Hi, Below you'll find the configfile. Note that the 3'rd NIC has been added 3 days ago. That is, the 3 NIC's does not have any influence on the problem. regards Søren Vanggaard Jensen <?xml version="1.0"?> <m0n0wall> <version>1.6</version> <lastchange>1132440572</lastchange> <system> <hostname>m0n0wallveb</hostname> <domain>veb.local</domain> <username>qqq</username> <password>zzz/</password> <!-- NOTE(review): username/password look like placeholder values substituted by the poster before sharing; confirm nothing real was left in. --> <timezone>Europe/Copenhagen</timezone> <time-update-interval>300</time-update-interval> <timeservers>193.162.159.194 193.162.145.130</timeservers> <webgui> <protocol>http</protocol> <!-- NOTE(review): the admin GUI is served over plain HTTP, and the filter rule described as "management from WAN" below passes tcp from any source to wanip:80, so admin logins cross the Internet unencrypted. Switch to https (certificate and private-key are empty here) and limit that rule's source to known management addresses. --> <port/> <certificate/> <private-key/> <expanddiags/> </webgui> <dnsserver>194.239.134.83</dnsserver> <dnsserver>193.162.153.164</dnsserver> </system> <interfaces> <lan> <if>bge0</if> <ipaddr>192.168.0.1</ipaddr> <subnet>24</subnet> <media/> <mediaopt/> </lan> <wan> <if>bge1</if> <mtu>1500</mtu> <media/> <mediaopt/> <spoofmac/> <ipaddr>xxx.yyy.57.2</ipaddr> <subnet>28</subnet> <gateway>xxx.yyy.57.1</gateway> </wan> <opt1> <if>sk0</if> <descr>OPT1 DMZ</descr> <ipaddr/> <subnet>31</subnet> <bridge>wan</bridge> <enable/> </opt1> </interfaces> <staticroutes> <route> <interface>lan</interface> <network>xxx.yyy.57.6/32</network> <gateway>192.168.0.10</gateway> <descr>ASMASTER </descr> </route> <route> <interface>lan</interface> <network>xxx.yyy.57.7/32</network> <gateway>192.168.0.10</gateway> <descr> ASCOMET</descr> </route> <route> <interface>lan</interface> <network>xxx.yyy.57.8/32</network> <gateway>192.168.0.10</gateway> <descr>ASTEROID</descr> </route> <route> <interface>lan</interface> <network>xxx.yyy.57.9/32</network> <gateway>192.168.0.10</gateway> <descr>xxx</descr> </route> <route> <interface>lan</interface> <network>xxx.yyy.57.5/32</network> <gateway>192.168.0.50</gateway> <descr>static to xxx</descr> </route> </staticroutes> <pppoe/> <pptp/> <bigpond/> <dyndns> <type>dyndns</type> <username/> <password/> <host/> <mx/> </dyndns> <dnsupdate/> <dhcpd> <lan> <enable/> <range> 
<from>192.168.0.101</from> <to>192.168.0.250</to> </range> <defaultleasetime/> <maxleasetime/> <staticmap> <mac>00:12:d9:6f:e4:93</mac> <ipaddr>192.168.0.10</ipaddr> <descr>internal firewall</descr> </staticmap> <staticmap> <mac>00:01:e6:59:7a:ba</mac> <ipaddr>192.168.0.15</ipaddr> <descr>Shared laser printer</descr> </staticmap> <staticmap> <mac>00:0c:41:9d:61:e2</mac> <ipaddr>192.168.0.40</ipaddr> <descr>int firewall WAN</descr> </staticmap> <staticmap> <mac>00:0c:6e:b8:e6:d6</mac> <ipaddr>192.168.0.50</ipaddr> <descr> CVS</descr> </staticmap> <staticmap> <mac>00:0d:88:63:04:db</mac> <ipaddr>192.168.0.100</ipaddr> <descr>Asterisk PBX</descr> </staticmap> <staticmap> <mac>00:40:F4:D2:2A:BB</mac> <ipaddr>192.168.0.254</ipaddr> <descr>Gigabit Switch (fælles, statisk ip, ingen DHCP)</descr> </staticmap> </lan> </dhcpd> <pptpd> <mode>off</mode> <redir/> <localip>xxx.yyy.57.2</localip> <remoteip>192.168.1.0</remoteip> <radius> <server/> <secret/> </radius> </pptpd> <dnsmasq> <hosts> <host>apps</host> <domain>abc.dk</domain> <ip>xxx.yyy.57.8</ip> <descr> apps server</descr> </hosts> <hosts> <host>asxerox6100</host> <domain>abc.dk</domain> <ip>192.168.0.10</ip> <descr>Xerox printer in our domain</descr> </hosts> <hosts> <host>demo</host> <domain>abc.dk</domain> <ip>xxx.yyy.57.8</ip> <descr>demo</descr> </hosts> <hosts> <host>ftp</host> <domain>app-solutions.com</domain> <ip>xxx.yyy.57.7</ip> <descr>ftp to ascomet</descr> </hosts> <hosts> <host>server1</host> <domain>uvdata.dk</domain> <ip>192.168.0.240</ip> <descr>server</descr> </hosts> <enable/> </dnsmasq> <snmpd> <syslocation>site</syslocation> <syscontact>svanggaard at hotmail dot com</syscontact> <rocommunity>public</rocommunity> <!