Hi,

I have used m0n0wall 1.2b8 as a home router/firewall for some months now and it rocks - thanks to all who have put the time and effort into this great package! Now I'm trying to use m0n0wall (v. 1.2b9) in a slightly more complex network environment and I'm having some trouble. Here's what I have:

WAN: Connected directly to a public network and assigned a static IP address, 216.150.xxx.xxx/25. DNS servers are on the LAN side, not WAN.

LAN: Connected to my primary private network and assigned a static IP address, 10.1.1.27/24. My DNS servers are on the LAN side serving out private addresses needed to access various servers, etc., which must be available network-wide. The private LAN has a separate router and firewall.

OPT1: A wireless network that I want to remain largely discrete. OPT1 is configured with 192.168.1.x/24 addresses. m0n0wall is acting as a DHCP server for clients on the OPT1 interface and DNS forwarding is enabled.

                WAN 216.150.xxx.xxx/25
                         |
                         |
                         |
    m0n0wall - - - - - - private LAN = 10.1.1.27/24 - - - - - private DNS & other servers 10.1.1.xxx/24
                         |
                         |
                         |
            OPT1 (wireless network) 192.168.1.1/24

I have two static routes configured:

    INT   DEST             GATEWAY
    LAN   10.1.1.0/24      10.1.1.1 (default gateway for the private network)
    LAN   192.168.1.0/25   192.168.1.1 (static IP of OPT1 interface)

Traffic to the private LAN interface must appear as a 10.1.x IP, so I do not want all outbound traffic NATed to the WAN interface. I have enabled Advanced Outbound NAT and set up two rules:

    INT   SOURCE           DEST            TARGET
    WAN   192.168.1.0/24   10.1.1.0/24     10.1.1.27 (private LAN IP address)
    WAN   192.168.1.0/25   ! 10.1.1.0/25   216.150.xxx.xxx (public WAN IP address)

No Proxy ARP rules are in place.

I suspect the static routes and outbound NAT entries are wrong. I can ping hosts on any interface from the m0n0wall console, no problem. I can also connect to WAN servers from OPT1 clients, which is great. However, I cannot connect to LAN servers from OPT1 clients, which is crucial.

This is what I need help with: looking at the "ipnat -lv" output on the status.php page, I can see that the MAP/Redirect filters look like they should be working, BUT all the active sessions from the OPT1 interface have NAT mappings from 216.150.xxx.xxx, even when they should be going to the LAN. How can I change this so that traffic from OPT1 to LAN has a 10.1.1.x IP and is directed to the correct interface?

I have spent about a day reading the m0n0wall documentation and list archives and trying various combinations, but I can't get past this. I'm stumped. Can anyone give me any suggestions?

Thanks in advance,
Kurt
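As an added example (not part of the post above and not m0n0wall's own code), the following script models the three interfaces, the two static routes and the two Advanced Outbound NAT rules exactly as listed in the post, then traces which interface a packet leaves by and which map rule, if any, rewrites its source. It assumes ipnat semantics: a map rule is only consulted for packets leaving the interface it is bound to, rules are tried in order and the first match wins, and the egress interface is chosen by longest-prefix match over connected subnets and static routes with WAN as the default. The public address 203.0.113.10/25 (TEST-NET-3) is a placeholder for the redacted 216.150.xxx.xxx, and the hosts 10.1.1.5 and 198.51.100.7 are constructed sample destinations.

```python
"""Model of the interface, static-route and outbound-NAT configuration quoted in the post.

Assumptions (not from the post): the public address is a placeholder for the redacted
216.150.xxx.xxx, and ipnat 'map' rules are evaluated first-match against packets
leaving the interface the rule is bound to.
"""
import ipaddress
from dataclasses import dataclass

IPv4Address = ipaddress.IPv4Address
IPv4Network = ipaddress.IPv4Network

# Placeholder (TEST-NET-3) standing in for the redacted public address and /25 subnet.
WAN_IP = IPv4Address("203.0.113.10")
WAN_NET = IPv4Network("203.0.113.0/25")


@dataclass(frozen=True)
class Iface:
    name: str
    network: IPv4Network      # directly connected subnet
    address: IPv4Address      # m0n0wall's own address on that subnet


@dataclass(frozen=True)
class Route:
    dest: IPv4Network
    gateway: IPv4Address


@dataclass(frozen=True)
class NatRule:
    iface: str                # interface the packet must be leaving through
    src: IPv4Network
    dst: IPv4Network
    dst_negate: bool          # True models the "!" prefix on the DEST column
    target: IPv4Address


# Interfaces as described in the post.
IFACES = (
    Iface("WAN", WAN_NET, WAN_IP),
    Iface("LAN", IPv4Network("10.1.1.0/24"), IPv4Address("10.1.1.27")),
    Iface("OPT1", IPv4Network("192.168.1.0/24"), IPv4Address("192.168.1.1")),
)

# The two static routes from the post's INT/DEST/GATEWAY table.
STATIC_ROUTES = (
    Route(IPv4Network("10.1.1.0/24"), IPv4Address("10.1.1.1")),
    Route(IPv4Network("192.168.1.0/25"), IPv4Address("192.168.1.1")),
)

# The two Advanced Outbound NAT rules from the post's INT/SOURCE/DEST/TARGET table.
NAT_RULES = (
    NatRule("WAN", IPv4Network("192.168.1.0/24"), IPv4Network("10.1.1.0/24"), False, IPv4Address("10.1.1.27")),
    NatRule("WAN", IPv4Network("192.168.1.0/25"), IPv4Network("10.1.1.0/25"), True, WAN_IP),
)


def egress_interface(dst: IPv4Address) -> str:
    """Longest-prefix match over connected subnets and static routes; WAN is the default route."""
    candidates = []
    for iface in IFACES:
        if dst in iface.network:
            candidates.append((iface.network.prefixlen, iface.name))
    for route in STATIC_ROUTES:
        if dst in route.dest:
            # A static route is usable only if its gateway sits on a connected subnet.
            via = [i.name for i in IFACES if route.gateway in i.network]
            if via:
                candidates.append((route.dest.prefixlen, via[0]))
    if not candidates:
        return "WAN"
    return max(candidates)[1]


def outbound_nat(src: IPv4Address, dst: IPv4Address):
    """Return (egress interface, source after NAT, index of the matching rule or None)."""
    out_if = egress_interface(dst)
    for idx, rule in enumerate(NAT_RULES):
        if rule.iface != out_if or src not in rule.src:
            continue
        dst_hit = dst in rule.dst
        if rule.dst_negate:
            dst_hit = not dst_hit
        if dst_hit:
            return out_if, rule.target, idx
    return out_if, src, None   # no map rule on this interface: source left untouched


def trace(src: str, dst: str) -> dict:
    """Trace one flow; addresses are given as strings for convenience."""
    out_if, nat_src, idx = outbound_nat(IPv4Address(src), IPv4Address(dst))
    return {"egress": out_if, "nat_source": str(nat_src), "rule": idx}


if __name__ == "__main__":
    # Constructed sample flows: a wireless client to a private server, and to a public host.
    for flow in (("192.168.1.50", "10.1.1.5"),
                 ("192.168.1.50", "198.51.100.7"),
                 ("192.168.1.200", "198.51.100.7")):
        print(flow, trace(*flow))
```

Under these assumptions the model shows two things worth checking against the real "ipnat -lv" output: a packet from OPT1 to 10.1.1.x leaves by LAN, so a map rule bound to WAN is never consulted for it, and a client above 192.168.1.127 falls outside the second rule's /25 source and leaves WAN with its private source address intact. Replace the placeholder addresses with the real ones to compare the model's answer with what the box actually does.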