 From:  Don Munyak <don dot munyak at gmail dot com>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Lost inbound traffic to webservers
 Date:  Mon, 28 Mar 2005 11:41:28 -0500
-- follow up

I will start over, just in case my first thread is unclear.
I had to put the old router/firewall back inline until I can figure this out.

This weekend (Saturday) I changed out the old router/firewall and
installed a new router and m0n0wall. The new router is basically the
same hardware and IOS, just stripped down.

The router was set up to do nothing but route packets. No ACLs.
m0n0wall ver 1.11 is installed on a PC running from a hard drive.
m0n0wall was initially setup with three interfaces.
I am not using the <opt1>DMZ network yet. Until I move the servers
over to DMZ, they are currently on the LAN network. So our network
currently looks like this:

internet--router--monowall--LAN--

m0n0wall is using NAT 1:1 server mappings for webservers AND is being
used as a NAT/PAT gateway for internal employees' access to the internet.
Internet access from LAN client workstations is working fine. Inbound
access to webservers has stopped. Inbound translations seem to have
stopped working properly.

I do not have any m0n0wall configuration for the following:
- Static Mapping
- Firewall:NAT Inbound
- Firewall:NAT ServerNAT
- Firewall:NAT Outbound
- ProxyARP

Only NAT 1:1 and Firewall Rules.

No other services like Traffic Shaper, Dynamic DNS, SNMP, or Captive
Portal are enabled.

Everything was working Saturday night before I left. Everything being:
I could gain access outbound and inbound traffic to webservers was
also working.

A copy of the config.xml is below

>> Steps I took to troubleshoot this morning.

From a laptop separate from the LAN, I made an ISP connection using a
dialup account. Since there are no ACLs on the router, I can ping the
router serial and ethernet ports. I cannot access the websites we
host.

Before enabling ICMP, when I ping the m0n0wall WAN interface, this
gets logged to the firewall log. When I ping a NAT 1:1 server mapping,
nothing gets written to the firewall log. No access to servers.

From a computer on the LAN, I can get internet connectivity (gmail, etc.).
From a computer on the LAN, I cannot get to any of our websites (this
did work Saturday).

From a router console session I can ping the router ethernet and serial ports.

As a test I enabled a firewall rule for ICMP on the m0n0wall WAN interface
and one (1) NAT 1:1 server mapping AA.43.155.34 ->> 192.168.222.4

From the laptop with the ISP connection, I can PING the m0n0wall WAN interface.
From the laptop with the ISP connection, I cannot PING the server
mapping... request timed out. AND nothing gets written to the firewall
log.

Additionally, I shut down and restarted both the router and m0n0wall... no success.
I have called our service provider to inquire about any DNS issues.
None are reported. It appears to be a m0n0wall issue, since, with
the old router/firewall back in-line, we have had no further issues.

About the only strange thing I can see:

Saturday night I could see all kinds of traffic being blocked directed
at the NAT 1:1 server mappings, and relatively little being logged for
the m0n0wall WAN public IP.

Today, there is nothing being logged for the NAT server 1:1 mappings,
and almost all the blocked traffic is for the m0n0wall WAN public IP.

The only change I know of that is different from Saturday night is the
introduction of outbound/inbound traffic from employees here Monday
morning.

This config does not show the ICMP rule. It is the config.xml saved
from Saturday night.
Here's a scrubbed copy of the config.xml:

<?xml version="1.0"?>
<m0n0wall>
	<version>1.4</version>
	<system>
		<hostname>m0n0wall</hostname>
		<domain>pmg.local</domain>
		<username>admin</username>
		<password>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</password>
		<timezone>Etc/GMT-5</timezone>
		<time-update-interval>300</time-update-interval>
		<timeservers>129.6.15.28</timeservers>
		<webgui>
			<protocol>https</protocol>
			<port>443</port>
			<certificate/>
			<private-key/>
		</webgui>
		<disablefirmwarecheck/>
		<dnsserver>AA.255.85.10</dnsserver>
		<dnsserver>AA.255.85.11</dnsserver>
	</system>
	<interfaces>
		<lan>
			<if>rl1</if>
			<ipaddr>192.168.222.1</ipaddr>
			<subnet>24</subnet>
		</lan>
		<wan>
			<if>xl0</if>
			<mtu/>
			<blockpriv/>
			<ipaddr>AA.43.155.45</ipaddr>
			<subnet>28</subnet>
			<gateway>AA.43.155.33</gateway>
			<spoofmac/>
		</wan>
		<opt1>
			<if>rl0</if>
			<descr>DMZ</descr>
			<ipaddr>192.168.2.1</ipaddr>
			<subnet>24</subnet>
			<bridge/>
			<enable/>
		</opt1>
	</interfaces>
	<staticroutes/>
	<pppoe/>
	<pptp/>
	<bigpond/>
	<dyndns>
		<type>dyndns</type>
		<username/>
		<password/>
		<host/>
		<mx/>
	</dyndns>
	<dhcpd>
		<lan>
			<range>
				<from>192.168.1.100</from>
				<to>192.168.1.199</to>
			</range>
		</lan>
	</dhcpd>
	<pptpd>
		<mode/>
		<redir/>
		<localip/>
		<remoteip/>
	</pptpd>
	<dnsmasq>
		<enable/>
	</dnsmasq>
	<snmpd>
		<syslocation/>
		<syscontact/>
		<rocommunity>public</rocommunity>
	</snmpd>
	<diag>
		<ipv6nat>
			<ipaddr/>
		</ipv6nat>
	</diag>
	<bridge/>
	<syslog>
		<reverse/>
		<nentries>50</nentries>
		<remoteserver/>
	</syslog>
	<nat>
		<onetoone>
			<external>AA.43.155.34</external>
			<internal>192.168.222.4</internal>
			<subnet>32</subnet>
			<descr>P0030 Web Server</descr>
			<interface>wan</interface>
		</onetoone>
		<onetoone>
			<external>AA.43.155.36</external>
			<internal>192.168.222.6</internal>
			<subnet>32</subnet>
			<descr>P0030 Web Server</descr>
			<interface>wan</interface>
		</onetoone>
		<onetoone>
			<external>AA.43.155.38</external>
			<internal>192.168.222.8</internal>
			<subnet>32</subnet>
			<descr>edi.p-a-link.com</descr>
			<interface>wan</interface>
		</onetoone>
		<onetoone>
			<external>AA.43.155.39</external>
			<internal>192.168.222.9</internal>
			<subnet>32</subnet>
			<descr>edi.p-a-link.com</descr>
			<interface>wan</interface>
		</onetoone>
		<onetoone>
			<external>AA.43.155.46</external>
			<internal>192.168.222.18</internal>
			<subnet>32</subnet>
			<descr>Mail Server</descr>
			<interface>wan</interface>
		</onetoone>
	</nat>
	<filter>
		<rule>
			<type>pass</type>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.222.4</address>
				<port>80</port>
			</destination>
			<descr>P0030 Webserver</descr>
		</rule>
		<rule>
			<type>pass</type>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.222.4</address>
				<port>443</port>
			</destination>
			<descr>P0030 Webserver</descr>
		</rule>
		<rule>
			<type>pass</type>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.222.6</address>
				<port>80</port>
			</destination>
			<descr>P0030 Webserver</descr>
		</rule>
		<rule>
			<type>pass</type>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.222.6</address>
				<port>443</port>
			</destination>
			<descr>P0030 Webserver HTTPS</descr>
		</rule>
		<rule>
			<type>pass</type>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.222.8</address>
				<port>80</port>
			</destination>
			<descr>edi.p-a-link.com</descr>
		</rule>
		<rule>
			<type>pass</type>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.222.8</address>
				<port>443</port>
			</destination>
			<descr>edi.p-a-link.com HTTPS</descr>
		</rule>
		<rule>
			<type>pass</type>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.222.9</address>
				<port>80</port>
			</destination>
			<descr>edi2.p-a-link.com</descr>
		</rule>
		<rule>
			<type>pass</type>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.222.9</address>
				<port>443</port>
			</destination>
			<descr>edi2.p-a-link.com HTTPS</descr>
		</rule>
		<rule>
			<type>pass</type>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.222.18</address>
				<port>25</port>
			</destination>
			<descr>Mail Server</descr>
		</rule>
		<rule>
			<type>pass</type>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.222.18</address>
				<port>110</port>
			</destination>
			<descr>Mail Server</descr>
		</rule>
		<rule>
			<type>pass</type>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.222.18</address>
				<port>32000</port>
			</destination>
			<descr>Mail Server</descr>
		</rule>
		<rule>
			<type>pass</type>
			<descr>Default LAN -&gt; any</descr>
			<interface>lan</interface>
			<source>
				<network>lan</network>
			</source>
			<destination>
				<any/>
			</destination>
		</rule>
	</filter>
	<shaper/>
	<ipsec/>
	<aliases/>
	<proxyarp>
	</proxyarp>
	<wol/>
</m0n0wall>
Thanks,
- Don
On Mon, 28 Mar 2005 10:54:07 -0500, Chris Buechler <cbuechler at gmail dot com> wrote:
> On Mon, 28 Mar 2005 10:08:02 -0500, Don Munyak <don dot munyak at gmail dot com> wrote:
> > All of a sudden we lost the ability for inbound traffic to webserver.
> > m0n0wall 1.1 running on pc workstation
> > webserver traffic setup using NAT 1:1
> > Rules allow only http/https
> >
> > This was running fine Saturday night.
> >
> > I setup as a test to ping the dedicated m0n0wall WAN IP with ICMP
> > I can ping the WAN IP.
> >
> > I allowed ICMP for one of the webserver IPs
> > ICMP times out
> >
> > For an IP I am using NAT 1:1 for a webserver, when I PING that
> > interface, ICMP times out and monowall does not report a firewall rule
> > log.
> >
> > From a console session into the border router, trying to PING a
> > webserver IP that I am allowing in the rules, the console ping times
> > out.
> >
> > From a console session into the border router, trying to PING a
> > webserver IP that I am NOT allowing in the rules, the console ping
> > times out AND m0n0wall does not report a firewall rule in the log file
> >
> > It's like, now that there are employees in the building, NAT 1:1
> > stopped working.
> > The m0n0wall doesn't appear to be translating the additional IPs any more.
> > There is also now a lot of traffic showing up in the log for the
> > monowall WAN IP.
> >
> 
> If I understand correctly, you can't ping from m0n0wall to the DMZ
> servers, and can't ping from the DMZ servers to the OPT interface.
> Sounds like you've lost link between the switch with the servers and
> m0n0wall.  Check your cabling, NIC, and link lights.
> 
> -Chris
>
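A config like the one posted above has a few invariants a reviewer would check before looking for a link or cabling fault: every 1:1 NAT external address should fall inside the WAN block (the posted WAN is a /28, so AA.43.155.32 to .47), every 1:1 mapped internal host should have a WAN pass rule written against its internal address (which is how the posted rules are written), no WAN rule should point at an address that nothing translates to, and a DHCP range should sit inside the subnet it is served on (the posted range is 192.168.1.100-199 while LAN is 192.168.222.0/24; dhcpd is not enabled in that config, so this is a consistency observation, not a cause). The script below is an added example, not code from the post or from the m0n0wall project. It relies only on element names visible in the posted config, and the sample it parses is constructed: the scrubbed "AA" addresses are replaced with the 203.0.113.0/24 documentation range, and one mapping, one rule, and the DHCP range are deliberately wrong so each check fires.

```python
"""Consistency checks over an m0n0wall-style config.xml.

Added example; not from the mailing-list post or the m0n0wall project.
SAMPLE_CONFIG is constructed to mirror the shape of the posted config,
with 203.0.113.x standing in for the scrubbed public addresses.
"""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0"?>
<m0n0wall>
  <interfaces>
    <lan><if>rl1</if><ipaddr>192.168.222.1</ipaddr><subnet>24</subnet></lan>
    <wan><if>xl0</if><ipaddr>203.0.113.45</ipaddr><subnet>28</subnet>
         <gateway>203.0.113.33</gateway></wan>
  </interfaces>
  <dhcpd><lan><range><from>192.168.1.100</from><to>192.168.1.199</to></range></lan></dhcpd>
  <nat>
    <onetoone><external>203.0.113.34</external><internal>192.168.222.4</internal>
              <subnet>32</subnet><descr>Web Server</descr><interface>wan</interface></onetoone>
    <onetoone><external>203.0.113.46</external><internal>192.168.222.18</internal>
              <subnet>32</subnet><descr>Mail Server</descr><interface>wan</interface></onetoone>
    <onetoone><external>203.0.113.60</external><internal>192.168.222.9</internal>
              <subnet>32</subnet><descr>Outside WAN block</descr><interface>wan</interface></onetoone>
  </nat>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
          <source><any/></source>
          <destination><address>192.168.222.4</address><port>80</port></destination></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
          <source><any/></source>
          <destination><address>192.168.222.4</address><port>443</port></destination></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
          <source><any/></source>
          <destination><address>192.168.222.7</address><port>80</port></destination></rule>
    <rule><type>pass</type><interface>lan</interface>
          <source><network>lan</network></source><destination><any/></destination></rule>
  </filter>
</m0n0wall>
"""


def _iface_net(root, name):
    """Return (address, network) built from an interface's <ipaddr>/<subnet>."""
    node = root.find(f"interfaces/{name}")
    iface = ipaddress.ip_interface(f"{node.findtext('ipaddr')}/{int(node.findtext('subnet'))}")
    return iface.ip, iface.network


def check_config(xml_text):
    """Run the consistency checks and return a sorted list of finding strings."""
    root = ET.fromstring(xml_text)
    findings = []
    wan_ip, wan_net = _iface_net(root, "wan")
    _lan_ip, lan_net = _iface_net(root, "lan")

    # 1:1 mappings: external must be inside the WAN block and must not be the
    # WAN address itself; the internal side must be a LAN host.
    mappings = {}  # internal address -> external address
    for m in root.findall("nat/onetoone"):
        ext = ipaddress.ip_address(m.findtext("external"))
        internal = ipaddress.ip_address(m.findtext("internal"))
        descr = m.findtext("descr") or ""
        mappings[internal] = ext
        if ext not in wan_net:
            findings.append(f"1:1 external {ext} ({descr}) is outside WAN subnet {wan_net}")
        if ext == wan_ip:
            findings.append(f"1:1 external {ext} ({descr}) collides with the WAN address")
        if internal not in lan_net:
            findings.append(f"1:1 internal {internal} ({descr}) is not in LAN subnet {lan_net}")

    # m0n0wall 1:1 rules are written against the internal (post-translation)
    # address, so collect the destinations of every WAN pass rule.
    wan_rule_targets = set()
    for r in root.findall("filter/rule"):
        if r.findtext("interface") != "wan" or r.findtext("type") != "pass":
            continue
        addr = r.findtext("destination/address")
        if addr is not None:
            wan_rule_targets.add(ipaddress.ip_address(addr))

    for internal, ext in mappings.items():
        if internal not in wan_rule_targets:
            findings.append(f"1:1 mapping {ext}->{internal} has no WAN pass rule; inbound traffic is dropped")
    for target in wan_rule_targets - set(mappings):
        findings.append(f"WAN pass rule to {target} matches no 1:1 mapping; nothing translates to it")

    # DHCP range (checked whether or not dhcpd is enabled) must lie inside LAN.
    rng = root.find("dhcpd/lan/range")
    if rng is not None:
        lo = ipaddress.ip_address(rng.findtext("from"))
        hi = ipaddress.ip_address(rng.findtext("to"))
        if lo not in lan_net or hi not in lan_net:
            findings.append(f"DHCP range {lo}-{hi} lies outside LAN subnet {lan_net}")

    return sorted(findings)


if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG):
        print(line)
```

Point `check_config` at the text of a real config.xml (the file the web GUI backs up) and an empty list means the four invariants hold; on the constructed sample it reports the out-of-block external, the two mappings without a WAN rule, the orphan rule to 192.168.222.7, and the misplaced DHCP range.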