-- NOTE(review): SNMP is enabled with the default read-only community "public"; any host able to reach the agent can read the device MIBs with it. Use a non-default community string and restrict which hosts may query it. --> <enable/> </snmpd> <diag> <ipv6nat> <ipaddr/> </ipv6nat> </diag> <bridge> <filteringbridge/> </bridge> <syslog> <nentries>300</nentries> <remoteserver/> </syslog> <nat> <advancedoutbound> <rule> <source> <network>192.168.0.0/24</network> </source> <descr>default public ip for clients 
connected to monowall LAN if</descr> <target/> <interface>wan</interface> <destination> <any/> </destination> </rule> <rule> <source> <network>192.168.0.50/32</network> </source> <descr>Intrapeople public ip</descr> <target>xxx.yyy.57.5</target> <interface>wan</interface> <destination> <any/> </destination> </rule> <enable/> </advancedoutbound> <onetoone> <external>xxx.yyy.57.4</external> <internal>192.168.0.100</internal> <subnet>32</subnet> <descr>1:1 to asterisk</descr> <interface>wan</interface> </onetoone> </nat> <filter> <rule> <type>pass</type> <interface>wan</interface> <source> <any/> </source> <destination> <network>opt1</network> </destination> <log/> <frags/> <descr>allow traffic to xxx.yyy.57.4</descr> <!-- NOTE(review): passes every protocol from any source into the bridged opt1 (DMZ) segment; acceptable only if every DMZ host is meant to be fully Internet-exposed. --> </rule> <rule> <type>pass</type> <interface>wan</interface> <protocol>tcp/udp</protocol> <source> <any/> </source> <destination> <address>192.168.0.100</address> <port>5060</port> </destination> <descr>NAT tcp/udp port 5060 to 192.168.0.100(asterisk)</descr> </rule> <rule> <type>pass</type> <interface>wan</interface> <protocol>udp</protocol> <source> <any/> </source> <destination> <address>192.168.0.100</address> <port>10000-20000</port> </destination> <descr>NAT inbound RTP til Asterisk</descr> </rule> <!-- NOTE(review): the next rule has no <type> element; every other filter rule states pass/block/reject explicitly. Confirm how the firmware treats a rule without a type before relying on it. --> <rule> <interface>wan</interface> <protocol>tcp/udp</protocol> <source> <any/> </source> <destination> <address>192.168.0.100</address> <port>8000</port> </destination> <descr>NAT RTP to asterisk</descr> </rule> <rule> <type>pass</type> <interface>wan</interface> <protocol>icmp</protocol> <source> <any/> </source> <destination> <network>wanip</network> </destination> <descr>allow ping to firewall</descr> </rule> <rule> <type>pass</type> <interface>wan</interface> <protocol>tcp</protocol> <source> <any/> </source> <destination> <network>wanip</network> <port>80</port> </destination> <descr>management from WAN</descr> <!-- NOTE(review): exposes the plain-HTTP admin interface (see the webgui note) to every Internet source; restrict the source or remove the rule. --> </rule> <rule> <type>pass</type> <interface>wan</interface> <protocol>tcp</protocol> <source> <any/> </source> <destination> 
