Hi Eleazar,

Brief, sloppy description of ARP. Given node A and node B on the same LAN, connected either to a switch (or hub) or directly via a cross-over connector. When A needs to communicate with B, it's not enough to know IPaddr(B); A must have B's MAC address in order to transmit a packet to B. So, A does an ARP broadcast, which asks "what's the MAC address for IPaddr(B)?". The important part (for 1:1 NAT) is that the first response from *any* node is considered valid. BTW, note that this is wide-open for abuse; if someone can answer before you do, they're perfectly situated for a man-in-the-middle attack.

Generally, a node will respond for itself. However, in certain cases (such as 1:1 NAT), B isn't actually on the same LAN as A, so it won't see the ARP broadcast. Now, because any node can respond, we have the m0n0wall act as a proxy for B (so-called "proxy ARP"). So, when A does an ARP broadcast, the m0n0wall (if configured correctly) will respond with its own MAC address. This means that A will deliver the packet to the m0n0wall, which will then perform the appropriate NAT magic.

To configure proxy ARP on the m0n0wall, select "Proxy ARP" under the "Services" group. For a single address, just add an entry with the *external* IP (192.168.1.10) for which the m0n0wall should respond.

Hope this helps,
-klode

On Apr 4, 2005 8:27 AM, Eleazar Martínez <eleazar dot martinez at technosoft dot com> wrote:

> >-----Original Message-----
> >From: Claude Morin [mailto:klodefactor at gmail dot com]
> >Sent: Saturday, April 02, 2005 1:15 PM
> >To: Eleazar Martínez
> >Cc: m0n0wall at lists dot m0n0 dot ch
> >Subject: Re: [m0n0wall] NAT 1:1 problem
> >
> >I don't see anything in your description about proxy ARP; have you enabled it? The firewall has to respond with its own MAC address when the next-hop WAN device tries to communicate with one of your NATed IPs.
>
> I have not used proxy ARP and actually don't know what it should be used for. I'll investigate about it and see if that solves the problem.
>
> Thanks!
>
> >-klode
> >
> >On Apr 1, 2005 1:11 PM, Eleazar Martínez <eleazar dot martinez at technosoft dot com> wrote:
> >>
> >> I'm trying to set up my m0n0 box as follows:
> >>
> >> LAN: IP 192.168.0.1/24
> >> WAN: IP 192.168.1.1/24, GW 192.168.1.2
> >> OP1: IP 192.168.2.1/24
> >>
> >> I have a server in OP1 with the IP 192.168.2.10. I want the server to be accessible (all ports/protocols) from the WAN side at the public IP address 192.168.1.10. I add a NAT 1:1 on WAN with external 192.168.1.10 and internal 192.168.2.10. Rules for the firewall on WAN permit traffic for destination 192.168.2.10 and on the OP1 I allow all traffic. My setup doesn't seem to work...
> >>
> >> Without the addition of the OP1 interface everything works fine.
> >>
> >> On the WAN I have disabled the checkbox for "Block private networks".
> >>
> >> Do you see any problems with the above setup?
> >>
> >> Some extra fun that might be causing problems: from the WAN side there will be coming packets from 192.168.0.0/24 (thanks to a VPN router) directed to 192.168.1.10. Is this a problem because the packets will 'look' like they come from my LAN (192.168.0.0/24)? Do I have to tell it somehow to not route those packets to the LAN but send them using NAT to OP1 (a static route maybe)? And, lastly, am I just trying to do something that isn't possible with the packages that m0n0 uses internally?
> >>
> >> By the way... I don't need any connection between LAN and OP1 at all so it's ok if they cannot see each other.
> >>
> >> Thanks in advance.
> >>
> >> -Eleazar Martínez
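The ARP exchange klode describes, as an added example that is not part of the original thread or of m0n0wall's own code: the next-hop WAN device broadcasts "who has 192.168.1.10?", the firewall answers for that proxied external IP with its own MAC, and a defender-side monitor records which MAC each IP is claimed by and flags a second, conflicting answer for the same IP (the "first response wins" weakness klode points out). The MAC addresses, the `build_arp`/`parse_arp`/`proxy_arp_reply` helpers and the `ArpMonitor` class are constructed for illustration; only the IPs come from the thread.

```python
import struct

ETH_P_ARP = 0x0806           # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed sample addresses for the thread's topology (not from any real host).
FW_MAC = '00:0c:29:aa:bb:cc'     # m0n0wall WAN interface
GW_MAC = '00:0c:29:11:22:33'     # next-hop WAN device, 192.168.1.2
ROGUE_MAC = '00:de:ad:be:ef:00'  # some other node on the WAN segment
PROXIED = {'192.168.1.10'}       # the 1:1 NAT external IP from the thread

def mac_bytes(s): return bytes.fromhex(s.replace(':', ''))
def mac_str(b): return ':'.join(f'{x:02x}' for x in b)
def ip_bytes(s): return bytes(int(o) for o in s.split('.'))
def ip_str(b): return '.'.join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa):
    """Ethernet frame carrying an IPv4-over-Ethernet ARP packet (RFC 826 layout)."""
    dst = b'\xff' * 6 if op == ARP_REQUEST else mac_bytes(tha)
    eth = dst + mac_bytes(sha) + struct.pack('!H', ETH_P_ARP)
    arp = (struct.pack('!HHBBH', 1, 0x0800, 6, 4, op)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp

def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not a well-formed ARP frame."""
    if len(frame) < 42 or struct.unpack('!H', frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack('!HHBBH', frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {'op': op,
            'sha': mac_str(frame[22:28]), 'spa': ip_str(frame[28:32]),
            'tha': mac_str(frame[32:38]), 'tpa': ip_str(frame[38:42])}

def proxy_arp_reply(frame, proxied_ips, own_mac):
    """Proxy ARP as klode describes it: answer requests for the configured external
    IPs with the firewall's own MAC, so the sender delivers the packet to the firewall.
    Anything else (replies, requests for other IPs) is ignored."""
    p = parse_arp(frame)
    if p is None or p['op'] != ARP_REQUEST or p['tpa'] not in proxied_ips:
        return None
    return build_arp(ARP_REPLY, own_mac, p['tpa'], p['sha'], p['spa'])

class ArpMonitor:
    """Defender-side check for the 'first answer wins' weakness: record the MAC each
    IP is claimed by in ARP replies and flag a claim that disagrees with a known
    binding (such as the proxy ARP entry) or with the first claim seen."""
    def __init__(self, known):
        self.known = dict(known)   # IP -> MAC bindings the operator configured
        self.seen = {}             # IP -> first MAC observed claiming it
        self.alerts = []

    def observe(self, frame):
        p = parse_arp(frame)
        if p is None or p['op'] != ARP_REPLY:
            return
        ip, mac = p['spa'], p['sha']
        if ip in self.known and mac != self.known[ip]:
            self.alerts.append(f'{ip} claimed by {mac}, expected {self.known[ip]}')
        elif ip in self.seen and mac != self.seen[ip]:
            self.alerts.append(f'{ip} changed from {self.seen[ip]} to {mac}')
        self.seen.setdefault(ip, mac)

def demo():
    """Gateway asks who has 192.168.1.10; the firewall answers for it; a second,
    conflicting answer from another node is flagged. Returns (parsed reply, alerts)."""
    request = build_arp(ARP_REQUEST, GW_MAC, '192.168.1.2', '00:00:00:00:00:00', '192.168.1.10')
    reply = proxy_arp_reply(request, PROXIED, FW_MAC)
    monitor = ArpMonitor({'192.168.1.10': FW_MAC})
    monitor.observe(reply)
    # A constructed conflicting reply for the same IP, as a monitor would see it on the wire.
    conflicting = build_arp(ARP_REPLY, ROGUE_MAC, '192.168.1.10', GW_MAC, '192.168.1.2')
    monitor.observe(conflicting)
    return parse_arp(reply), monitor.alerts

if __name__ == '__main__':
    parsed, alerts = demo()
    print('proxy reply:', parsed)
    print('alerts:', alerts)
```

Running the script prints the firewall's reply (source MAC `FW_MAC`, source IP 192.168.1.10, addressed back to the gateway) and one alert for the conflicting claim. The monitor trusts a configured binding over whatever it sees first, which is exactly the information an operator has once the proxy ARP entry is in place; without that table it can only report a change from the first claim, which is why a known-bindings list is worth maintaining on segments that carry 1:1 NAT traffic.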