As a follow-up. The problem was solved by Chris. I needed to turn on ProxyARP.

Thanks Chris
- Don

On Mon, 28 Mar 2005 11:41:28 -0500, Don Munyak <don dot munyak at gmail dot com> wrote:
> -- follow up
>
> I will start over, just in case my first thread is unclear.
> I had to put the old router/firewall back inline until I can figure this out.
>
> This weekend (Saturday) I changed out the old router/firewall and
> installed a new router and m0n0wall. The new router is basically the
> same hardware and IOS, just stripped down.
>
> The router was set up to do nothing but route packets. No ACLs.
> m0n0wall ver 1.11 is installed on a PC running from hard drive.
> m0n0wall was initially set up with three interfaces.
> I am not using the <opt1> DMZ network yet. Until I move the servers
> over to DMZ, they are currently on the LAN network. So our network
> currently looks like this:
>
> internet--router--monowall--LAN--
>
> m0n0wall is using NAT 1:1 server mappings for webservers AND being
> used as a NAT/PAT gateway for internal employees' access to the internet.
> Internet access from LAN client workstations is working fine. Inbound
> access to webservers has stopped. Inbound translations seem to have
> stopped working properly.
>
> I do not have any m0n0wall configuration for the following:
> - Static Mapping
> - Firewall:NAT Inbound
> - Firewall:NAT ServerNAT
> - Firewall:NAT Outbound
> - ProxyARP
>
> Only NAT 1:1 and Firewall Rules.
>
> No other services like Traffic Shaper, Dynamic DNS, SNMP, Captive
> Portal are enabled.
>
> Everything was working Saturday night before I left. Everything being:
> I could gain access outbound, and inbound traffic to webservers was
> also working.
>
> A copy of the config.xml is below.
>
>
> >> Steps I took to troubleshoot this morning.
>
> From a laptop separate from the LAN, I made an ISP connection using a
> dialup account. Since there are no ACLs on the router, I can ping the
> router serial and ethernet ports. I cannot access the websites we
> host.
>
> Before enabling ICMP, when I ping the m0n0wall WAN interface, this
> gets logged to the firewall log. When I ping a NAT 1:1 server mapping,
> nothing gets written to the firewall log. No access to servers.
>
> From a computer on the LAN, I can get internet connectivity (gmail, etc...)
> From a computer on the LAN, I cannot get to any of our websites (this
> did work Saturday)
>
> From a router console session I can ping the router ethernet and serial ports.
>
> As a test I enabled a firewall rule ICMP for the m0n0wall WAN interface
> and one (1) NAT 1:1 server mapping AA.43.155.34 ->> 192.168.222.4
>
> From the laptop with the ISP connection, I can PING the m0n0wall WAN interface.
> From the laptop with the ISP connection, I cannot PING the server
> mapping... request timed out. AND nothing gets written to the firewall
> log.
>
> Additionally, I shut down and restarted both the router and m0n0wall... no success.
> I have called our service provider to inquire about any DNS issues.
> None are reported. It appears to be a m0n0wall issue, since putting
> the old router/firewall back in-line, we have had no further issues.
>
> About the only strange thing I can see:
>
> Saturday night I could see all kinds of traffic being blocked directed
> at the NAT 1:1 server mapping, and relatively little being logged for
> the m0n0wall WAN public IP.
>
> Today, there is nothing being logged for the NAT server 1:1 mappings,
> and almost all the blocked traffic is for the m0n0wall WAN public IP.
>
> The only change I know of different from Saturday night is the
> introduction of outbound/inbound traffic from employees here Monday
> morning.
>
> This config does not show the ICMP rule. It is the config.xml saved
> from Saturday night.
>
> Here's a scrubbed copy of the config.xml
>
> <?xml version="1.0"?>
> <m0n0wall>
>     <version>1.4</version>
>     <system>
>         <hostname>m0n0wall</hostname>
>         <domain>pmg.local</domain>
>         <username>admin</username>
>         <password>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</password>
>         <timezone>Etc/GMT-5</timezone>
>         <time-update-interval>300</time-update-interval>
>         <timeservers>129.6.15.28</timeservers>
>         <webgui>
>             <protocol>https</protocol>
>             <port>443</port>
>             <certificate/>
>             <private-key/>
>         </webgui>
>         <disablefirmwarecheck/>
>         <dnsserver>AA.255.85.10</dnsserver>
>         <dnsserver>AA.255.85.11</dnsserver>
>     </system>
>     <interfaces>
>         <lan>
>             <if>rl1</if>
>             <ipaddr>192.168.222.1</ipaddr>
>             <subnet>24</subnet>
>         </lan>
>         <wan>
>             <if>xl0</if>
>             <mtu/>
>             <blockpriv/>
>             <ipaddr>AA.43.155.45</ipaddr>
>             <subnet>28</subnet>
>             <gateway>AA.43.155.33</gateway>
>             <spoofmac/>
>         </wan>
>         <opt1>
>             <if>rl0</if>
>             <descr>DMZ</descr>
>             <ipaddr>192.168.2.1</ipaddr>
>             <subnet>24</subnet>
>             <bridge/>
>             <enable/>
>         </opt1>
>     </interfaces>
>     <staticroutes/>
>     <pppoe/>
>     <pptp/>
>     <bigpond/>
>     <dyndns>
>         <type>dyndns</type>
>         <username/>
>         <password/>
>         <host/>
>         <mx/>
>     </dyndns>
>     <dhcpd>
>         <lan>
>             <range>
>                 <from>192.168.1.100</from>
>                 <to>192.168.1.199</to>
>             </range>
>         </lan>
>     </dhcpd>
>     <pptpd>
>         <mode/>
>         <redir/>
>         <localip/>
>         <remoteip/>
>     </pptpd>
>     <dnsmasq>
>         <enable/>
>     </dnsmasq>
>     <snmpd>
>         <syslocation/>
>         <syscontact/>
>         <rocommunity>public</rocommunity>
>     </snmpd>
>     <diag>
>         <ipv6nat>
>             <ipaddr/>
>         </ipv6nat>
>     </diag>
>     <bridge/>
>     <syslog>
>         <reverse/>
>         <nentries>50</nentries>
>         <remoteserver/>
>     </syslog>
>     <nat>
>         <onetoone>
>             <external>AA.43.155.34</external>
>             <internal>192.168.222.4</internal>
>             <subnet>32</subnet>
>             <descr>P0030 Web Server</descr>
>             <interface>wan</interface>
>         </onetoone>
>         <onetoone>
>             <external>AA.43.155.36</external>
>             <internal>192.168.222.6</internal>
>             <subnet>32</subnet>
>             <descr>P0030 Web Server</descr>
>             <interface>wan</interface>
>         </onetoone>
>         <onetoone>
>             <external>AA.43.155.38</external>
>             <internal>192.168.222.8</internal>
>             <subnet>32</subnet>
>             <descr>edi.p-a-link.com</descr>
>             <interface>wan</interface>
>         </onetoone>
>         <onetoone>
>             <external>AA.43.155.39</external>
>             <internal>192.168.222.9</internal>
>             <subnet>32</subnet>
>             <descr>edi.p-a-link.com</descr>
>             <interface>wan</interface>
>         </onetoone>
>         <onetoone>
>             <external>AA.43.155.46</external>
>             <internal>192.168.222.18</internal>
>             <subnet>32</subnet>
>             <descr>Mail Server</descr>
>             <interface>wan</interface>
>         </onetoone>
>     </nat>
>     <filter>
>         <rule>
>             <type>pass</type>
>             <interface>wan</interface>
>             <protocol>tcp</protocol>
>             <source>
>                 <any/>
>             </source>
>             <destination>
>                 <address>192.168.222.4</address>
>                 <port>80</port>
>             </destination>
>             <descr>P0030 Webserver</descr>
>         </rule>
>         <rule>
>             <type>pass</type>
>             <interface>wan</interface>
>             <protocol>tcp</protocol>
>             <source>
>                 <any/>
>             </source>
>             <destination>
>                 <address>192.168.222.4</address>
>                 <port>443</port>
>             </destination>
>             <descr>P0030 Webserver</descr>
>         </rule>
>         <rule>
>             <type>pass</type>
>             <interface>wan</interface>
>             <protocol>tcp</protocol>
>             <source>
>                 <any/>
>             </source>
>             <destination>
>                 <address>192.168.222.6</address>
>                 <port>80</port>
>             </destination>
>             <descr>P0030 Webserver</descr>
>         </rule>
>         <rule>
>             <type>pass</type>
>             <interface>wan</interface>
>             <protocol>tcp</protocol>
>             <source>
>                 <any/>
>             </source>
>             <destination>
>                 <address>192.168.222.6</address>
>                 <port>443</port>
>             </destination>
>             <descr>P0030 Webserver HTTPS</descr>
>         </rule>
>         <rule>
>             <type>pass</type>
>             <interface>wan</interface>
>             <protocol>tcp</protocol>
>             <source>
>                 <any/>
>             </source>
>             <destination>
>                 <address>192.168.222.8</address>
>                 <port>80</port>
>             </destination>
>             <descr>edi.p-a-link.com</descr>
>         </rule>
>         <rule>
>             <type>pass</type>
>             <interface>wan</interface>
>             <protocol>tcp</protocol>
>             <source>
>                 <any/>
>             </source>
>             <destination>
>                 <address>192.168.222.8</address>
>                 <port>443</port>
>             </destination>
>             <descr>edi.p-a-link.com HTTPS</descr>
>         </rule>
>         <rule>
>             <type>pass</type>
>             <interface>wan</interface>
>             <protocol>tcp</protocol>
>             <source>
>                 <any/>
>             </source>
>             <destination>
>                 <address>192.168.222.9</address>
>                 <port>80</port>
>             </destination>
>             <descr>edi2.p-a-link.com</descr>
>         </rule>
>         <rule>
>             <type>pass</type>
>             <interface>wan</interface>
>             <protocol>tcp</protocol>
>             <source>
>                 <any/>
>             </source>
>             <destination>
>                 <address>192.168.222.9</address>
>                 <port>443</port>
>             </destination>
>             <descr>edi2.p-a-link.com HTTPS</descr>
>         </rule>
>         <rule>
>             <type>pass</type>
>             <interface>wan</interface>
>             <protocol>tcp</protocol>
>             <source>
>                 <any/>
>             </source>
>             <destination>
>                 <address>192.168.222.18</address>
>                 <port>25</port>
>             </destination>
>             <descr>Mail Server</descr>
>         </rule>
>         <rule>
>             <type>pass</type>
>             <interface>wan</interface>
>             <protocol>tcp</protocol>
>             <source>
>                 <any/>
>             </source>
>             <destination>
>                 <address>192.168.222.18</address>
>                 <port>110</port>
>             </destination>
>             <descr>Mail Server</descr>
>         </rule>
>         <rule>
>             <type>pass</type>
>             <interface>wan</interface>
>             <protocol>tcp</protocol>
>             <source>
>                 <any/>
>             </source>
>             <destination>
>                 <address>192.168.222.18</address>
>                 <port>32000</port>
>             </destination>
>             <descr>Mail Server</descr>
>         </rule>
>         <rule>
>             <type>pass</type>
>             <descr>Default LAN -> any</descr>
>             <interface>lan</interface>
>             <source>
>                 <network>lan</network>
>             </source>
>             <destination>
>                 <any/>
>             </destination>
>         </rule>
>     </filter>
>     <shaper/>
>     <ipsec/>
>     <aliases/>
>     <proxyarp>
>     </proxyarp>
>     <wol/>
> </m0n0wall>
>
> Thanks,
> - Don
>
>
> On Mon, 28 Mar 2005 10:54:07 -0500, Chris Buechler <cbuechler at gmail dot com> wrote:
> > On Mon, 28 Mar 2005 10:08:02 -0500, Don Munyak <don dot munyak at gmail dot com> wrote:
> > > All of a sudden we lost the ability for inbound traffic to webserver.
> > > m0n0wall 1.1 running on PC workstation
> > > webserver traffic set up using NAT 1:1
> > > Rules allow only http/https
> > >
> > > This was running fine Saturday night.
> > >
> > > I set up as a test to ping the dedicated m0n0wall WAN IP with ICMP
> > > I can ping the WAN IP.
> > >
> > > I allowed ICMP for one of the webserver IPs
> > > ICMP times out
> > >
> > > For an IP I am using NAT 1:1 for a webserver, when I PING that
> > > interface, ICMP times out and monowall does not report a firewall rule
> > > log.
> > >
> > > From a console session into the border router, trying to PING a
> > > webserver IP that I am allowing in the rules, the console ping times
> > > out.
> > >
> > > From a console session into the border router, trying to PING a
> > > webserver IP that I am NOT allowing in the rules, the console ping
> > > times out AND m0n0wall does not report a firewall rule in the log file
> > >
> > > It's like, now that there are employees in the building, NAT 1:1
> > > stopped working.
> > > The m0n0wall doesn't appear to be translating the additional IPs any more.
> > > There is also now a lot of traffic showing up in the log for the
> > > monowall WAN IP.
> > >
> >
> > If I understand correctly, you can't ping from m0n0wall to the DMZ
> > servers, and can't ping from the DMZ servers to the OPT interface.
> > Sounds like you've lost link between the switch with the servers and
> > m0n0wall. Check your cabling, NIC, and link lights.
> >
> > -Chris
> >
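The resolution in the thread (turning on ProxyARP) follows from the posted config: the WAN interface is AA.43.155.45/28, so every 1:1 NAT external address (.34, .36, .38, .39, .46) sits in the same /28 as the upstream router, which therefore resolves them by ARP rather than routing them to the firewall. m0n0wall only answers ARP for its own interface addresses, and the posted `<proxyarp>` element is empty, so the router's ARP requests for the mapped addresses go unanswered and the packets never reach the firewall, which is exactly why the pings timed out with nothing in the firewall log. The script below is an added diagnostic written for this thread, not m0n0wall's own code or anything Don or Chris posted: it parses a config.xml, finds 1:1 NAT externals that lie inside the WAN subnet, and reports any that no proxy ARP entry covers. It assumes the `<interfaces><wan>` and `<nat><onetoone>` layout shown above; the `<proxyarp><proxyarpnet>` layout (a `<network>` in CIDR form or a `<range>` with `<from>`/`<to>`) is from memory of m0n0wall 1.x and is an assumption. The embedded sample config is constructed, with 203.0.113.0/24 standing in for the scrubbed AA.43.155.x block and one extra, off-subnet routed address (198.51.100.7) added to show that only on-subnet externals need proxy ARP.

```python
"""Lint a m0n0wall 1.x config.xml for 1:1 NAT externals that need proxy ARP.

Added diagnostic for this thread, not m0n0wall code. Assumptions: the
<interfaces><wan> and <nat><onetoone> layout from the posted config, and a
<proxyarp><proxyarpnet> layout with either <network>a.b.c.d/n</network> or
<range><from/><to/></range> (recalled from m0n0wall 1.x; treat as an assumption).
"""
import ipaddress
import xml.etree.ElementTree as ET


def wan_network(root):
    """The WAN subnet: addresses here are resolved by the upstream router via ARP."""
    wan = root.find("./interfaces/wan")
    return ipaddress.ip_network(
        f"{wan.findtext('ipaddr')}/{wan.findtext('subnet')}", strict=False)


def wan_address(root):
    """m0n0wall answers ARP for this address natively; it needs no proxy ARP."""
    return ipaddress.ip_address(root.findtext("./interfaces/wan/ipaddr"))


def onetoone_externals(root):
    """(external network, description) for every 1:1 NAT mapping."""
    out = []
    for m in root.findall("./nat/onetoone"):
        net = ipaddress.ip_network(
            f"{m.findtext('external')}/{m.findtext('subnet') or 32}", strict=False)
        out.append((net, m.findtext("descr") or ""))
    return out


def proxyarp_covered(root):
    """Set of addresses the proxy ARP entries would make m0n0wall answer for."""
    covered = set()
    for e in root.findall("./proxyarp/proxyarpnet"):
        net = e.findtext("network")
        if net:
            covered.update(ipaddress.ip_network(net, strict=False))
            continue
        lo, hi = e.findtext("range/from"), e.findtext("range/to")
        if lo and hi:
            for n in ipaddress.summarize_address_range(
                    ipaddress.ip_address(lo), ipaddress.ip_address(hi)):
                covered.update(n)
    return covered


def missing_proxyarp(xml_text):
    """1:1 NAT externals inside the WAN subnet that no proxy ARP entry covers."""
    root = ET.fromstring(xml_text)
    wan_net, own, covered = wan_network(root), wan_address(root), proxyarp_covered(root)
    problems = []
    for ext_net, descr in onetoone_externals(root):
        for addr in ext_net:
            # Own address: answered natively. Off-subnet: the router routes it to
            # m0n0wall instead of ARPing for it, so proxy ARP is not involved.
            if addr == own or addr not in wan_net:
                continue
            if addr not in covered:
                problems.append((str(addr), descr))
    return problems


def sample_config(proxyarp_xml):
    """Constructed sample modelled on the thread's config (TEST-NET addresses)."""
    return f"""<?xml version="1.0"?>
<m0n0wall>
 <interfaces>
  <lan><if>rl1</if><ipaddr>192.168.222.1</ipaddr><subnet>24</subnet></lan>
  <wan><if>xl0</if><ipaddr>203.0.113.45</ipaddr><subnet>28</subnet><gateway>203.0.113.33</gateway></wan>
 </interfaces>
 <nat>
  <onetoone><external>203.0.113.34</external><internal>192.168.222.4</internal><subnet>32</subnet><descr>P0030 Web Server</descr><interface>wan</interface></onetoone>
  <onetoone><external>203.0.113.36</external><internal>192.168.222.6</internal><subnet>32</subnet><descr>P0030 Web Server</descr><interface>wan</interface></onetoone>
  <onetoone><external>203.0.113.38</external><internal>192.168.222.8</internal><subnet>32</subnet><descr>edi.p-a-link.com</descr><interface>wan</interface></onetoone>
  <onetoone><external>203.0.113.39</external><internal>192.168.222.9</internal><subnet>32</subnet><descr>edi.p-a-link.com</descr><interface>wan</interface></onetoone>
  <onetoone><external>203.0.113.46</external><internal>192.168.222.18</internal><subnet>32</subnet><descr>Mail Server</descr><interface>wan</interface></onetoone>
  <onetoone><external>198.51.100.7</external><internal>192.168.222.20</internal><subnet>32</subnet><descr>constructed: routed block, not in WAN subnet</descr><interface>wan</interface></onetoone>
 </nat>
 <proxyarp>{proxyarp_xml}</proxyarp>
</m0n0wall>"""


# Constructed proxy ARP entries covering the five on-subnet externals above.
FIXED_PROXYARP = (
    "<proxyarpnet><interface>wan</interface><range><from>203.0.113.34</from>"
    "<to>203.0.113.39</to></range><descr>web and edi</descr></proxyarpnet>"
    "<proxyarpnet><interface>wan</interface><network>203.0.113.46/32</network>"
    "<descr>mail</descr></proxyarpnet>")


if __name__ == "__main__":
    for label, frag in (("empty <proxyarp>", ""), ("with entries", FIXED_PROXYARP)):
        print(label, "->", missing_proxyarp(sample_config(frag)) or "all covered")
```

Running it against the empty `<proxyarp>` lists the five on-subnet externals and leaves the routed 198.51.100.7 alone; with the two constructed entries it reports nothing. The same check is worth keeping near any 1:1 NAT change on a firewall whose WAN sits in a shared subnet: a mapping that silently never reaches the firewall produces no log line at all, so the absence of blocked traffic for an address, as Don observed, is itself the tell.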