<address>192.168.0.100</address> <port>80</port> </destination> <descr>HTTP to asterisk</descr> </rule> <rule> <type>pass</type> <interface>wan</interface> <protocol>tcp</protocol> <source> <any/> </source> <destination> <address>192.168.0.100</address> <port>22</port> </destination> <descr>SSH to asterisk</descr> </rule> <rule> <type>pass</type> <interface>wan</interface> <protocol>icmp</protocol> <source> <any/> </source> <destination> <address>192.168.0.100</address> </destination> <descr>allow ping to asterisk</descr> </rule> <rule> <type>pass</type> <interface>wan</interface> <source> <address>212.88.77.218</address> </source> <destination> <any/> </destination> <log/> <frags/> <descr>allow kpc vpn in</descr> </rule> <rule> <type>pass</type> <interface>wan</interface> <source> <any/> </source> <destination> <address>212.88.77.218</address> </destination> <log/> <frags/> <descr>allow out to zz</descr> </rule> <rule> <type>block</type> <interface>wan</interface> <protocol>tcp/udp</protocol> <source> <any/> </source> <destination> <any/> <port>6881-6889</port> </destination> <descr>block bittorrent</descr> </rule> <rule> <type>block</type> <interface>wan</interface> <protocol>tcp/udp</protocol> <source> <any/> </source> <destination> <any/> <port>445</port> </destination> <descr>block ms file sharing</descr> </rule> <rule> <type>block</type> <interface>wan</interface> <protocol>tcp/udp</protocol> <source> <any/> </source> <destination> <any/> <port>135-139</port> </destination> <descr>block ms netBios, rpc, etc</descr> </rule> <rule> <type>pass</type> <interface>wan</interface> <source> <any/> </source> <destination> <address>192.168.0.10</address> </destination> <log/> <frags/> <descr>allow anything to yyy</descr> <!-- NOTE(review): any protocol from any source to 192.168.0.10 (the "internal firewall" static DHCP lease); confirm this host is meant to be fully reachable from the WAN side. --> </rule> <rule> <type>pass</type> <interface>wan</interface> <protocol>tcp</protocol> <source> <any/> </source> <destination> <address>xxx.yyy.57.6</address> </destination> <descr>appSolutions fw -> ASMASTER</descr> </rule> <rule> <type>pass</type> 
<interface>wan</interface> <source> <any/> </source> <destination> <address>xxx.yyy.57.7</address> </destination> <descr>appSolutions fw -> ASCOMET</descr> </rule> <rule> <type>pass</type> <interface>wan</interface> <source> <any/> </source> <destination> <address>xxx.yyy.57.8</address> </destination> <descr>appSolutions fw -> ASTEROID</descr> </rule> <rule> <type>pass</type> <interface>wan</interface> <protocol>tcp</protocol> <source> <any/> </source> <destination> <address>xxx.yyy.57.9</address> </destination> <descr>internal fw -> host</descr> </rule> <!-- NOTE(review): the next three rules accept ESP, AH and GRE from any source to any destination; if only the VPN peer named in "allow kpc vpn in" needs them, restrict the source to that address. --> <rule> <type>pass</type> <interface>wan</interface> <protocol>esp</protocol> <source> <any/> </source> <destination> <any/> </destination> <log/> <frags/> <descr>allow esp to lan</descr> </rule> <rule> <type>pass</type> <interface>wan</interface> <protocol>ah</protocol> <source> <any/> </source> <destination> <any/> </destination> <log/> <frags/> <descr>allow AH to lan</descr> </rule> <rule> <type>pass</type> <interface>wan</interface> <protocol>gre</protocol> <source> <any/> </source> <destination> <any/> </destination> <log/> <frags/> <descr>allow GRE to lan</descr> </rule> <rule> <type>reject</type> <interface>wan</interface> <protocol>udp</protocol> <source> <any/> </source> <destination> <any/> </destination> <log/> <descr>tell senders that the nw is