proxyarp/>
    <wol/>
</m0n0wall>
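The first thing to rule out with a config like the one above is a mismatch between the NAT rules and the WAN pass rules that m0n0wall 1.x needs for them: the filter rule must match the translated (LAN) destination and the local port, not the WAN address. The script below is an added example, not m0n0wall's own code and not from this thread; it parses a config.xml in the format posted, reports any inbound NAT rule that lacks a matching WAN pass rule, sanity-checks the addressing, and flags a couple of settings in the posted config that a reviewer would question (plain-HTTP webgui, the default SNMP community). SAMPLE_CONFIG is a constructed cut-down of the posted config with one extra NAT rule (port 443) deliberately left without a pass rule so the check has something to find.

```python
"""Cross-check inbound NAT rules against WAN pass rules in an m0n0wall 1.x config.xml.

Added example (not m0n0wall code). Assumes the element layout seen in the
posted config: <nat><rule>…</rule></nat> and <filter><rule>…</rule></filter>.
"""
import ipaddress
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the posted config, cut down, plus a 443 NAT rule with no pass rule.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<m0n0wall>
  <system><webgui><protocol>http</protocol><port/></webgui></system>
  <interfaces>
    <lan><if>sis0</if><ipaddr>192.168.100.254</ipaddr><subnet>24</subnet></lan>
    <wan><if>sis1</if><blockpriv/><ipaddr>64.128.220.74</ipaddr><subnet>29</subnet>
      <gateway>64.128.220.78</gateway></wan>
  </interfaces>
  <snmpd><rocommunity>public</rocommunity></snmpd>
  <nat>
    <rule><protocol>tcp</protocol><external-port>25</external-port>
      <target>192.168.100.1</target><local-port>25</local-port><interface>wan</interface></rule>
    <rule><protocol>tcp</protocol><external-port>80</external-port>
      <target>192.168.100.1</target><local-port>80</local-port><interface>wan</interface></rule>
    <rule><protocol>tcp</protocol><external-port>443</external-port>
      <target>192.168.100.1</target><local-port>443</local-port><interface>wan</interface></rule>
  </nat>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>192.168.100.1</address><port>25</port></destination></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>192.168.100.1</address><port>80</port></destination></rule>
  </filter>
</m0n0wall>
"""


def nat_rules(root):
    """Inbound NAT rules as dicts: protocol, external port, LAN target, local port, interface."""
    return [{"proto": r.findtext("protocol"), "ext_port": r.findtext("external-port"),
             "target": r.findtext("target"), "local_port": r.findtext("local-port"),
             "iface": r.findtext("interface")} for r in root.findall("./nat/rule")]


def pass_rules(root, iface):
    """Pass rules on one interface, keyed by what an inbound NAT check needs."""
    out = []
    for r in root.findall("./filter/rule"):
        if r.findtext("type") != "pass" or r.findtext("interface") != iface:
            continue
        dst = r.find("destination")
        out.append({"proto": r.findtext("protocol"),
                    "addr": dst.findtext("address") if dst is not None else None,
                    "port": dst.findtext("port") if dst is not None else None})
    return out


def check_config(xml_text):
    """Return a list of human-readable findings (empty list means nothing to report)."""
    root = ET.fromstring(xml_text)
    findings = []

    lan = root.find("./interfaces/lan")
    wan = root.find("./interfaces/wan")
    lan_net = ipaddress.ip_network(f"{lan.findtext('ipaddr')}/{lan.findtext('subnet')}", strict=False)
    wan_net = ipaddress.ip_network(f"{wan.findtext('ipaddr')}/{wan.findtext('subnet')}", strict=False)
    if ipaddress.ip_address(wan.findtext("gateway")) not in wan_net:
        findings.append(f"wan gateway {wan.findtext('gateway')} is outside the WAN subnet {wan_net}")
    if wan.find("blockpriv") is None:
        findings.append("wan does not block RFC1918 sources (blockpriv is unset)")

    wan_pass = pass_rules(root, "wan")
    for n in nat_rules(root):
        if n["iface"] != "wan":
            continue
        if ipaddress.ip_address(n["target"]) not in lan_net:
            findings.append(f"nat {n['proto']}/{n['ext_port']}: target {n['target']} is not on the LAN subnet {lan_net}")
        # The pass rule must name the translated LAN destination and the local port.
        matched = any(p["proto"] == n["proto"] and p["addr"] == n["target"]
                      and p["port"] == n["local_port"] for p in wan_pass)
        if not matched:
            findings.append(f"nat {n['proto']}/{n['ext_port']} -> {n['target']}:{n['local_port']}: "
                            "no WAN pass rule for the translated destination")

    if root.findtext("./system/webgui/protocol") == "http":
        findings.append("webgui uses plain http; admin credentials cross the LAN in the clear")
    if root.findtext("./snmpd/rocommunity") == "public":
        findings.append("snmpd read-only community is the default 'public'")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for line in check_config(text) or ["no findings"]:
        print(line)
```

Run it as `python check_m0n0.py config.xml` against a real file, or with no argument to see it flag the constructed 443 rule. Against the config actually posted above it reports no NAT/filter mismatch, which is consistent with the author's observation that the rules look right; the remaining findings there are the plain-HTTP webgui and the `public` SNMP community, both worth fixing before the box faces the Internet regardless of the NAT problem.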