 From:  Kev Latimer <kev at ne23 dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Re: Re: Re: Public IP's on OPT
 Date:  Mon, 13 Dec 2004 08:01:49 +0000
Jesse Guardiani wrote:

>Kev Latimer wrote:
>
>>Jesse Guardiani wrote:
>>
>>>Kev Latimer wrote:
>>>
>>>>I'm even making an arse of replying to emails now, this really isn't a
>>>>good day!
>>>>
>>>>As should have said:
>>>>
>>>>Josh - I didn't set any outbound NAT entries, OPT2 itself should (I
>>>>think) only be seen by the m0n0 as it is purely to be an IPSEC
>>>>endpoint, all the LAN traffic being routed up the tunnel.  That said, I
>>>>did exactly as you explained below and still no luck.  Running 1.11 on a
>>>>CF card on an Epia PD1000.
>>>>
>>>>Jesse - how did you get your OPT interface to respond to pings?  If I
>>>>can get that bit right I think I'll stand a chance of kludging the rest
>>>>together :)
>>>>
>>>Action....: Pass
>>>Interface.: WAN
>>>Protocol..: ICMP
>>>Source....: Any
>>>Source Rng: Any -> Any
>>>Dest......: My WAN IP Address
>>>Dest Rng..: Any -> Any
>>>
>>>I also have a rule allowing UDP 33435 -> 33524 to the same WAN IP. This
>>>allows traceroutes.
>>>
>>>
>>Is there any way at all to get an OPT interface to respond to anything
>>on a public IP?  I've tried plugging it into a couple of ADSL routers on
>>a number of different IP's and no matter what rules I put in place (that
>>have the desired effect when applied to the WAN interface) the firewall
>>logs still show all these pings, traceroutes and IPSec/ESP attempts
>>being blocked.
>>
>>I think I really need a definitive answer here - can I actually have
>>multiple public IP's using OPT interfaces on a m0n0.  I'm tearing my
>>hair out here, I cannot see what I'm doing wrong!
>>
>
>Yes, you can. I'm doing it right now on my OPT1 interface. Prerequisites:
>
>1.) Your ISP has to route a subnet or multiple IPs to you.
>2.) You need to use either 1:1 NAT or turn on Advanced Outbound NAT, per
>    this FAQ:
>        http://m0n0.ch/wall/docbook/faq-ipalias.html
>
>However, that doesn't have anything to do with whether or not you're
>allowing ICMP ping packets or ANY OTHER PACKETS to your OPT1 interface.
>Remember, m0n0wall usually denies traffic by default. You have to
>explicitly allow traffic to and from your OPT1 interface. Here are my
>rules for that:
>
>
>  <rule>
>   <type>pass</type>
>   <interface>wan</interface>
>   <source>
>    <any/>
>   </source>
>   <destination>
>    <network>opt1</network>
>   </destination>
>   <descr>WAN -&gt; Public</descr>
>  </rule>
>
>
>  <rule>
>   <type>pass</type>
>   <interface>opt1</interface>
>   <source>
>    <any/>
>   </source>
>   <destination>
>    <any/>
>   </destination>
>   <descr>Public -&gt; any</descr>
>  </rule>
>

Woooooo!  I've absolutely no idea why that rule on the WAN interface (to 
the OPT2 subnet in my case) should make stuff happen, but it does, and 
that's good enough for me!  I've added rules only for ESP now and the 
tunnels work exactly as I expected.

You have no idea how happy I am; having spent half the weekend trying to 
get a bootable LEAF compact flash card, I really was getting desperate! lol

I don't want to push my luck, but can you tell me why that rule makes it 
work, because I've never seen something like that needed, although I've 
never tried to do something like this before either...

Thanks again mate,

Kev
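
Added example, not part of the thread: a simplified Python model of why Jesse's WAN rule is needed. m0n0wall consults rules for the interface a packet arrives on and blocks by default, so a ping from the Internet to an OPT1 public address is judged by the WAN rule set, not the OPT1 one. The two quoted rules are embedded as constructed XML; the opt1 subnet (203.0.113.0/29) and the evaluator itself are assumptions, not m0n0wall's real ipfilter engine.

```python
"""Model of per-ingress-interface, first-match, default-deny rule evaluation."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed from the two rules quoted in the thread (wrapped in a <filter> root).
RULES_XML = """<filter>
  <rule>
   <type>pass</type>
   <interface>wan</interface>
   <source><any/></source>
   <destination><network>opt1</network></destination>
   <descr>WAN -&gt; Public</descr>
  </rule>
  <rule>
   <type>pass</type>
   <interface>opt1</interface>
   <source><any/></source>
   <destination><any/></destination>
   <descr>Public -&gt; any</descr>
  </rule>
</filter>"""

# Assumed: the public block the ISP routes to the OPT1 interface.
NETWORKS = {"opt1": ipaddress.ip_network("203.0.113.0/29")}


def _endpoint(node):
    """<any/> becomes None; <network>name</network> becomes that subnet."""
    if node.find("any") is not None:
        return None
    return NETWORKS[node.findtext("network")]


def parse_rules(xml_text):
    """Turn m0n0wall-style <rule> elements into plain dicts, in file order."""
    return [{"type": r.findtext("type"), "interface": r.findtext("interface"),
             "src": _endpoint(r.find("source")), "dst": _endpoint(r.find("destination")),
             "descr": r.findtext("descr")}
            for r in ET.fromstring(xml_text).findall("rule")]


def _matches(endpoint, addr):
    return endpoint is None or ipaddress.ip_address(addr) in endpoint


def decide(rules, ingress_if, src, dst):
    """Only rules bound to the arriving interface are consulted; no match => block."""
    for r in rules:
        if r["interface"] == ingress_if and _matches(r["src"], src) and _matches(r["dst"], dst):
            return r["type"], r["descr"]
    return "block", "default deny"
```

Running `decide` with only the opt1 rule loaded shows the Internet-to-OPT1 packet blocked, which is the behaviour Kev saw in his logs; note that "Public -> any" also lets OPT1 hosts reach the LAN, so a tighter destination is worth considering.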