 From:  Eleazar Martínez <eleazar dot martinez at technosoft dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] NAT 1:1 problem
 Date:  Mon, 4 Apr 2005 14:02:57 -0500
Thank you all for your answers. 
I think I finally figured out what's happening but don't know if it can be
considered a bug... I think it isn't a bug but I'm not sure.

This is what is happening.

LAN network is
WAN network is
OPT1 network

Opt1 needs to talk to a VPN using the same gateway that WAN is using. The
VPN network is (same as LAN for m0n0wall). No matter what I
do m0n0wall routes all traffic to the LAN interface
regardless of any static route I try to setup to make any/all packets from
the OPT1 interface to be sent on WAN using its gateway. The logs in m0n0wall
always show all packets from OPT1 going to as sent using LAN
and, I guess, without the 1:1 or any other nat I try to setup.

I don't know if there's a way around it to really force all packets from
OPT1 to be sent using the WAN instead of the LAN. If there's any way to do it
I'd like to know it, even if it's using a hack or something unsupported. If
there isn't, I'll have to change all my LAN to use a different network... I
want to avoid that because all the LAN uses static addresses and updating
the printers' addresses on all computers isn't going to be fun.


>-----Original Message-----
>From: Claude Morin [mailto:klodefactor at gmail dot com] 
>Sent: Monday, April 04, 2005 12:38 PM

>Cc: m0n0wall at lists dot m0n0 dot ch
>Subject: Re: [m0n0wall] NAT 1:1 problem
>Hi Eleazar,
>
>Brief, sloppy description of ARP. Given node A and node B on the same LAN,
>connected either to a switch (or hub) or directly via a cross-over
>connector. When A needs to communicate with B, it's not enough to know
>IPaddr(B); A must have B's MAC address in order to transmit a packet to B.
>So, A does an ARP broadcast, which asks "what's the MAC address for
>IPaddr(B)?". The important part (for 1:1 NAT) is that the first response
>from *any* node is considered valid. BTW, note that this is wide-open for
>abuse; if someone can answer before you do, they're perfectly situated for a
>man-in-the-middle attack.
>
>Generally, a node will respond for itself. However, in certain cases (such
>as 1:1 NAT), B isn't actually on the same LAN as A, so it won't see the ARP
>broadcast. Now, because any node can respond, we have the m0n0wall act as a
>proxy for B (so-called "proxy ARP"). So, when A does an ARP broadcast, the
>m0n0wall (if configured correctly) will respond with its own MAC address.
>This means that A will deliver the packet to the m0n0wall, which will then
>perform the appropriate NAT magic.
>
>To configure proxy ARP on the m0n0wall, select "Proxy ARP" under the
>"Services" group. For a single address, just add an entry with the
>*external* IP ( <>) for which the m0n0wall should respond.
>
>Hope this helps,

><eleazar dot martinez at technosoft dot com> 
>> >-----Original Message-----
>> >From: Claude Morin [mailto:klodefactor at gmail dot com ]
>> >Sent: Saturday, April 02, 2005 1:15 PM

>> >Cc: m0n0wall at lists dot m0n0 dot ch 
>> >Subject: Re: [m0n0wall] NAT 1:1 problem
>> >
>> >I don't see anything in your description about proxy ARP; have
>> >you enabled
>> >it? The firewall has to respond with its own MAC address when
>> >the next-hop
>> >WAN device tries to communicate with one of your NATed IPs.
>> I have not used proxy ARP and actually don't know what it 
>should be used
>> for. I'll investigate about it and see if that solves the problem.
>> Thanks!
>> >-klode
>> >

>> ><eleazar dot martinez at technosoft dot com >
>> >wrote:
>> >>
>> >>
>> >> I'm trying to setup my m0n0 box as follows:
>> >>
>> >> LAN: IP <> 
>< >
>> >> WAN: IP <> 
>< > 
>> GW
>> > <> < >
>> >> OP1: IP <> 
>< >
>> >>
>> >> I have a server in OP1 with the IP 
>> >< > . I
>> >> want the server to be
>> >> accessible (all ports/protocols) from the WAN side at the 
>public ip
>> >> address
>> >> <> < > 
>. I add a NAT 
>> 1:1 on WAN
>> >with external
>> >> <> < > 
>and internal
>> >> <> < > 
>. Rules for 
>> the firewall
>> >on WAN permit
>> >> traffic for destination
>> >> <> < > 
>and on the 
>> OP1 I allow
>> >all traffic. My
>> >> setup doesn't seem to
>> >> work...
>> >>
>> >> Without the addition of the OP1 interface everything works fine.
>> >>
>> >> On the WAN I have disabled the checkbox for "Block 
>private networks".
>> >>
>> >> Do you see any problems with the above setup?
>> >>
>> >> Some extra fun that might be causing problems: from the WAN
>> >side there
>> >> will
>> >> be coming packets from <> 
>> >< > (thanks to a
>> >> vpn router) directed to
>> >> <> < > 
>. Is this a 
>> problem
>> >because the packets
>> >> will 'look' like they
>> >> come from my LAN ( <> <
>> > )?
>> >Do I have to
>> >> tell it somehow to not route
>> >> those packets to the LAN but send them using NAT to OP1 (a
>> >static route
>> >> maybe)? And, lastly, am I just trying to do something that
>> >isn't possible
>> >> with the packages that m0n0 uses internally?
>> >>
>> >> By the way... I don't need any connection between LAN and
>> >OP1 at all so
>> >> it's
>> >> ok if they cannot see each other.
>> >>
>> >> Thanks in advance.
>> >>
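Claude Morin's description above makes two points that matter to anyone watching a segment: ARP takes the first reply from any node, and proxy ARP deliberately exploits that so the firewall answers for the NATed external addresses with its own MAC. The script below is an added example (not code from the thread or from m0n0wall) showing the defender-side consequence: a monitor that tracks which MAC answers for each IP will flag a second claimant, and it has to treat the firewall's proxy ARP entries as the expected answerer for the 1:1 NAT external IPs or it will alert on normal traffic. The log format, interface names, IP addresses (RFC 5737 documentation ranges) and MAC addresses (RFC 7042 documentation prefix) are all constructed for the example.

```python
"""Flag IPs answered by more than one MAC, aware of legitimate proxy ARP.

Added example for the m0n0wall proxy ARP discussion; the log format below
('reply <ip> is-at <mac> on <iface>') is a constructed, arpwatch-like format,
not the output of any real tool.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ip: str
    mac: str
    iface: str


def parse_arp_log(lines):
    """Extract ARP reply records; requests and malformed lines are skipped."""
    replies = []
    for line in lines:
        parts = line.split()
        if (len(parts) != 6 or parts[0] != "reply"
                or parts[2] != "is-at" or parts[4] != "on"):
            continue
        replies.append(ArpReply(ip=parts[1], mac=parts[3].lower(), iface=parts[5]))
    return replies


def find_conflicts(replies, proxy_arp_ips, firewall_mac):
    """Return {ip: sorted MAC list} for every IP claimed by more than one MAC.

    proxy_arp_ips: the external IPs the firewall is configured to answer for
    (the "Proxy ARP" entries). The firewall's MAC is seeded as the expected
    claimant for those, so its own replies never alert, while a reply for a
    proxied IP from any other MAC does.
    """
    firewall_mac = firewall_mac.lower()
    claimants = defaultdict(set)
    for ip in proxy_arp_ips:
        claimants[ip].add(firewall_mac)   # expected answerer for 1:1 NAT IPs
    for r in replies:
        claimants[r.ip].add(r.mac)
    return {ip: sorted(macs) for ip, macs in claimants.items() if len(macs) > 1}


# Constructed sample: a firewall doing proxy ARP for 192.0.2.10 on WAN,
# the upstream gateway 192.0.2.1, and the NATed server on OPT1.
FIREWALL_WAN_MAC = "00:00:5e:00:53:01"
PROXY_ARP_IPS = {"192.0.2.10"}
SAMPLE_LOG = [
    "reply 192.0.2.10 is-at 00:00:5e:00:53:01 on wan",    # firewall answering for the external IP (expected)
    "reply 192.0.2.1 is-at 00:00:5e:00:53:aa on wan",     # upstream gateway
    "reply 198.51.100.7 is-at 00:00:5e:00:53:07 on opt1", # server behind the 1:1 NAT
    "reply 192.0.2.1 is-at 00:00:5e:00:53:bb on wan",     # second MAC claiming the gateway: conflict
    "request who-has 192.0.2.10 tell 192.0.2.1",          # not a reply, ignored by the parser
    "reply 192.0.2.10 is-at 00:00:5e:00:53:cc on wan",    # non-firewall MAC answering for a proxied IP: conflict
]


def check_sample():
    """Run the monitor over the constructed log and return the conflicts."""
    return find_conflicts(parse_arp_log(SAMPLE_LOG), PROXY_ARP_IPS, FIREWALL_WAN_MAC)


if __name__ == "__main__":
    for ip, macs in sorted(check_sample().items()):
        print(f"conflict: {ip} answered by {', '.join(macs)}")
```

Running it reports two conflicts: the gateway address answered by two MACs, and the proxied external IP answered by a MAC other than the firewall's. The firewall's own reply for 192.0.2.10, which a naive IP-to-MAC tracker would also treat as an anomaly the first time it saw it, is silent because the proxy ARP entry declares it expected.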