[ previous ] [ next ] [ threads ]
 
 From:  "Jordan T." <jordan at blue dash ferret dot com dot au>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Routing a seperate subnet over WAN to LAN
 Date:  Sat, 19 Mar 2005 03:49:32 +0800
Well i have just come back from site which had the monowall in question,
its currently 3am and im not a happy person.

it seems that monowall cant and can't handle routing subnets through to
the LAN, because it relies on NAT (painfully) to much.

Problem #1: Interface based port forwarding by default.

Firstly id like to identify a design error in the way port forwarding is
done. When one adds a port forward, and selects "Interface Address"
under "External address" of firewall_nat_edit.php, the IP used is NOT
the interface address, its actually 0.0.0.0/0 (any ip) on the selected
interface. This can be a major pain the backside when you have multiple
WAN IP addresses and dont want them all to have the same port
forwarding. Now before you start telling me to use Server Nat, consider
this: what if i have 2 WAN IP addresses, i want 1 to NAT/port forward,
and the other is an entire subnet that must be _routed_ onto the LAN -
an extremely simple task for ANY router. A clear solution to this was to
add the WAN interfaces IP address into Server Nat and use that to
selectively forward ports based on IP address, but alas, it wont let you
add the IP of the WAN interface to the Server Nat page, instead these
two lines of code kick in:

if ($_POST['ipaddr'] == $config['interfaces']['wan']['ipaddr'])
  $input_errors[] = "The WAN IP address may not be used in a Server NAT
entry.";

This confused me, what is the point of disallowing the user to specify
an IP just because its the primary IP of an interface? especially when
as i explained above, the default forward rule exists for 0.0.0.0/0.
Luckily for us, this kind of "error checking" only happens through the
webgui interface, the workaround is to download the xml config, find the
<nat> section, and use <external-address>X.X.X.X</external-address>
inside each <rule> block.


Problem 2: Secondary IP/Subnet routing is nearly non-existent

The lack of ability to assign secondary IP's to interfaces through the
gui is probably the biggest downside to m0n0wall i can see to date. I
overcame this by using an ifconfig alias statement inside a <shellcmd>
block in the config, and added a route to bring my public IP block onto
the LAN, but ran into all sorts of troubles regarding NAT, even with
advanced outbound NAT on, i found m0n0wall was either dropping packets,
or changing the headers which resulted in TCP checksum errors.

To save people going over past posts, here is the desired setup:
WAN: X.X.164.225/32
LAN: 192.168.100.254
LAN: X.X.165.53/30 (secondary/aliased IP)

A webserver on the LAN is assigned X.X.165.54/30 and uses the default
gateway of X.X.165.53. The webserver also has an alias of 192.168.100.3
for the rest of the LAN subnet.

The reason for doing this, is to overcome a NAT problem which is
outlined here: http://www.m0n0.ch/wall/docbook/faq-lannat.html

Problem 3: Firewall has a mind of its own?
After setting up the above network, with workarounds for problem #1 and
#2, i thought i was in business. Everything worked from the WAN, i could
access X.X.165.225 and its port forwards were fine, X.X.165.54 was being
routed to the webserver aswell, but when i tried to access X.X.165.54
from the LAN (192.168.100.0/24), i found at first my packets weren't
reaching the destination, instead of being Routed OR NAT'd, they were
being dropped by the "default deny rule". Even after i had put an allow
rule for any source going to any destination over any protocol on _both_
the LAN & WAN, the packets were still being dropped. I used the "log
packets blocked by default rule" option to confirm they were not being
passed as per my allow rules (which were placed at the top of my rule
list, below port forwards).

I still cannot get this working from inside my LAN, if anyone has any
ideas they would be muchly appreciated.

Jordan.



On Fri, 2005-03-18 at 10:06, Jordan T. wrote:
> We had this setup on a cisco 2611 previously with the same interface
> configuration, so yes this is setup correctly by the ISP.
> 
> Jordan.
> 
> 
> On Fri, 2005-03-18 at 09:55, Chris Buechler wrote:
> > On Thu, 17 Mar 2005 16:50:06 +0800, Jordan T. <jordan at blue dash ferret dot com dot au> wrote:
> > > From exec.php, you could issue "/sbin/ifconfig <int> <address> netmask
> > > <netmask> alias" but im not sure that it would route the whole subnet as
> > > i want. You can even throw this in the config to come up at boot by
> > > using <shellcmd>/sbin/ifconfig bge0 X.X.X.X netmask 255.255.255.X
> > > alias</shellcmd> inside the <system> block. an example in my case would
> > > be "ifconfig vr0 X.X.165.53 netmask 255.255.255.252 alias", im hoping it
> > > will add a route for the rest of the subnet too, and enable routing of
> > > other IP's through to the LAN.
> > > 
> > 
> > 
> > You'd either have to use an additional interface or a VLAN.  You could
> > put in the ifconfig alias but that's not recommended and not
> > supported.  I'm not sure how or if outbound NAT would behave with
> > that.  You'll definitely need advanced outbound NAT if you're going to
> > try that.
> > 
> > Additionally, your ISP will need a route to that .165.53/30 net
> > pointing to your m0n0wall WAN IP.  My guess is that's not the way it's
> > setup, and they might not be willing to do so.  They're probably
> > expecting both networks to be on the WAN side, in which case you'd
> > need two firewalls.
> > 
> > Are they actually assigning you a /30 subnet, or those usable IP's
> > within a bigger subnet?  i.e. if you were putting a system directly on
> > the internet with one of those IP's, what would it use as a default
> > gateway?  Would you need a router on that subnet to use them?
> > 
> > -Chris
signature.asc (0.2 KB, application/pgp-signature)