unavailable</descr> </rule> <rule> <type>reject</type> <interface>wan</interface> <protocol>tcp</protocol> <source> <any/> </source> <destination> <any/> </destination> <log/> <descr>tell senders that the nw is unavailable</descr> </rule> <rule> <type>block</type> <interface>wan</interface> <source> <any/> </source> <destination> <any/> </destination> <log/> <descr>block all</descr> </rule> <rule> <type>pass</type> <interface>opt1</interface> <source> <any/> </source> <destination> <any/> </destination> <log/> <frags/> <descr>outbound from DMZ</descr> </rule> <rule> <type>pass</type> <interface>lan</interface> <source> <any/> </source> <destination> 
<network>opt1</network> </destination> <frags/> <descr>Allow LAN to DMZ</descr> </rule> <rule> <type>pass</type> <interface>lan</interface> <source> <network>opt1</network> </source> <destination> <network>lan</network> </destination> <frags/> <descr>Allow LAN to DMZ</descr> <!-- NOTE(review): descr repeats the previous rule, but this rule matches source opt1 to destination lan on the lan interface; probably meant "Allow DMZ to LAN". Confirm the intended direction. --> </rule> <rule> <type>block</type> <interface>lan</interface> <protocol>tcp/udp</protocol> <source> <any/> </source> <destination> <any/> <port>130-140</port> </destination> <descr>Disallow Outbound netbios</descr> </rule> <rule> <type>block</type> <interface>lan</interface> <protocol>tcp/udp</protocol> <source> <any/> </source> <destination> <any/> <port>6969</port> </destination> <descr>Disallow Outbound Bittorrent Setup</descr> </rule> <rule> <type>block</type> <interface>lan</interface> <protocol>tcp/udp</protocol> <source> <any/> </source> <destination> <any/> <port>6667</port> </destination> <log/> <descr>Disallow Outbound IRC</descr> </rule> <rule> <type>block</type> <interface>lan</interface> <protocol>tcp/udp</protocol> <source> <any/> </source> <destination> <any/> <port>445</port> </destination> <descr>Disallow Outbound MS file sharing</descr> </rule> <rule> <type>pass</type> <interface>lan</interface> <source> <any/> </source> <destination> <address>212.88.77.218</address> </destination> <log/> <frags/> <descr>Explicitely allow traffic towards rrr</descr> </rule> <rule> <type>pass</type> <interface>lan</interface> <source> <address>192.168.0.100</address> </source> <destination> <any/> </destination> <descr>allow asterisk out</descr> </rule> <rule> <type>pass</type> <interface>lan</interface> <source> <address>xxx.yyy.57.6</address> </source> <destination> <any/> </destination> <descr>allow outgoing asmaster</descr> </rule> <rule> <type>pass</type> <interface>lan</interface> <source> <address>xxx.yyy.57.7</address> </source> <destination> <any/> </destination> <descr>allow outgoing ascomet</descr> </rule> <rule> <type>pass</type> <interface>lan</interface> <source> 
<address>xxx.yyy.57.8</address> </source> <destination> <any/> </destination> <descr>allow outgoing asteroid</descr> </rule> <rule> <type>pass</type> <interface>lan</interface> <source> <address>xxx.yyy.57.9</address> </source> <destination> <any/> </destination> <descr>allow outgoing tt</descr> </rule> <rule> <type>pass</type> <interface>lan</interface> <source> <address>192.168.0.10</address> </source> <destination> <any/> </destination> <descr>allow outgoing asmono</descr> </rule> <rule> <type>pass</type> <interface>lan</interface> <source> <address>192.168.0.20</address> </source> <destination> <any/> </destination> <descr>allow outgoing qq</descr> </rule> <rule> <type>pass</type> <interface>lan</interface> <source> <address>192.168.0.30</address> </source> <destination> <any/> </destination> <descr>allow