Manuel Kasper wrote on 18 December 2004:
>> However as I said: on the LAN-interface everything works as
>> expected: changing the last "pass" rule to "destination not OPT1"
>> prevents any traffic to OPT1. It just doesn't work the other way
>> round: prevent traffic from OPT1 to LAN.
>Why on earth do you have a static route for 192.168.0.0/16 with
>gateway 192.168.100.100 on your *OPT1* interface?
Honestly: I have no idea how that got in there. Now I look like a
complete fool. I did notice the 192.168.0.0/16 in the "ipfw -nio"
output and suspected this already, but had no clue how it got in
there. I just assumed that would be some internal stuff, like the
default-rules to prevent accidental lock-out of the web-interface.
>Not only does that not make any sense, it's the source of your
>problem as well.
Of course it is. I never looked into "Static Routes" in the m0n0wall
config, because I just "knew", there were none, because I don't need
>That static route tells m0n0wall to let traffic between
>192.168.0.0/16 and 192.168.101.0/24 pass unconditionally
Yes, I know, the /16 netmask covers both /24 subnets. I am so sorry
for making a fuss here, the problem was right in front of the PC the
>Remove it, and life should be better for you.
I just did and as you said: everything works fine by now. Each and
every rule on OPT1 works as expected and (of course) flawlessly.
>Lesson learned: don't use the words "confirmed" and "bug" unless
>you're really really sure you did everything right...
From my previous point of view (not being aware of the static route)
there was something seriously wrong: as soon as I put in one single
"block" rule, OPT1 could access LAN. You might see, how I got the idea
of a supposed "bug".
I just never got the idea to look into the "static routes", since I
never thought something here could affect the rules on OPT1 in that
way. And I wasn't aware, that I obviously put something in here. Of
course I realize, that the problem was in front of the screen the
Anyway: in addition to a public apology (I am really, really sorry to
be that stupid and to write of a "bug") I owe you big time for finding
this one out. Thank you VERY much for looking into my (stupid) config
and finding that ludicrous static route. Without you I still would not
be able to use my WLAN.
>Now, I've learned a lesson too.
On the bright side: not everything was a waste of time ;-)
>This automatic implicit routing feature will be made optional, with
>default to disabled, in the very next release.
Not everybody is as stupid as me ;-) and like any other GOOD software:
m0n0wall cannot be fool-proof.
Thank you again, you really made my day, I'm really glad and relieved
I got it all working now. That "Captive Portal" is one hell of a great
feature by the way.
Kind regards Frederick
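
The misconfiguration discussed in this mail can be caught by comparing each static route against the directly connected subnets. The following is an added example, not part of the original mail and not m0n0wall code; `audit_static_routes` is a hypothetical helper, the LAN subnet 192.168.100.0/24 and the second route are constructed, and only the OPT1 subnet, the /16 route and its gateway come from the thread.

```python
import ipaddress

# OPT1 subnet and the /16 route are from the thread; the LAN subnet and
# the 10.20.0.0/16 route are constructed sample values.
INTERFACES = {"LAN": "192.168.100.0/24", "OPT1": "192.168.101.0/24"}
ROUTES = [
    ("OPT1", "192.168.0.0/16", "192.168.100.100"),
    ("LAN", "10.20.0.0/16", "192.168.100.254"),
]

def audit_static_routes(interfaces, routes):
    """Flag static routes that clash with directly connected subnets.

    interfaces: {name: cidr}; routes: [(interface, destination, gateway)].
    Returns a list of (interface, destination, kind, detail) tuples.
    """
    nets = {n: ipaddress.ip_network(c) for n, c in interfaces.items()}
    findings = []
    for iface, dest, gw in routes:
        dest_net = ipaddress.ip_network(dest)
        # A next hop has to be reachable on the interface the route is bound to.
        if ipaddress.ip_address(gw) not in nets[iface]:
            findings.append((iface, dest, "gateway-off-link",
                             "%s is not inside %s" % (gw, nets[iface])))
        for other, other_net in nets.items():
            if not dest_net.overlaps(other_net):
                continue
            if other == iface:
                # The route swallows the subnet it is attached to.
                findings.append((iface, dest, "covers-own-subnet",
                                 str(other_net)))
            else:
                # With implicit pass rules for static routes, traffic between
                # these two local subnets is no longer filtered by the rules.
                findings.append((iface, dest, "implicit-pass",
                                 "%s <-> %s (%s)" % (iface, other, other_net)))
    return findings

if __name__ == "__main__":
    for finding in audit_static_routes(INTERFACES, ROUTES):
        print(*finding, sep=" | ")
```
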