Two HTTP servers behind m0n0wall -- confused about how to set up m0n0wall

From:	Paul Furbacher <pfurbacher at mac dot com>
To:	m0n0wall at lists dot m0n0 dot ch
Subject:	Two HTTP servers behind m0n0wall -- confused about how to set up m0n0wall
Date:	Fri, 11 Mar 2005 12:57:08 -0500

First, I have to say that the WebGUI is beautiful, especially
if one contrasts it to say the interface which comes with a
PIX 501 router.

However, I can set up the latter pretty easily for our network
config, but cannot seem to get it right with m0n0wall.

I've searched the FAQ, noting that 13.14 seems to apply to
our situation, but it doesn't make sense to me -- it's a bit
too jargonish for my brain which usually needs concrete examples
when it comes to setting up Firewalls.  (I'm not a networking guy.)
I've also searched the list archives, but have not been able to craft
a search which yields any concrete answers.

Hopefully, the following is an adequate description of our
desired firewall/routing set up.  (Same as what we had with
the PIX, before it died.)

Our network (using just the HTTP ports to illustrate):

2 HTTP servers: one production, one test
IP addresses: xxx.yyy.zzz.10, xxx.yyy.zzz.20

Available WAN IP addresses: aaa.bbb.ccc.224 - 255
Gateway: aaa.bbb.ccc.129
Mask: 255.255.255.128

Goal:

WAN
m0n0wall/net4501 eth 1:  aaa.bbb.ccc.238

HTTP server 1 (production): aaa.bbb.ccc.239
HTTP server 2 (test): aaa.bbb.ccc.240

Routes/Rules:

aaa.bbb.ccc.239:80 -> xxx.yyy.zzz.10:80
aaa.bbb.ccc.240:80 -> xxx.yyy.zzz.20:80

I have tried the following

Hardware: net4501 w/ 3 eth connectors.
   eth2: WAN
   eth1: LAN

Software: net45xxx-1.11

0. m0n0wall static config:
   IP addr = aaa.bbb.ccc.238/25
   Gateway: aaa.bbb.ccc.129

1. Added aaa.bbb.ccc.239 and aaa.bbb.ccc.240 to the Server NAT page.

2. NAT: added the following and applied changes.

   WAN TCP ext: aaa.bbb.ccc.239 HTTP  int: xxx.yyy.zzz.10 HTTP
   WAN TCP ext: aaa.bbb.ccc.240 HTTP  int: xxx.yyy.zzz.20 HTTP

3. Rules: added and applied changes.

WAN
   TCP src: aaa.bbb.ccc.239 HTTP  dest: xxx.yyy.zzz.10 HTTP
   TCP src: aaa.bbb.ccc.240 HTTP  dest: xxx.yyy.zzz.20 HTTP

The above just doesn't work.  It seems to be equivalent to
what I would have done to set up the PIX, but obviously it's
not.  But if I port scan from a computer on a completely
different network (essentially outside the building)
I get nothing.  I'm completely at a loss as to how to
get m0n0wall to do what I bet is pretty simple.

Exactly what steps do I have to perform and in
what order?  Please don't use "optional interface"
(as in the FAQ) because nothing's optional to me.
Please make any solution devoid of jargon, such
as "optional interface" and the like.  Please
use concrete numbers based on those listed above.


Thanks.


Paul Furbacher