outgoing nn</descr> </rule> <rule> <type>pass</type> <interface>lan</interface> <source> <address>192.168.0.40</address> </source> <destination> <any/> </destination> <descr>allow outgoing UVData</descr> </rule> <rule> <type>pass</type> <interface>lan</interface> <source> <network>lan</network> </source> <destination> <any/> </destination> <frags/> <descr>Default LAN -> any</descr> </rule> <tcpidletimeout/> <bypassstaticroutes/> </filter> <shaper> <pipe> <bandwidth>1800</bandwidth> <descr>Upload Pipe</descr> </pipe> <pipe> <bandwidth>1700</bandwidth> <descr>Download Pipe</descr> </pipe> <queue> <targetpipe>0</targetpipe> <weight>95</weight> <mask>source</mask> <descr>Priority 1 Upload - VoIP and Small Pkg</descr> </queue> <queue> <targetpipe>1</targetpipe> <weight>95</weight> <mask>destination</mask> <descr>Priority 1 Download - VoIP and Small Pkg</descr> </queue> <queue> <targetpipe>0</targetpipe> <weight>4</weight> <mask>source</mask> <descr>Priority #2 Upload - Streaming Media</descr> </queue> <queue> <targetpipe>1</targetpipe> <weight>4</weight> <mask>destination</mask> <descr>Priority #2 download - Streaming media</descr> </queue> <queue> 
<targetpipe>0</targetpipe> <weight>1</weight> <mask>source</mask> <descr>Priority #3 - Garbage upload. NNTP, FTP, P2P, Etc..</descr> </queue> <queue> <targetpipe>1</targetpipe> <weight>1</weight> <mask>destination</mask> <descr>Priority #3 - Garbage download. NNTP, FTP, P2P, Etc..</descr> </queue> <rule> <interface>wan</interface> <source> <any/> </source> <destination> <address>212.130.83.36</address> </destination> <direction>out</direction> <iplen>0-300</iplen> <iptos/> <tcpflags/> <descr>RTP to telsome Upload</descr> <targetqueue>0</targetqueue> </rule> <rule> <interface>wan</interface> <source> <any/> </source> <destination> <address>193.223.99.20</address> </destination> <direction>out</direction> <iplen>0-300</iplen> <iptos/> <tcpflags/> <descr>RTP to voip6.telsome.com</descr> <targetqueue>0</targetqueue> </rule> <rule> <interface>wan</interface> <source> <address>212.130.83.36</address> </source> <destination> <any/> </destination> <direction>in</direction> <iplen>0-500</iplen> <iptos/> <tcpflags/> <descr>RTP from telsome</descr> <targetqueue>1</targetqueue> </rule> <rule> <interface>wan</interface> <source> <address>193.223.99.20</address> </source> <destination> <any/> </destination> <direction>in</direction> <iplen>0-500</iplen> <iptos/> <tcpflags/> <descr>RTP from voip6.telsome.com</descr> <targetqueue>1</targetqueue> </rule> <rule> <interface>lan</interface> <protocol>icmp</protocol> <source> <any/> </source> <destination> <any/> </destination> <direction>out</direction> <iplen/> <iptos/> <tcpflags/> <descr>outbound ping</descr> <targetqueue>0</targetqueue> </rule> <rule> <interface>wan</interface> <protocol>icmp</protocol> <source> <any/> </source> <destination> <any/> </destination> <direction>in</direction> <iplen/> <iptos/> <tcpflags/> <descr>inbound ping</descr> <targetqueue>1</targetqueue> </rule> <rule> <interface>wan</interface> <source> <any/> </source> <destination> <any/> <port>53</port> </destination> <direction>out</direction> <iplen/> 
