-- follow up

I will start over, just in case my first thread is unclear. I had to put the old router/firewall back inline until I can figure this out.

This weekend (Saturday) I changed out the old router/firewall and installed a new router and m0n0wall. The new router is basically the same hardware and IOS, just stripped down. The router was set up to do nothing but route packets. No ACLs.

m0n0wall ver 1.11 is installed on a PC running from hard drive. m0n0wall was initially set up with three interfaces. I am not using the <opt1> DMZ network yet. Until I move the servers over to DMZ, they are currently on the LAN network. So our network currently looks like this:

internet--router--m0n0wall--LAN--

m0n0wall is using NAT 1:1 server mappings for webservers AND is being used as a NAT/PAT gateway for internal employees' access to the internet. Internet access from LAN client workstations is working fine. Inbound access to webservers has stopped. Inbound translations seem to have stopped working properly.

I do not have any m0n0wall configuration for the following:
- Static Mapping
- Firewall:NAT Inbound
- Firewall:NAT ServerNAT
- Firewall:NAT Outbound
- ProxyARP

Only NAT 1:1 and Firewall Rules. No other services like Traffic Shaper, Dynamic DNS, SNMP, Captive Portal are enabled.

Everything was working Saturday night before I left. Everything being: I could gain access outbound, and inbound traffic to webservers was also working. A copy of the config.xml is below.

>> Steps I took to troubleshoot this morning.

From a laptop separate from the LAN, I made an ISP connection using a dialup account. Since there are no ACLs on the router, I can ping the router serial and ethernet ports. I cannot access the websites we host. Before enabling ICMP, when I ping the m0n0wall WAN interface, this gets logged to the firewall log. When I ping a NAT 1:1 server mapping, nothing gets written to the firewall log. No access to servers.
From a computer on the LAN, I can get internet connectivity (gmail, etc...). From a computer on the LAN, I cannot get to any of our websites (this did work Saturday). From a router console session I can ping the router ethernet and serial ports.

As a test I enabled a firewall rule ICMP for the m0n0wall WAN interface and one (1) NAT 1:1 server mapping AA.43.155.34 ->> 192.168.222.4. From the laptop with the ISP connection, I can PING the m0n0wall WAN interface. From the laptop with the ISP connection, I cannot PING the server mapping... request timed out. AND nothing gets written to the firewall log.

Additionally, I shut down and restarted both the router and m0n0wall... no success. I have called our service provider to inquire about any DNS issues. None are reported.

It appears to be a m0n0wall issue, since after putting the old router/firewall back in-line, we have had no further issues.

About the only strange thing I can see: Saturday night I could see all kinds of traffic being blocked directed at the NAT 1:1 server mappings, and relatively little being logged for the m0n0wall WAN public IP. Today, there is nothing being logged for the NAT 1:1 server mappings, and almost all the blocked traffic is for the m0n0wall WAN public IP. The only change I know of from Saturday night is the introduction of outbound/inbound traffic from employees here Monday morning.

This config does not show the ICMP rule. It is the config.xml saved from Saturday night.
Here's a scrubbed copy of the config.xml:

<?xml version="1.0"?>
<m0n0wall>
  <version>1.4</version>
  <system>
    <hostname>m0n0wall</hostname>
    <domain>pmg.local</domain>
    <username>admin</username>
    <password>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</password>
    <timezone>Etc/GMT-5</timezone>
    <time-update-interval>300</time-update-interval>
    <timeservers>129.6.15.28</timeservers>
    <webgui>
      <protocol>https</protocol>
      <port>443</port>
      <certificate/>
      <private-key/>
    </webgui>
    <disablefirmwarecheck/>
    <dnsserver>AA.255.85.10</dnsserver>
    <dnsserver>AA.255.85.11</dnsserver>
  </system>
  <interfaces>
    <lan>
      <if>rl1</if>
      <ipaddr>192.168.222.1</ipaddr>
      <subnet>24</subnet>
    </lan>
    <wan>
      <if>xl0</if>
      <mtu/>
      <blockpriv/>
      <ipaddr>AA.43.155.45</ipaddr>
      <subnet>28</subnet>
      <gateway>AA.43.155.33</gateway>
      <spoofmac/>
    </wan>
    <opt1>
      <if>rl0</if>
      <descr>DMZ</descr>
      <ipaddr>192.168.2.1</ipaddr>
      <subnet>24</subnet>
      <bridge/>
      <enable/>
    </opt1>
  </interfaces>
  <staticroutes/>
  <pppoe/>
  <pptp/>
  <bigpond/>
  <dyndns>
    <type>dyndns</type>
    <username/>
    <password/>
    <host/>
    <mx/>
  </dyndns>
  <dhcpd>
    <lan>
      <range>
        <from>192.168.1.100</from>
        <to>192.168.1.199</to>
      </range>
    </lan>
  </dhcpd>
  <pptpd>
    <mode/>
    <redir/>
    <localip/>
    <remoteip/>
  </pptpd>
  <dnsmasq>
    <enable/>
  </dnsmasq>
  <snmpd>
    <syslocation/>
    <syscontact/>
    <rocommunity>public</rocommunity>
  </snmpd>
  <diag>
    <ipv6nat>
      <ipaddr/>
    </ipv6nat>
  </diag>
  <bridge/>
  <syslog>
    <reverse/>
    <nentries>50</nentries>
    <remoteserver/>
  </syslog>
  <nat>
    <onetoone>
      <external>AA.43.155.34</external>
      <internal>192.168.222.4</internal>
      <subnet>32</subnet>
      <descr>P0030 Web Server</descr>
      <interface>wan</interface>
    </onetoone>
    <onetoone>
      <external>AA.43.155.36</external>
      <internal>192.168.222.6</internal>
      <subnet>32</subnet>
      <descr>P0030 Web Server</descr>
      <interface>wan</interface>
    </onetoone>
    <onetoone>
      <external>AA.43.155.38</external>
      <internal>192.168.222.8</internal>
      <subnet>32</subnet>
      <descr>edi.p-a-link.com</descr>
      <interface>wan</interface>
    </onetoone>
    <onetoone>
      <external>AA.43.155.39</external>
      <internal>192.168.222.9</internal>
      <subnet>32</subnet>
      <descr>edi.p-a-link.com</descr>
      <interface>wan</interface>
    </onetoone>
    <onetoone>
      <external>AA.43.155.46</external>
      <internal>192.168.222.18</internal>
      <subnet>32</subnet>
      <descr>Mail Server</descr>
      <interface>wan</interface>
    </onetoone>
  </nat>
  <filter>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source>
        <any/>
      </source>
      <destination>
        <address>192.168.222.4</address>
        <port>80</port>
      </destination>
      <descr>P0030 Webserver</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source>
        <any/>
      </source>
      <destination>
        <address>192.168.222.4</address>
        <port>443</port>
      </destination>
      <descr>P0030 Webserver</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source>
        <any/>
      </source>
      <destination>
        <address>192.168.222.6</address>
        <port>80</port>
      </destination>
      <descr>P0030 Webserver</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source>
        <any/>
      </source>
      <destination>
        <address>192.168.222.6</address>
        <port>443</port>
      </destination>
      <descr>P0030 Webserver HTTPS</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source>
        <any/>
      </source>
      <destination>
        <address>192.168.222.8</address>
        <port>80</port>
      </destination>
      <descr>edi.p-a-link.com</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source>
        <any/>
      </source>
      <destination>
        <address>192.168.222.8</address>
        <port>443</port>
      </destination>
      <descr>edi.p-a-link.com HTTPS</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source>
        <any/>
      </source>
      <destination>
        <address>192.168.222.9</address>
        <port>80</port>
      </destination>
      <descr>edi2.p-a-link.com</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source>
        <any/>
      </source>
      <destination>
        <address>192.168.222.9</address>
        <port>443</port>
      </destination>
      <descr>edi2.p-a-link.com HTTPS</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source>
        <any/>
      </source>
      <destination>
        <address>192.168.222.18</address>
        <port>25</port>
      </destination>
      <descr>Mail Server</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source>
        <any/>
      </source>
      <destination>
        <address>192.168.222.18</address>
        <port>110</port>
      </destination>
      <descr>Mail Server</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source>
        <any/>
      </source>
      <destination>
        <address>192.168.222.18</address>
        <port>32000</port>
      </destination>
      <descr>Mail Server</descr>
    </rule>
    <rule>
      <type>pass</type>
      <descr>Default LAN -> any</descr>
      <interface>lan</interface>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <any/>
      </destination>
    </rule>
  </filter>
  <shaper/>
  <ipsec/>
  <aliases/>
  <proxyarp>
  </proxyarp>
  <wol/>
</m0n0wall>

Thanks,
- Don

On Mon, 28 Mar 2005 10:54:07 -0500, Chris Buechler <cbuechler at gmail dot com> wrote:
> On Mon, 28 Mar 2005 10:08:02 -0500, Don Munyak <don dot munyak at gmail dot com> wrote:
> > All of a sudden we lost the ability for inbound traffic to webserver.
> > m0n0wall 1.1 running on pc workstation
> > webserver traffic setup using NAT 1:1
> > Rules allow only http/https
> >
> > This was running fine Saturday night.
> >
> > I setup as a test to ping the dedicated m0n0wall WAN IP with ICMP
> > I can ping the WAN IP.
> >
> > I allowed ICMP for one of the webserver IPs
> > ICMP times out
> >
> > For an IP I am using NAT 1:1 for a webserver, when I PING that
> > interface, ICMP times out and m0n0wall does not report a firewall rule
> > log.
> >
> > From a console session into the border router, trying to PING a
> > webserver IP that I am allowing in the rules, the console ping times
> > out.
> >
> > From a console session into the border router, trying to PING a
> > webserver IP that I am NOT allowing in the rules, the console ping
> > times out AND m0n0wall does not report a firewall rule in the log file
> >
> > It's like, now that there are employees in the building, NAT 1:1
> > stopped working.
> > The m0n0wall doesn't appear to be translating the additional IPs any more.
> > There is also now a lot of traffic showing up in the log for the
> > m0n0wall WAN IP.
> >
>
> If I understand correctly, you can't ping from m0n0wall to the DMZ
> servers, and can't ping from the DMZ servers to the OPT interface.
> Sounds like you've lost link between the switch with the servers and
> m0n0wall. Check your cabling, NIC, and link lights.
>
> -Chris
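The posted config.xml has the structure a consistency check can work with: WAN and LAN addresses with prefix lengths, 1:1 mappings, and WAN pass rules written against the internal (post-NAT) addresses. The script below is an added example for this thread, not code from the original post or from the m0n0wall project. It parses that structure with Python's standard library and reports the mismatches that would explain inbound 1:1 traffic failing before any cabling question arises: a 1:1 external address outside the WAN subnet (the upstream router will never forward to it), a mapping with no matching WAN pass rule (the packet hits the default deny), a WAN rule with no mapping behind it, and a DHCP range outside the LAN subnet. The embedded sample config is constructed: 203.0.113.0/24 (RFC 5737 documentation space) stands in for the scrubbed "AA.43.155.x" block, and one mapping and one rule are deliberately inconsistent so every check fires. Run against the real posted file, the only finding would be the DHCP one, since its range 192.168.1.100-199 is outside the 192.168.222.0/24 LAN (DHCP on LAN is not enabled there, so it is harmless, but worth knowing).

```python
"""Consistency checks for a m0n0wall-style config.xml (added example, not
part of the original post or of m0n0wall itself)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config modelled on the posted file's structure.
# 203.0.113.0/24 (RFC 5737) stands in for the scrubbed "AA.43.155.x" block.
# The second mapping and the mail rule are deliberately inconsistent.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<m0n0wall>
  <interfaces>
    <lan><if>rl1</if><ipaddr>192.168.222.1</ipaddr><subnet>24</subnet></lan>
    <wan><if>xl0</if><ipaddr>203.0.113.45</ipaddr><subnet>28</subnet>
         <gateway>203.0.113.33</gateway></wan>
  </interfaces>
  <dhcpd><lan><range><from>192.168.1.100</from><to>192.168.1.199</to></range></lan></dhcpd>
  <nat>
    <onetoone><external>203.0.113.34</external><internal>192.168.222.4</internal>
              <subnet>32</subnet><descr>web1</descr><interface>wan</interface></onetoone>
    <onetoone><external>203.0.113.60</external><internal>192.168.222.6</internal>
              <subnet>32</subnet><descr>web2</descr><interface>wan</interface></onetoone>
  </nat>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
          <source><any/></source>
          <destination><address>192.168.222.4</address><port>80</port></destination>
          <descr>web1</descr></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
          <source><any/></source>
          <destination><address>192.168.222.18</address><port>25</port></destination>
          <descr>mail without a 1:1 mapping</descr></rule>
    <rule><type>pass</type><interface>lan</interface>
          <source><network>lan</network></source><destination><any/></destination>
          <descr>Default LAN -> any</descr></rule>
  </filter>
</m0n0wall>
"""


def _iface_network(iface):
    """Return the ip_network an interface block (<lan>, <wan>, ...) sits on."""
    return ipaddress.ip_network(
        f"{iface.findtext('ipaddr')}/{iface.findtext('subnet')}", strict=False)


def check_config(xml_text):
    """Return a list of human-readable findings; an empty list means consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    wan = root.find("interfaces/wan")
    wan_net = _iface_network(wan)
    lan_net = _iface_network(root.find("interfaces/lan"))

    gw = ipaddress.ip_address(wan.findtext("gateway"))
    if gw not in wan_net:
        findings.append(f"WAN gateway {gw} is not inside WAN subnet {wan_net}")

    # 1:1 mappings: the external address must lie in the WAN subnet, otherwise the
    # upstream router has nowhere to send inbound packets for it.
    mappings = {}  # internal address -> external address
    for m in root.iterfind("nat/onetoone"):
        ext = ipaddress.ip_address(m.findtext("external"))
        internal = m.findtext("internal")
        mappings[internal] = ext
        if ext not in wan_net:
            findings.append(f"1:1 external {ext} ({m.findtext('descr')}) "
                            f"is outside WAN subnet {wan_net}")
        if ipaddress.ip_address(internal) not in lan_net:
            findings.append(f"1:1 internal {internal} is not on LAN subnet {lan_net}")

    # WAN pass rules name the post-NAT (internal) address, as in the posted config.
    # Every mapping needs at least one, and every such rule should have a mapping.
    ruled = set()
    for r in root.iterfind("filter/rule"):
        if r.findtext("interface") != "wan" or r.findtext("type") != "pass":
            continue
        addr = r.findtext("destination/address")
        if addr is None:  # destination <any/> or a network, not a host rule
            continue
        ruled.add(addr)
        if addr not in mappings:
            port = r.findtext("destination/port") or "any"
            findings.append(f"WAN pass rule to {addr}:{port} has no 1:1 mapping behind it")
    for internal, ext in mappings.items():
        if internal not in ruled:
            findings.append(f"1:1 mapping {ext} -> {internal} has no WAN pass rule; "
                            f"inbound traffic hits the default deny")

    # DHCP: a range outside the LAN subnet hands out unusable leases once enabled.
    dhcp_lan = root.find("dhcpd/lan")
    if dhcp_lan is not None:
        state = "enabled" if dhcp_lan.find("enable") is not None else "not enabled"
        for rng in dhcp_lan.iterfind("range"):
            lo = ipaddress.ip_address(rng.findtext("from"))
            hi = ipaddress.ip_address(rng.findtext("to"))
            if lo not in lan_net or hi not in lan_net:
                findings.append(f"DHCP range {lo}-{hi} lies outside LAN subnet "
                                f"{lan_net} (DHCP on LAN is {state})")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

To use it on a real file, read config.xml into a string and pass it to check_config(); no finding about the mappings or rules means the layer-3 configuration is self-consistent and the fault has to be sought elsewhere, for example in link state, ARP on the upstream router, or the server's default gateway.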