 From:  Alain Fauconnet <alain at ait dot ac dot th>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  how to allow incoming connections from WAN to LAN? (no NAT)
 Date:  Wed, 23 Nov 2005 17:51:16 +0700
Hello readers,

This is my first posting here. I've browsed the FAQs and the archives
but couldn't find an answer, although I suspect this is a trivial
issue. So I'm hoping for some wisdom here.

I'm using M0n0wall (generic-pc-cdrom v1.2) to provide an
authentication portal to wireless users in the university.

Both LAN and WAN use real IPs, traffic is routed (no bridging), LAN
and WAN are in different IP subnets.

All works very nicely (I'm still wondering how such a great thing can fit in 6
megs!) except that no connections from the university's main network
(i.e. the WAN) to wireless users (i.e. the LAN) are allowed.
I *can* ping IPs on LAN from WAN, but I can't establish any kind of
TCP connection to them. That's a pain, because our central a/v
software (Trend Micro's OSCE) relies on server->client TCP connections
to "push" updates (among other reasons).

I have added very permissive rules on both sides of the firewall
(basically allow "* * * * *") to rule out filtering problems.

I can see the incoming connection from an IP on WAN pass through and
reach the client on LAN, but the return packet is blocked (LAN->WAN).
This is confirmed when I enable firewall events in Diagnostics -> Logs
-> Settings. I can see the log entries for the dropped return packet.

The only reference to this I've found is
http://doc.m0n0.ch/handbook/faq-no-nat.html.
I've enabled 'advanced outbound NAT' as advised, but this has made no
change. I'm not sure how it would anyway, since I don't use NAT
at all.

A sanitized copy of the output of status.php can be found at:
http://stweb.ait.ac.th/~alain/Output_of_status.php.html

(I've tried to attach it, but the mailing list manager doesn't
allow postings > 30k)

LAN is 222.222.64.0/23
WAN is 222.222.64.48/30

As you may notice, there's a small "hack": I've hand-edited
the config.xml file to add IP subnets to the list of exceptions to
the portal. The web GUI doesn't let me do this. I can't really imagine
that's the root of my problem, but if it is, please tell me.

Why do I still have NAT taking place? (output of 'ipnat -lv')
Is there any way I can disable NAT completely?

Thanks in advance for any hint,
Greets,
_Alain_
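As an added example, not part of the original post or of m0n0wall: a small standard-library Python check of whether the interface subnets quoted above overlap, and which interface subnets a given host address falls under. The interface table is constructed from the two prefixes in the post; in a routed (no-NAT) setup, each destination should fall under exactly one interface.

```python
import ipaddress
from itertools import combinations

# Interface subnets as quoted in the post (constructed table, not m0n0wall output).
INTERFACES = {
    "LAN": "222.222.64.0/23",
    "WAN": "222.222.64.48/30",
}


def parse_interfaces(ifaces):
    """Parse name -> CIDR into name -> ip_network (strict: host bits must be zero)."""
    return {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in ifaces.items()}


def find_overlaps(ifaces):
    """Return sorted (name_a, name_b) pairs whose subnets share any address."""
    nets = parse_interfaces(ifaces)
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])
    )


def interfaces_for(ifaces, host):
    """Return the names of every interface subnet containing `host`.

    A host matching more than one interface means the router has two
    candidate egress interfaces for it, which is worth checking before
    chasing filter rules or NAT settings.
    """
    nets = parse_interfaces(ifaces)
    addr = ipaddress.ip_address(host)
    return sorted(name for name, net in nets.items() if addr in net)


if __name__ == "__main__":
    for a, b in find_overlaps(INTERFACES):
        print(f"overlap: {a} ({INTERFACES[a]}) and {b} ({INTERFACES[b]})")
    # Constructed sample hosts: one inside the WAN /30, one elsewhere in the LAN /23.
    for host in ("222.222.64.49", "222.222.65.10"):
        print(host, "->", interfaces_for(INTERFACES, host))
```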