<iptos/> <tcpflags/> <descr>outbount dns queries</descr> <targetqueue>1</targetqueue> </rule> <rule> <interface>lan</interface> <protocol>tcp</protocol> <source> <any/> </source> <destination> <any/> <port>3389</port> </destination> <direction>out</direction> <iplen>0-300</iplen> <iptos/> <tcpflags/> <descr>Outbound Windows RDP (Terminal services) upload</descr> <targetqueue>2</targetqueue> </rule> <rule> <interface>wan</interface> <protocol>tcp</protocol> <source> <any/> </source> <destination> <any/> <port>3389</port> </destination> <direction>in</direction> <iplen/> <iptos/> <tcpflags/> <descr>Inbound Windows RDP (terminal services) download</descr> <targetqueue>3</targetqueue> </rule> <rule> <interface>lan</interface> <protocol>tcp</protocol> <source> <any/> </source> <destination> <any/> <port>5900</port> </destination> <direction>out</direction> <iplen/> <iptos/> <tcpflags/> <descr>Outgoing VNC upload</descr> <targetqueue>2</targetqueue> </rule> <rule> <interface>wan</interface> <protocol>tcp</protocol> <source> <any/> </source> <destination> <any/> <port>5900</port> </destination> <direction>in</direction> <iplen>0-300</iplen> <iptos/> <tcpflags/> <descr>Outgoing VNC download</descr> <targetqueue>3</targetqueue> </rule> <rule> <interface>wan</interface> <protocol>tcp</protocol> <source> <any/> <port>10000</port> </source> <destination> <any/> </destination> <direction>in</direction> <iplen/> <iptos/> <tcpflags/> <descr>Inbound cisco vpn over tcp</descr> <targetqueue>5</targetqueue> </rule> <rule> <interface>wan</interface> <protocol>tcp</protocol> <source> <any/> </source> <destination> <any/> <port>10000</port> </destination> <direction>out</direction> <iplen/> <iptos/> <tcpflags/> <descr>Outbound cisco vpn over tcp</descr> <targetqueue>4</targetqueue> </rule> <rule> <interface>wan</interface> <source> <any/> </source> <destination> <any/> </destination> <direction>in</direction> <iplen/> <iptos/> <tcpflags/> <descr>catch all download</descr> 
<targetqueue>5</targetqueue> </rule> <rule> <interface>lan</interface> <source> <any/> </source> <destination> <any/> </destination> <direction>out</direction> <iplen/> <iptos/> <tcpflags/> <descr>catch all upload</descr> <targetqueue>4</targetqueue> </rule> <rule> <interface>opt1</interface> <source> <any/> </source> <destination> <any/> </destination> <direction>out</direction> <iplen/> <iptos/> <tcpflags/> <descr>DMZ upload</descr> <targetqueue>4</targetqueue> </rule> <rule> <interface>lan</interface> <source> <any/> </source> <destination> <any/> </destination> <direction>in</direction> <iplen/> <iptos/> <tcpflags/> <descr>DMZ Download</descr> <!-- NOTE(review): descr says DMZ but the interface is lan, while "DMZ upload" above uses opt1; confirm whether opt1 was intended here. --> <targetqueue>5</targetqueue> </rule> <enable/> </shaper> <ipsec> <mobilekey> <ident>testkey</ident> <pre-shared-key>detteerentest</pre-shared-key> <!-- NOTE(review): the IPsec mobile-client pre-shared key is stored in clear text and has now been posted to a public list; treat it as compromised and rotate it on the firewall and on every mobile client that uses it. --> </mobilekey> </ipsec> <aliases/> <proxyarp> <proxyarpnet> <interface>wan</interface> <network>xxx.yyy.57.5/32</network> <descr>NAT 1:1 corp</descr> </proxyarpnet> <proxyarpnet> <interface>wan</interface> <network>xxx.yyy.57.6/32</network> <descr>NAT 1:1 asmaster</descr> </proxyarpnet> <proxyarpnet> <interface>wan</interface> <network>xxx.yyy.57.7/32</network> <descr>NAT 1:1 ascomet</descr> </proxyarpnet> <proxyarpnet> <interface>wan</interface> <network>xxx.yyy.57.8/32</network> <descr>NAT 1:1 asteroid</descr> </proxyarpnet> <proxyarpnet> <interface>wan</interface> <network>xxx.yyy.57.9/32</network> <descr>company</descr> </proxyarpnet> <proxyarpnet> <interface>wan</interface> <network>xxx.yyy.57.11/32</network> <descr>NAT 1:1 company2</descr> </proxyarpnet> <proxyarpnet> <interface>wan</interface> <network>xxx.yyy.57.4/32</network> <descr>NAT 1:1 to asterisk</descr> </proxyarpnet> </proxyarp> <wol/> </m0n0wall> |