[ previous ] [ next ] [ threads ]
 
 From:  sylikc <sylikc at gmail dot com>
 To:  Adam Lawson <alawson at calhost dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Newbie Config Question - Initial M0n0wall Config - Need Assist ASAP
 Date:  Wed, 16 Mar 2005 18:32:32 -0800
Adam,

On Wed, 16 Mar 2005 08:42:20 -0800, Adam Lawson <alawson at calhost dot com> wrote:
> Question:
> My network is in a colocation data center. They assigned me 3 IPs on the
> 65.74.157.x subnet (2 for my firewall interfaces and 1 for my ext router
> interface).
> 
> The setup looks like this:
> 
> ((WWW))
> ^
> LAYER3 DATA CENTER SWITCH
> ^
> M0n0wall (installed on standard PC with 2 NICs using CD-ROM/floppy setup for
> now)
> ^
> _Cisco 3660 router (VLANs configured for each customer on the 65.74.150 and
> 65.74.151 subnets)
> ^
> _Layer2 switch
> ^
> _Client machines with static IPs (each on their own VLAN - 5 usable Ips on
> the 65.74.150.x and 65.74.151.x subnets)

Now this looks like an awfully complicated setup for a newbie firewall
setup.  Anyhow, you have 3 IPs on the 65.74.157.x subnet, but which
one is assigned where on the network?  What IP will you be assigning
the m0n0wall?

Now, you have some 65.74.150 & 151 subnets... they're not private so
are you trying to configure m0n0wall just as a filtered bridge?  Or
will you actually use it to route.  Are there any private IPs in use? 
If so, you have to turn off the block private addresses option in
m0n0wall.


> Now, the Quick Start documentation says:
> "5.3. Static IP addresses
> If you want to use a static IP address on your client machines, be sure to
> configure them in the same subnet as your m0n0wall LAN interface, using the
> appropriate DNS servers and the m0n0wall LAN IP address as the default
> gateway."
> 
> Now obviously, that scenario is not possible. My client machines need their
> own static IP. The network is fine as is (without the firewall in place).

The "static IP" in the context of the documentation is referring to a
static IP within a private address space of the LAN interface on the
m0n0wall.  To me, it sounds like you are looking to disable all
routing features of m0n0wall and just use it purely as a filtered
bridge.  If so, this doesn't apply to you because you have your own
Cisco 3660 router dealing with talking to anything and everything
outside of the client VLANs (including the m0n0wall).


> MY PROBLEM:
> 
> Now, last night I tried to install the firewall and when I plugged the LAN
> interface into a hub and a test machine into the same hub with the same
> subnet, I can reach the webGUI from the client which makes sense. If I try
> to access the m0n0wall (or the internet for that matter) from a machine
> behind the router, requests time out.

I suspect a private address somewhere in there.  If not, then the WAN
may be misconfigured.


> Is there a special configuration required so my client traffic can pass
> through the router, through the firewall and to the Internet? Maybe the
> better question would be, HOW would I do that? I thought I was doing it
> correctly. The firewall doesn't seem to want to pass anything through.
> 
> The router alone works fine. In conjunction with the firewall it doesn't.
> 
> Lastly, if I can't get this working on the testbed, I will be happy to pay
> someone to assist since I need this working (barebones at the least) by this
> afternoon so I can block TCP traffic in/out on ports 135-140.
> 
> I'm sort of new to configuring firewalls, so a QA session here would be
> best, then a crash course when I have more time.

I think it would be helpful to repost with a little more info.  The
diagram is somewhat confusing to depict where things are and what IPs
things have.


/sylikc