Kev Latimer wrote:
[...]
>> However, that doesn't have anything to do with whether or not you're
>> allowing ICMP ping packets or ANY OTHER PACKETS to your OPT1 interface.
>> Remember, m0n0wall usually denies traffic by default. You have to
>> explicitly allow traffic to and from your OPT1 interface. Here are my
>> rules for that:
>>
>> <rule>
>>   <type>pass</type>
>>   <interface>wan</interface>
>>   <source>
>>     <any/>
>>   </source>
>>   <destination>
>>     <network>opt1</network>
>>   </destination>
>>   <descr>WAN -> Public</descr>
>> </rule>
>>
>> <rule>
>>   <type>pass</type>
>>   <interface>opt1</interface>
>>   <source>
>>     <any/>
>>   </source>
>>   <destination>
>>     <any/>
>>   </destination>
>>   <descr>Public -> any</descr>
>> </rule>
>>
>
> Woooooo! I've absolutely no idea why that rule on the WAN interface (to
> the OPT2 subnet in my case) should make stuff happen, but it does, and
> that's good enough for me! I've added rules only for ESP now and the
> tunnels work exactly as I expected.
>
> You have no idea how happy I am; having spent half the weekend trying to
> get a bootable LEAF compact flash card, I really was getting desperate! lol
>
> I don't want to push my luck, but can you tell me why that rule makes it
> work, because I've never seen something like that needed, although I've
> never tried to do something like this before either...

Well, I'm not an expert, but my understanding is that m0n0wall blocks
EVERYTHING by default, except traffic from the LAN. Therefore, if you are
not doing NAT on a particular interface, then you need to tell m0n0wall to
allow you to pass traffic to that interface. Thankfully, m0n0wall handles
the routing itself, automatically, but you still have to explicitly allow
the traffic.

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
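An added example, not part of this thread or of m0n0wall itself: a small Python audit that reads rules in the config.xml layout quoted above and flags pass rules that carry no protocol restriction or an any-to-any scope, which is the check you would want once the broad "WAN -> Public" rule has been narrowed to ESP as Kev did. The `<filter>` container and the `<protocol>` element are assumptions about the export format; the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the config.xml layout quoted in the thread. The <filter>
# container and the <protocol> element are assumptions about m0n0wall's export format.
SAMPLE_CONFIG = """<m0n0wall><filter>
  <rule><type>pass</type><interface>wan</interface>
    <source><any/></source><destination><network>opt1</network></destination>
    <descr>WAN -> Public</descr></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>esp</protocol>
    <source><any/></source><destination><network>opt1</network></destination>
    <descr>WAN -> Public (ESP only)</descr></rule>
  <rule><type>pass</type><interface>opt1</interface>
    <source><any/></source><destination><any/></destination>
    <descr>Public -> any</descr></rule>
</filter></m0n0wall>"""

def endpoint(el):
    """Render a <source>/<destination>: 'any', a named interface network, or an address."""
    if el is None or el.find("any") is not None:
        return "any"
    for tag in ("network", "address"):
        node = el.find(tag)
        if node is not None and node.text:
            return node.text.strip()
    return "?"

def audit_rules(xml_text):
    """Return one dict per pass rule, with the findings a reviewer would raise."""
    report = []
    for rule in ET.fromstring(xml_text).iterfind("./filter/rule"):
        if (rule.findtext("type") or "").strip() != "pass":
            continue  # block/reject rules are not the concern here
        proto = (rule.findtext("protocol") or "any").strip().lower()
        src, dst = endpoint(rule.find("source")), endpoint(rule.find("destination"))
        findings = []
        if proto == "any":
            findings.append("no protocol restriction")  # every IP protocol passes
        if src == "any" and dst == "any":
            findings.append("any->any")  # unrestricted in both directions
        report.append({"descr": rule.findtext("descr"), "interface": rule.findtext("interface"),
                       "protocol": proto, "source": src, "destination": dst,
                       "findings": findings})
    return report

if __name__ == "__main__":
    for r in audit_rules(SAMPLE_CONFIG):
        print(f"{r['interface']:5} {r['protocol']:4} {r['source']} -> {r['destination']}"
              f"  {r['descr']}: {r['findings'] or 'ok'}")
```

Point it at a real config.xml export by replacing SAMPLE_CONFIG with the file contents; the first rule in the sample is the one the thread shows, the second is the ESP-only narrowing.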