 From:  "Roland Giesler" <roland at giesler dot za dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  NAT via the WAN address doesn't work?
 Date:  Wed, 26 Oct 2005 14:27:28 +0200
I have a strange problem in M0n0wall which probably has to do with my lack
of understanding of iptables and firewalls, but...

If I NAT traffic from WAN to LAN on port 443, the attempted traffic is not
even registered in the logs.  No block or accept entry.  Nothing, nada,
zilch.  However, if I use a secondary IP on the WAN, it all works 100%!
(I'm referring to adding another IP under "Server NAT")

The description on this page is as follows:
<quote>
Note:
The external IP addresses defined on this page may be used in inbound NAT
mappings. Depending on the way your WAN connection is setup, you may also
need proxy ARP.
</quote>

However, when I attempt to add the WAN ip to the SERVER NAT list, M0n0wall
informs me that:
<quote>
The following input errors were detected:

    * The WAN IP address may not be used in a Server NAT entry.
</quote>

Does this mean that I cannot NAT from the WAN address? (My terminology may be
unusual, but I don't know how else to put it)

If I set up a NAT rule from the external IP I've added under "Server NAT" it
works 100%, but if I switch back to the default IP on the WAN port, it
doesn't??

Here's some data for the config that works.  Below that is the config that
doesn't work.

regards

Roland Giesler
Stellenbosch


----------------------------
CONFIG THAT WORKS
----------------------------

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            196.35.140.57      UGSc        3   660192    rl0
127.0.0.1          127.0.0.1          UH          0      516    lo0
x.x.x              link#1             UC         11        0   fxp0
x.x.x.2            00:03:47:11:12:2d  UHLW        0    91275   fxp0   1185
x.x.x.3            00:b0:d0:d0:e2:0b  UHLW        0    12159   fxp0   1144
x.x.x.27           00:0b:6a:92:75:4b  UHLW        0       93   fxp0    732
x.x.x.28           00:c0:9f:82:c8:5d  UHLW        0      156   fxp0   1197
x.x.x.29           00:c0:9f:0d:56:90  UHLW        0      158   fxp0   1065
x.x.x.71           00:b0:d0:b9:f7:54  UHLW        0     6120   fxp0   1179
x.x.x.76           00:04:61:66:37:d0  UHLW        4   243826   fxp0   1177
x.x.x.78           00:11:09:73:01:6e  UHLW        0    92788   fxp0   1176
x.x.x.79           00:0e:7b:0b:cf:5f  UHLW        1      718   fxp0   1176
x.x.x.80           00:11:09:73:00:1a  UHLW        0    19145   fxp0   1026
x.x.x.84           00:01:02:0f:47:bb  UHLW        0    42525   fxp0    836
196.35.140.56/29   link#2             UC          1        0    rl0
196.35.140.57      00:14:a8:ab:5a:68  UHLW        4        0    rl0    600

ipnat -lv

List of active MAP/Redirect filters:
map rl0 x.x.x.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map rl0 x.x.x.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map rl0 x.x.x.0/24 -> 0.0.0.0/32
rdr rl0 196.35.140.62/32 port 443 -> x.x.x.2 port 443 tcp
rdr rl0 196.35.140.62/32 port 2401 -> x.x.x.76 port 2401 tcp
rdr rl0 196.35.140.62/32 port 8080 -> x.x.x.76 port 8080 tcp
rdr rl0 0.0.0.0/0 port 3000 -> x.x.x.2 port 3000 tcp

unparsed ipnat rules

map rl0 x.x.x.0/24  -> 0/32 proxy port ftp ftp/tcp
map rl0 x.x.x.0/24  -> 0/32 portmap tcp/udp auto
map rl0 x.x.x.0/24  -> 0/32
rdr rl0 196.35.140.62/32 port 2401 -> x.x.x.76 port 2401 tcp
rdr rl0 196.35.140.62/32 port 8080 -> x.x.x.76 port 8080 tcp
rdr rl0 196.35.140.62/32 port 443 -> x.x.x.2 port 443 tcp
rdr rl0 0/0 port 3000 -> x.x.x.2 port 3000 tcp

unparsed ipfilter rules

# loopback
pass in quick on lo0 all
pass out quick on lo0 all

# block short packets
block in log quick all with short

# block IP options
block in log quick all with ipopts

# allow access to DHCP server on LAN
pass in quick on fxp0 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on fxp0 proto udp from any port = 68 to x.x.x.1 port = 67
pass out quick on fxp0 proto udp from x.x.x.1 port = 67 to any port = 68

# WAN spoof check
block in log quick on rl0 from x.x.x.0/24 to any

# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
pass out quick on rl0 proto udp from any port = 68 to any port = 67
block in log quick on rl0 proto udp from any port = 67 to x.x.x.0/24 port = 68
pass in quick on rl0 proto udp from any port = 67 to any port = 68

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
block in log quick on fxp0 from ! x.x.x.0/24 to any

# block anything from private networks on WAN interface
block in log quick on rl0 from 10.0.0.0/8 to any
block in log quick on rl0 from 127.0.0.0/8 to any
block in log quick on rl0 from 172.16.0.0/12 to any
block in log quick on rl0 from x.x.0.0/16 to any

# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all

#---------------------------------------------------------------------------
# group head 100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on fxp0 all head 100

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on fxp0 all keep state

#---------------------------------------------------------------------------
# group head 200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on rl0 all head 200

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on rl0 all keep state

# make sure the user cannot lock himself out of the webGUI
pass in quick from x.x.x.0/24 to x.x.x.1 keep state group 100

# User-defined rules follow
pass in log first quick proto tcp from any to x.x.x.2 port = 443 keep state group 200
pass in log first quick proto tcp from any to x.x.x.76 port = 8080 keep state group 200
pass in log first quick proto tcp from 196.36.251.73 to x.x.x.2 port = 3000 keep state group 200
pass in log first quick proto tcp from any to x.x.x.76 port = 2401 keep state group 200
pass in quick from x.x.x.0/24 to any keep state group 100

#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all
block out log quick all

----------------------------
CONFIG THAT DOESN'T WORK
----------------------------

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            196.35.140.57      UGSc        4   663374    rl0
127.0.0.1          127.0.0.1          UH          0      516    lo0
192.168.100        link#1             UC         11        0   fxp0
192.168.100.2      00:03:47:11:12:2d  UHLW        0    92101   fxp0    886
192.168.100.3      00:b0:d0:d0:e2:0b  UHLW        0    12179   fxp0   1040
192.168.100.27     00:0b:6a:92:75:4b  UHLW        0     1485   fxp0    927
192.168.100.28     00:c0:9f:82:c8:5d  UHLW        0      156   fxp0   1040
192.168.100.29     00:c0:9f:0d:56:90  UHLW        0      158   fxp0   1135
192.168.100.71     00:b0:d0:b9:f7:54  UHLW        0     6120   fxp0    789
192.168.100.76     00:04:61:66:37:d0  UHLW        6   245041   fxp0    853
192.168.100.78     00:11:09:73:01:6e  UHLW        0    92854   fxp0   1112
192.168.100.79     00:0e:7b:0b:cf:5f  UHLW        0      889   fxp0   1110
192.168.100.80     00:11:09:73:00:1a  UHLW        0    19212   fxp0   1140
192.168.100.84     00:01:02:0f:47:bb  UHLW        0    42806   fxp0   1095
196.35.140.56/29   link#2             UC          1        0    rl0
196.35.140.57      00:14:a8:ab:5a:68  UHLW        4        0    rl0    889

ipnat -lv

List of active MAP/Redirect filters:
map rl0 192.168.100.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map rl0 192.168.100.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map rl0 192.168.100.0/24 -> 0.0.0.0/32
rdr rl0 196.35.140.62/32 port 2401 -> 192.168.100.76 port 2401 tcp
rdr rl0 196.35.140.62/32 port 8080 -> 192.168.100.76 port 8080 tcp
rdr rl0 0.0.0.0/0 port 443 -> 192.168.100.2 port 443 tcp
rdr rl0 0.0.0.0/0 port 3000 -> 192.168.100.2 port 3000 tcp

unparsed ipnat rules

map rl0 192.168.100.0/24  -> 0/32 proxy port ftp ftp/tcp
map rl0 192.168.100.0/24  -> 0/32 portmap tcp/udp auto
map rl0 192.168.100.0/24  -> 0/32
rdr rl0 0/0 port 443 -> 192.168.100.2 port 443 tcp
rdr rl0 196.35.140.62/32 port 2401 -> 192.168.100.76 port 2401 tcp
rdr rl0 196.35.140.62/32 port 8080 -> 192.168.100.76 port 8080 tcp
rdr rl0 0/0 port 3000 -> 192.168.100.2 port 3000 tcp

unparsed ipfilter rules

# loopback
pass in quick on lo0 all
pass out quick on lo0 all

# block short packets
block in log quick all with short

# block IP options
block in log quick all with ipopts

# allow access to DHCP server on LAN
pass in quick on fxp0 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on fxp0 proto udp from any port = 68 to 192.168.100.1 port = 67
pass out quick on fxp0 proto udp from 192.168.100.1 port = 67 to any port = 68

# WAN spoof check
block in log quick on rl0 from 192.168.100.0/24 to any

# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
pass out quick on rl0 proto udp from any port = 68 to any port = 67
block in log quick on rl0 proto udp from any port = 67 to 192.168.100.0/24 port = 68
pass in quick on rl0 proto udp from any port = 67 to any port = 68

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
block in log quick on fxp0 from ! 192.168.100.0/24 to any

# block anything from private networks on WAN interface
block in log quick on rl0 from 10.0.0.0/8 to any
block in log quick on rl0 from 127.0.0.0/8 to any
block in log quick on rl0 from 172.16.0.0/12 to any
block in log quick on rl0 from 192.168.0.0/16 to any

# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all

#---------------------------------------------------------------------------
# group head 100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on fxp0 all head 100

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on fxp0 all keep state

#---------------------------------------------------------------------------
# group head 200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on rl0 all head 200

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on rl0 all keep state

# make sure the user cannot lock himself out of the webGUI
pass in quick from 192.168.100.0/24 to 192.168.100.1 keep state group 100

# User-defined rules follow
pass in log first quick proto tcp from any to 192.168.100.2 port = 443 keep state group 200
pass in log first quick proto tcp from any to 192.168.100.76 port = 8080 keep state group 200
pass in log first quick proto tcp from 196.36.251.73 to 192.168.100.2 port = 3000 keep state group 200
pass in log first quick proto tcp from any to 192.168.100.76 port = 2401 keep state group 200
pass in quick from 192.168.100.0/24 to any keep state group 100

#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all
block out log quick all

-------------------------------
END OF CONFIG THAT DOESN'T WORK
-------------------------------
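Added example, not part of the post and not m0n0wall code: a small audit script that parses the `rdr` lines of the two `ipnat -lv` dumps above, pairs them by internal target, and reports where the external match address differs, plus which redirects have no WAN-group pass rule behind them. The sample rules are the post's own, with the `x.x.x` mask of the first dump replaced by the `192.168.100` prefix the second dump shows in the clear; the one difference it reports is the port 443 redirect's external address (`196.35.140.62/32` in the Server NAT setup, `0.0.0.0/0` in the WAN-address setup).

```python
import re
from collections import namedtuple

# One parsed rdr line: the external address/port it matches and the internal target.
Rdr = namedtuple("Rdr", "iface ext ext_port int_addr int_port proto")
RDR_RE = re.compile(r"^rdr\s+(\S+)\s+(\S+)\s+port\s+(\d+)\s+->\s+(\S+)\s+port\s+(\d+)\s+(\w+)")
# WAN-group (200) pass rules that admit traffic to an internal host:port.
PASS_RE = re.compile(r"^pass in .*proto (\w+) from \S+ to (\S+) port = (\d+) .*group 200")

def parse_rdr(text):
    """Extract rdr rules from 'ipnat -lv' output; 'map' rules are ignored."""
    rules = []
    for m in (RDR_RE.match(ln.strip()) for ln in text.splitlines()):
        if m:
            iface, ext, ep, ia, ip_, proto = m.groups()
            rules.append(Rdr(iface, ext, int(ep), ia, int(ip_), proto))
    return rules

def diff_external(a, b):
    """Pair rdr rules from two dumps by (internal host, port, proto) and return
    those whose external match address differs, as {key: (ext_in_a, ext_in_b)}."""
    key = lambda r: (r.int_addr, r.int_port, r.proto)
    ma, mb = {key(r): r for r in a}, {key(r): r for r in b}
    return {k: (ma[k].ext, mb[k].ext) for k in ma.keys() & mb.keys()
            if ma[k].ext != mb[k].ext}

def unfiltered(rdrs, filter_text):
    """rdr rules whose internal target has no pass rule in the WAN group: ipnat
    would translate the packet, but it then hits the 'block ... head 200' rule."""
    allowed = {(m.group(2), int(m.group(3)), m.group(1))
               for m in map(PASS_RE.match, filter_text.splitlines()) if m}
    return [r for r in rdrs if (r.int_addr, r.int_port, r.proto) not in allowed]

# Constructed samples, taken from the two dumps in the post with the LAN
# prefix unmasked as 192.168.100 (the second dump shows it in the clear).
WORKS = """rdr rl0 196.35.140.62/32 port 443 -> 192.168.100.2 port 443 tcp
rdr rl0 196.35.140.62/32 port 2401 -> 192.168.100.76 port 2401 tcp
rdr rl0 196.35.140.62/32 port 8080 -> 192.168.100.76 port 8080 tcp
rdr rl0 0.0.0.0/0 port 3000 -> 192.168.100.2 port 3000 tcp"""
BROKEN = """rdr rl0 196.35.140.62/32 port 2401 -> 192.168.100.76 port 2401 tcp
rdr rl0 196.35.140.62/32 port 8080 -> 192.168.100.76 port 8080 tcp
rdr rl0 0.0.0.0/0 port 443 -> 192.168.100.2 port 443 tcp
rdr rl0 0.0.0.0/0 port 3000 -> 192.168.100.2 port 3000 tcp"""
FILTER = """pass in log first quick proto tcp from any to 192.168.100.2 port = 443 keep state group 200
pass in log first quick proto tcp from any to 192.168.100.76 port = 8080 keep state group 200
pass in log first quick proto tcp from 196.36.251.73 to 192.168.100.2 port = 3000 keep state group 200
pass in log first quick proto tcp from any to 192.168.100.76 port = 2401 keep state group 200"""
```

Run `diff_external(parse_rdr(WORKS), parse_rdr(BROKEN))` and `unfiltered(parse_rdr(BROKEN), FILTER)` against your own dumps to see which redirects changed and which ones the filter would silently discard.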