 From:  Don Munyak <don dot munyak at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Lost inbound traffic to webservers
 Date:  Mon, 28 Mar 2005 23:16:18 -0500
As a follow-up.

The problem was solved by Chris.
I needed to turn on ProxyARP

Thanks Chris

- Don


On Mon, 28 Mar 2005 11:41:28 -0500, Don Munyak <don dot munyak at gmail dot com> wrote:
> -- follow up
> 
> I will start over, just in case my first thread is unclear.
> I had to put the old router/firewall back inline until I can figure this out.
> 
> This weekend (Saturday) I changed out the old router/firewall and
> installed a new router and m0n0wall. The new router is basically the
> same hardware and IOS, just stripped down.
> 
> The router was set up to do nothing but route packets. No ACLs.
> m0n0wall ver 1.11 is installed on a PC running from hard drive.
> m0n0wall was initially setup with three interfaces.
> I am not using the <opt1>DMZ network yet. Until I move the servers
> over to DMZ, they are currently on the LAN network. So our network
> currently looks like this:
> 
> internet--router--m0n0wall--LAN--
> 
> m0n0wall is using NAT 1:1 server mappings for webservers AND being
> used as a NAT/PAT gateway for internal employees' access to the internet.
> Internet access from LAN client workstations is working fine. Inbound
> access to webservers has stopped. Inbound translations seem to have
> stopped working properly.
> 
> I do not have any m0n0wall configurations for the following:
> - Static Mapping
> - Firewall:NAT Inbound
> - Firewall:NAT ServerNAT
> - Firewall:NAT Outbound
> - ProxyARP
> 
> Only NAT 1:1 and Firewall Rules.
> 
> No other services like Traffic Shaper, Dynamic DNS, SNMP, Captive
> Portal are enabled.
> 
> Everything was working Saturday night before I left. Everything being:
> I could gain access outbound and inbound traffic to webservers was
> also working.
> 
> A copy of the config.xml is below
> 
> >> Steps I took to troubleshoot this morning.
> 
> From a laptop separate from the LAN, I made an ISP connection using a
> dialup account. Since there are no ACLs on the router, I can ping the
> router serial and ethernet ports. I cannot access the websites we
> host.
> 
> Before enabling ICMP, when I ping the m0n0wall WAN interface, this
> gets logged to the firewall log. When I ping a NAT 1:1 server mapping,
> nothing gets written to the firewall log. No access to servers.
> 
> From a computer on the LAN, I can get internet connectivity (gmail, etc...)
> From a computer on the LAN, I cannot get to any of our websites ( this
> did work Saturday)
> 
> From a router console session I can ping the router ethernet and serial ports.
> 
> As a test I enabled a firewall rule ICMP for the m0n0wall WAN interface
> and one (1) NAT 1:1 server mapping AA.43.155.34 -> 192.168.222.4
> 
> From the Laptop with the ISP connection, I can PING the m0n0wall WAN interface.
> From the Laptop with the ISP connection, I cannot PING the server
> mapping...request time out. AND nothing gets written to the firewall
> log.
> 
> Additionally, I shut down and restarted both the router and m0n0wall...no success.
> I have called our service provider to inquire about any DNS issues.
> None are reported. It appears to be a m0n0wall issue, since after putting
> the old router/firewall back in-line we have had no further issues.
> 
> About the only strange thing I can see:
> 
> Saturday night I could see all kinds of traffic being blocked directed
> at the NAT 1:1 server mapping, and relatively little being logged for
> the m0n0wall WAN public IP.
> 
> Today, there is nothing being logged for the NAT server 1:1 mappings,
> and almost all the blocked traffic is for the m0n0wall WAN public IP.
> 
> The only change I know of different from Saturday night is the
> introduction of outbound/inbound traffic from employees here Monday
> morning.
> 
> This config does not show the ICMP rule. It is the config.xml saved
> from Saturday night.
> Here's a scrubbed copy of the config.xml
> 
> <?xml version="1.0"?>
> <m0n0wall>
>         <version>1.4</version>
>         <system>
>                 <hostname>m0n0wall</hostname>
>                 <domain>pmg.local</domain>
>                 <username>admin</username>
>                 <password>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</password>
>                 <timezone>Etc/GMT-5</timezone>
>                 <time-update-interval>300</time-update-interval>
>                 <timeservers>129.6.15.28</timeservers>
>                 <webgui>
>                         <protocol>https</protocol>
>                         <port>443</port>
>                         <certificate/>
>                         <private-key/>
>                 </webgui>
>                 <disablefirmwarecheck/>
>                 <dnsserver>AA.255.85.10</dnsserver>
>                 <dnsserver>AA.255.85.11</dnsserver>
>         </system>
>         <interfaces>
>                 <lan>
>                         <if>rl1</if>
>                         <ipaddr>192.168.222.1</ipaddr>
>                         <subnet>24</subnet>
>                 </lan>
>                 <wan>
>                         <if>xl0</if>
>                         <mtu/>
>                         <blockpriv/>
>                         <ipaddr>AA.43.155.45</ipaddr>
>                         <subnet>28</subnet>
>                         <gateway>AA.43.155.33</gateway>
>                         <spoofmac/>
>                 </wan>
>                 <opt1>
>                         <if>rl0</if>
>                         <descr>DMZ</descr>
>                         <ipaddr>192.168.2.1</ipaddr>
>                         <subnet>24</subnet>
>                         <bridge/>
>                         <enable/>
>                 </opt1>
>         </interfaces>
>         <staticroutes/>
>         <pppoe/>
>         <pptp/>
>         <bigpond/>
>         <dyndns>
>                 <type>dyndns</type>
>                 <username/>
>                 <password/>
>                 <host/>
>                 <mx/>
>         </dyndns>
>         <dhcpd>
>                 <lan>
>                         <range>
>                                 <from>192.168.1.100</from>
>                                 <to>192.168.1.199</to>
>                         </range>
>                 </lan>
>         </dhcpd>
>         <pptpd>
>                 <mode/>
>                 <redir/>
>                 <localip/>
>                 <remoteip/>
>         </pptpd>
>         <dnsmasq>
>                 <enable/>
>         </dnsmasq>
>         <snmpd>
>                 <syslocation/>
>                 <syscontact/>
>                 <rocommunity>public</rocommunity>
>         </snmpd>
>         <diag>
>                 <ipv6nat>
>                         <ipaddr/>
>                 </ipv6nat>
>         </diag>
>         <bridge/>
>         <syslog>
>                 <reverse/>
>                 <nentries>50</nentries>
>                 <remoteserver/>
>         </syslog>
>         <nat>
>                 <onetoone>
>                         <external>AA.43.155.34</external>
>                         <internal>192.168.222.4</internal>
>                         <subnet>32</subnet>
>                         <descr>P0030 Web Server</descr>
>                         <interface>wan</interface>
>                 </onetoone>
>                 <onetoone>
>                         <external>AA.43.155.36</external>
>                         <internal>192.168.222.6</internal>
>                         <subnet>32</subnet>
>                         <descr>P0030 Web Server</descr>
>                         <interface>wan</interface>
>                 </onetoone>
>                 <onetoone>
>                         <external>AA.43.155.38</external>
>                         <internal>192.168.222.8</internal>
>                         <subnet>32</subnet>
>                         <descr>edi.p-a-link.com</descr>
>                         <interface>wan</interface>
>                 </onetoone>
>                 <onetoone>
>                         <external>AA.43.155.39</external>
>                         <internal>192.168.222.9</internal>
>                         <subnet>32</subnet>
>                         <descr>edi.p-a-link.com</descr>
>                         <interface>wan</interface>
>                 </onetoone>
>                 <onetoone>
>                         <external>AA.43.155.46</external>
>                         <internal>192.168.222.18</internal>
>                         <subnet>32</subnet>
>                         <descr>Mail Server</descr>
>                         <interface>wan</interface>
>                 </onetoone>
>         </nat>
>         <filter>
>                 <rule>
>                         <type>pass</type>
>                         <interface>wan</interface>
>                         <protocol>tcp</protocol>
>                         <source>
>                                 <any/>
>                         </source>
>                         <destination>
>                                 <address>192.168.222.4</address>
>                                 <port>80</port>
>                         </destination>
>                         <descr>P0030 Webserver</descr>
>                 </rule>
>                 <rule>
>                         <type>pass</type>
>                         <interface>wan</interface>
>                         <protocol>tcp</protocol>
>                         <source>
>                                 <any/>
>                         </source>
>                         <destination>
>                                 <address>192.168.222.4</address>
>                                 <port>443</port>
>                         </destination>
>                         <descr>P0030 Webserver</descr>
>                 </rule>
>                 <rule>
>                         <type>pass</type>
>                         <interface>wan</interface>
>                         <protocol>tcp</protocol>
>                         <source>
>                                 <any/>
>                         </source>
>                         <destination>
>                                 <address>192.168.222.6</address>
>                                 <port>80</port>
>                         </destination>
>                         <descr>P0030 Webserver</descr>
>                 </rule>
>                 <rule>
>                         <type>pass</type>
>                         <interface>wan</interface>
>                         <protocol>tcp</protocol>
>                         <source>
>                                 <any/>
>                         </source>
>                         <destination>
>                                 <address>192.168.222.6</address>
>                                 <port>443</port>
>                         </destination>
>                         <descr>P0030 Webserver HTTPS</descr>
>                 </rule>
>                 <rule>
>                         <type>pass</type>
>                         <interface>wan</interface>
>                         <protocol>tcp</protocol>
>                         <source>
>                                 <any/>
>                         </source>
>                         <destination>
>                                 <address>192.168.222.8</address>
>                                 <port>80</port>
>                         </destination>
>                         <descr>edi.p-a-link.com</descr>
>                 </rule>
>                 <rule>
>                         <type>pass</type>
>                         <interface>wan</interface>
>                         <protocol>tcp</protocol>
>                         <source>
>                                 <any/>
>                         </source>
>                         <destination>
>                                 <address>192.168.222.8</address>
>                                 <port>443</port>
>                         </destination>
>                         <descr>edi.p-a-link.com HTTPS</descr>
>                 </rule>
>                 <rule>
>                         <type>pass</type>
>                         <interface>wan</interface>
>                         <protocol>tcp</protocol>
>                         <source>
>                                 <any/>
>                         </source>
>                         <destination>
>                                 <address>192.168.222.9</address>
>                                 <port>80</port>
>                         </destination>
>                         <descr>edi2.p-a-link.com</descr>
>                 </rule>
>                 <rule>
>                         <type>pass</type>
>                         <interface>wan</interface>
>                         <protocol>tcp</protocol>
>                         <source>
>                                 <any/>
>                         </source>
>                         <destination>
>                                 <address>192.168.222.9</address>
>                                 <port>443</port>
>                         </destination>
>                         <descr>edi2.p-a-link.com HTTPS</descr>
>                 </rule>
>                 <rule>
>                         <type>pass</type>
>                         <interface>wan</interface>
>                         <protocol>tcp</protocol>
>                         <source>
>                                 <any/>
>                         </source>
>                         <destination>
>                                 <address>192.168.222.18</address>
>                                 <port>25</port>
>                         </destination>
>                         <descr>Mail Server</descr>
>                 </rule>
>                 <rule>
>                         <type>pass</type>
>                         <interface>wan</interface>
>                         <protocol>tcp</protocol>
>                         <source>
>                                 <any/>
>                         </source>
>                         <destination>
>                                 <address>192.168.222.18</address>
>                                 <port>110</port>
>                         </destination>
>                         <descr>Mail Server</descr>
>                 </rule>
>                 <rule>
>                         <type>pass</type>
>                         <interface>wan</interface>
>                         <protocol>tcp</protocol>
>                         <source>
>                                 <any/>
>                         </source>
>                         <destination>
>                                 <address>192.168.222.18</address>
>                                 <port>32000</port>
>                         </destination>
>                         <descr>Mail Server</descr>
>                 </rule>
>                 <rule>
>                         <type>pass</type>
>                         <descr>Default LAN -&gt; any</descr>
>                         <interface>lan</interface>
>                         <source>
>                                 <network>lan</network>
>                         </source>
>                         <destination>
>                                 <any/>
>                         </destination>
>                 </rule>
>         </filter>
>         <shaper/>
>         <ipsec/>
>         <aliases/>
>         <proxyarp>
>         </proxyarp>
>         <wol/>
> </m0n0wall>
> 
> Thanks,
> - Don
> 
> 
> On Mon, 28 Mar 2005 10:54:07 -0500, Chris Buechler <cbuechler at gmail dot com> wrote:
> > On Mon, 28 Mar 2005 10:08:02 -0500, Don Munyak <don dot munyak at gmail dot com> wrote:
> > > All of a sudden we lost the ability for inbound traffic to webserver.
> > > m0n0wall 1.1 running on a PC workstation
> > > webserver traffic setup using NAT 1:1
> > > Rules allow only http/https
> > >
> > > This was running fine Saturday night.
> > >
> > > I setup as a test to ping the dedicated m0n0wall WAN IP with ICMP
> > > I can ping the WAN IP.
> > >
> > > I allowed ICMP for one of the webserver IPs
> > > ICMP times out
> > >
> > > For an IP I am using NAT 1:1 for a webserver, when I PING that
> > > interface, ICMP times out and m0n0wall does not report a firewall rule
> > > log.
> > >
> > > From a console session into the border router, trying to PING a
> > > webserver IP that I am allowing in the rules, the console ping times
> > > out.
> > >
> > > From a console session into the border router, trying to PING a
> > > webserver IP that I am NOT allowing in the rules, the console ping
> > > times out AND m0n0wall does not report a firewall rule in the log file.
> > >
> > > It's like, now that there are employees in the building, NAT 1:1
> > > stopped working.
> > > The m0n0wall doesn't appear to be translating the additional IPs any more.
> > > There is also now a lot of traffic showing up in the log for the
> > > m0n0wall WAN IP.
> > >
> >
> > If I understand correctly, you can't ping from m0n0wall to the DMZ
> > servers, and can't ping from the DMZ servers to the OPT interface.
> > Sounds like you've lost link between the switch with the servers and
> > m0n0wall.  Check your cabling, NIC, and link lights.
> >
> > -Chris
> >
>
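A configuration check for the failure mode this thread resolved, added here as an example and not code from m0n0wall or from anyone in the thread: it parses a config.xml laid out like the one above and lists the 1:1 NAT external addresses that sit inside the WAN subnet (so the upstream router ARPs for them directly) but have no Proxy ARP entry covering them. The <proxyarpnet>/<network>/<range> element names and the TEST-NET-2 sample addresses are assumptions, not taken from the thread.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample mirroring the thread's config, with TEST-NET-2 in place of
# the scrubbed "AA." addresses. Both 1:1 externals lie inside the WAN /28, so the
# router at .33 ARPs for them; only .34 has a Proxy ARP entry here, .46 does not.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<m0n0wall>
  <interfaces>
    <wan><if>xl0</if><ipaddr>198.51.100.45</ipaddr><subnet>28</subnet>
         <gateway>198.51.100.33</gateway></wan>
  </interfaces>
  <nat>
    <onetoone><external>198.51.100.34</external><internal>192.168.222.4</internal>
              <subnet>32</subnet><interface>wan</interface></onetoone>
    <onetoone><external>198.51.100.46</external><internal>192.168.222.18</internal>
              <subnet>32</subnet><interface>wan</interface></onetoone>
  </nat>
  <proxyarp>
    <proxyarpnet><interface>wan</interface><network>198.51.100.34/32</network></proxyarpnet>
  </proxyarp>
</m0n0wall>
"""


def proxyarp_networks(root):
    """Address blocks Proxy ARP answers for. The <proxyarpnet>, <network> and
    <range><from>/<to> element names are assumed, not shown in the thread."""
    nets = []
    for ent in root.iterfind("./proxyarp/proxyarpnet"):
        if ent.findtext("network"):
            nets.append(ipaddress.ip_network(ent.findtext("network"), strict=False))
        elif ent.find("range") is not None:
            lo = ipaddress.ip_address(ent.findtext("range/from"))
            hi = ipaddress.ip_address(ent.findtext("range/to"))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
    return nets


def missing_proxyarp(config_xml):
    """1:1 NAT externals that are on the WAN link but have no Proxy ARP entry."""
    root = ET.fromstring(config_xml)
    wan = root.find("./interfaces/wan")
    wan_net = ipaddress.ip_interface(
        f"{wan.findtext('ipaddr')}/{wan.findtext('subnet')}").network
    covered = proxyarp_networks(root)
    missing = []
    for m in root.iterfind("./nat/onetoone"):
        ext = ipaddress.ip_network(f"{m.findtext('external')}/{m.findtext('subnet')}")
        # Only on-link externals need the firewall to answer ARP for them; a block
        # the ISP routes to the WAN IP arrives without any ARP lookup at all.
        if ext.subnet_of(wan_net) and not any(ext.subnet_of(c) for c in covered):
            missing.append(str(ext.network_address))
    return missing
```

Run against the sample it reports 198.51.100.46, the mapping that would stay silent in the firewall log exactly as described in the thread, because the packets never reach m0n0wall.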