Hi guys,

NAT 1:1 was working for me for longer than 1 year without problems, but since last Sunday I'm having a problem. I changed the wireless client on my WAN side. Before, I used my wifi WAN client with IP 192.168.10.200 and now there is 10.2.1.87 - these IPs are only the IPs of the wireless client "bridge-modem"; my WAN IP is still the same, 213.215.X.Y.

I'm using http://wiki.m0n0.ch/wikka.php?wakka=AccessingModemOutsideFirewall.

<shellcmd>ifconfig sis1 inet 10.2.1.87/24 alias</shellcmd>

Before there was 192.168.10.200; now that I have 10.2.1.87 I can see 10.2.1.1 in the routing tables, this could be an IP of my ISP... Now my wifi client has an IP within the range of the ISP's IP addresses, could this cause this issue?

Any idea?

Pete

/// ipnat -lv

List of active MAP/Redirect filters:
bimap sis1 192.168.100.6/32 -> 213.215.114.233/32
map sis1 from 192.168.100.0/24 to 10.2.1.42/32 -> 10.2.1.87/32 proxy port ftp ftp/tcp
map sis1 from 192.168.100.0/24 to 10.2.1.42/32 -> 10.2.1.87/32 portmap tcp/udp auto
map sis1 from 192.168.100.0/24 to 10.2.1.42/32 -> 10.2.1.87/32
map sis1 from 192.168.100.0/24 to 10.2.1.43/32 -> 10.2.1.87/32 proxy port ftp ftp/tcp
map sis1 from 192.168.100.0/24 to 10.2.1.43/32 -> 10.2.1.87/32 portmap tcp/udp auto
map sis1 from 192.168.100.0/24 to 10.2.1.43/32 -> 10.2.1.87/32
map sis1 from 192.168.100.0/24 ! to 10.2.1.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map sis1 from 192.168.100.0/24 ! to 10.2.1.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map sis1 from 192.168.100.0/24 ! to 10.2.1.0/24 -> 0.0.0.0/32
rdr sis1 0.0.0.0/0 port 80 -> 192.168.100.202 port 80 tcp
rdr sis1 0.0.0.0/0 port 83 -> 192.168.100.150 port 83 tcp
rdr sis1 0.0.0.0/0 port 88 -> 192.168.100.101 port 88 tcp
rdr sis1 0.0.0.0/0 port 89 -> 192.168.100.201 port 89 tcp
rdr sis1 0.0.0.0/0 port 5900- 5908 -> 192.168.100.150 port 5900 tcp
rdr sis1 0.0.0.0/0 port 59222 -> 192.168.100.222 port 59222 tcp
rdr sis1 0.0.0.0/0 port 5910 -> 192.168.100.6 port 5910 tcp/udp

/// Routing tables

Routing tables

Internet:
Destination        Gateway            Flags  Refs      Use  Netif  Expire
default            213.215.114.65     UGSc      6  2466863   sis1
10.2.1/24          link#2             UC        2        0   sis1
10.2.1.1           00:90:27:a2:82:72  UHLW      0        0   sis1    1200
10.2.1.87          00:0d:b9:01:0d:19  UHLW      0        3    lo0
127.0.0.1          127.0.0.1          UH        0        0    lo0
192.168.100        link#1             UC       10        0   sis0
192.168.100.6      00:e0:98:c5:c2:e8  UHLW      0    21007   sis0    1089
192.168.100.9      00:4f:62:00:4f:10  UHLW      0     6904   sis0     698
192.168.100.11     00:e0:98:c5:b5:f9  UHLW      0    45736   sis0    1152
192.168.100.13     00:e0:98:c5:b5:f9  UHLW      0    13093   sis0     206
192.168.100.16     00:4f:62:01:ff:92  UHLW      1        9   sis0    1187
192.168.100.20     00:4f:62:02:6d:1d  UHLW      0    11147   sis0     995
192.168.100.23     00:4f:62:02:5a:68  UHLW      0    10339   sis0     800
192.168.100.24     00:4f:62:02:ea:77  UHLW      0      822   sis0    1199
192.168.100.28     link#1             UHLW      1    73818   sis0
192.168.100.33     00:4f:62:00:5c:ec  UHLW      1   158861   sis0
213.215.114.64/27  link#2             UC        2        0   sis1
213.215.114.65     00:90:27:a2:82:72  UHLW      6       10   sis1     990
213.215.114.87     00:0d:b9:01:0d:19  UHLW      0        3    lo0

2005/11/22, brett at woollum dot com <brett at woollum dot com>:
> Ok, I got it all working ok.
>
> I have the 1:1 NAT set up still, but what I was doing before was adding
> the firewall rules to the LAN interface. I needed to add them to the
> WAN interface, yet still with the LAN IP (didn't make sense to do it
> like this at first - but I get it now).
>
> All seems well! Thanks!
>
> > -------- Original Message --------
> > Subject: Re: [m0n0wall] 1:1 NAT works ok, but there's a catch?
> > From: Chris Buechler <cbuechler at gmail dot com>
> > Date: Mon, November 21, 2005 8:27 am
> > To:
> > Cc: m0n0wall at lists dot m0n0 dot ch
> >
> > On 11/21/05, brett at woollum dot com <brett at woollum dot com> wrote:
> > > Whoops! I do actually have different external IPs there! I just forgot
> > > to change it because I used copy/paste in that email. The Maincomputer
> > > is on 198, and the server is on 251. I am STILL trying to forward
> > > these ports so maybe someone has another idea? Thanks!
> > >
> >
> > Do you see the traffic getting dropped every time? If not, if you
> > enable logging on the pass rule do you see it getting passed? If you
> > go to whatismyip.com from the internal hosts, does it indeed show them
> > being properly 1:1 NAT'ed to that public IP? What exactly is the
> > firewall rule (should be source IP any, source port any, destination
> > IP the private IP of the box, destination port whichever service you
> > want open (80 or whatever)).
> >
> > -Chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
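
Added example, not part of the thread or of m0n0wall: a short Python sketch that reads `bimap` and `rdr` lines in the shape of the `ipnat -lv` listing above and returns, for each inbound mapping, the private destination a pass rule on that interface has to match (the rule shape given in the quoted replies). The sample lines are constructed from the listing, the function name is hypothetical, and it assumes a redirected port range keeps its width on the internal side.

```python
import re

# Constructed sample in the shape of the `ipnat -lv` listing quoted in the post.
SAMPLE = """\
bimap sis1 192.168.100.6/32 -> 213.215.114.233/32
map sis1 from 192.168.100.0/24 ! to 10.2.1.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
rdr sis1 0.0.0.0/0 port 80 -> 192.168.100.202 port 80 tcp
rdr sis1 0.0.0.0/0 port 5900- 5908 -> 192.168.100.150 port 5900 tcp
rdr sis1 0.0.0.0/0 port 5910 -> 192.168.100.6 port 5910 tcp/udp
"""

BIMAP = re.compile(r"bimap\s+(\S+)\s+([\d.]+)/32\s+->\s+([\d.]+)/32$")
RDR = re.compile(r"rdr\s+(\S+)\s+\S+\s+port\s+(\d+)(?:-\s*(\d+))?\s+->\s+"
                 r"([\d.]+)\s+port\s+(\d+)\s+(\S+)$")


def wan_rule_targets(listing):
    """Return (kind, iface, private_ip, proto, ports) per inbound mapping.

    private_ip and ports are what a pass rule on iface must name as its
    destination, because inbound packets are translated before filtering.
    ports is (low, high), or None when the mapping covers every port.
    """
    targets = []
    for line in map(str.strip, listing.splitlines()):
        m = BIMAP.match(line)
        if m:
            iface, private, _public = m.groups()
            # 1:1 NAT maps all ports: only the filter rules limit exposure.
            targets.append(("bimap", iface, private, "any", None))
            continue
        m = RDR.match(line)
        if m:
            iface, low, high, private, first, proto = m.groups()
            width = int(high or low) - int(low)
            # Assumption: the range keeps its width on the internal side.
            ports = (int(first), int(first) + width)
            targets.append(("rdr", iface, private, proto, ports))
    return targets  # outbound "map" lines are not inbound exposure


if __name__ == "__main__":
    for kind, iface, ip, proto, ports in wan_rule_targets(SAMPLE):
        dport = "set by the rule" if ports is None else "%d-%d" % ports
        print(f"{kind:5} {iface}: pass any -> {ip} proto {proto} dport {dport}")
```

The `bimap` entry comes back with no port range: for a 1:1 mapping the pass rules on the WAN interface are the only thing deciding which services on that host are reachable.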