 From:  Mark Wass <mark dot wass at market dash analyst dot com>
 Cc:  Chris Buechler <cbuechler at gmail dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] m0n0wall Routing and NAT Question
 Date:  Thu, 01 Dec 2005 14:00:35 +1000
Hi All

I have found a solution to this routing / NATing issue. One thing that 
tricked me is that I had IPSEC turned on and this was causing me 
problems, so I switched it off, got all the routing correct and got 
the communications between the servers working.

The IPSEC tunnel was there from some previous works I was doing. :-[

For the record, and for anyone else who may want to do this in the future, 
here's what I did.

PROBLEM
=======

Route traffic from Server#1 to Server#2 and make the connections to 
Server#2 appear to be coming from 192.168.22.1

      Server#1 eth0 = 192.168.3.20/24
         |
         |
         |
         |LAN IP 192.168.3.1/24
     ---------
     monowall#1
     ---------
         |WAN IP = 10.0.0.1/30
         |
         |
         |
         |
         |WAN IP = 10.0.0.2/30
     ---------
     monowall#2
     ---------
         |OPT1 IP 192.168.22.1/24
         |
         |
         |
         |
         |eth0 IP = 192.168.22.3/24
    ------------
    Linux Router
    ------------
         |eth1 IP = 192.168.100.1/24
         |
         |
         |
      Server#2 eth0 = 192.168.100.2/24

---------------------------------------------------------

ADVANCED OUTBOUND NAT
=====================

m0n0wall#1
Turn Advanced Outbound NAT on - no entries (put the tick in the box only)

m0n0wall#2
Turn Advanced Outbound NAT on
---------   ------          -----------    ------
INTERFACE   SOURCE          DESTINATION    TARGET
---------   ------          -----------    ------
OPT2        192.168.3.0/24  192.168.100.0    *

--------------------------------------------------------

STATIC ROUTES
=============

Server#1
--------
eth0 Default Gateway 192.168.3.1

m0n0wall#1
----------
m0n0wall#1 WAN Default gateway is 10.0.0.2
No Added Static routes.

m0n0wall#2
----------
---------   -------            -------
INTERFACE   NETWORK            GATEWAY
---------   -------            -------
OPT1        192.168.100.0/24   192.168.22.3

m0n0wall#2 WAN Default gateway is 10.0.0.1

Linux Router
------------
eth0 Default gateway is 192.168.22.1
No Added Static routes.


Server#2
--------
eth0 Default gateway is 192.168.100.1

---------------------------------------------------------

NOTES
=====

The WAN interfaces on both m0n0walls have the "Block private networks" 
option turned off (tick removed from box).

If you have extra interfaces hanging off m0n0wall#2, say OPT2 
(192.168.20.0/24), and you want that network to connect to Server#2 and 
appear to come from 192.168.22.1, just create another entry in the 
Advanced Outbound NAT like this.

---------   ------           -----------    ------
INTERFACE   SOURCE           DESTINATION    TARGET
---------   ------           -----------    ------
OPT2        192.168.20.0/24  192.168.100.0    *

At this point there are no firewall rules on any of the interfaces so 
now that the connectivity is working you can go ahead and lock down the 
traffic being routed.

Traffic shaping can also be applied where needed.


Mark Wass wrote:

> Hi Chris
>
> I'm stuck again, here's a refresher.
>
>       Server#1 192.168.3.20/24
>          |
>          |
>          |
>          |LAN IP 192.168.3.1/24
>      ---------
>      monowall#1
>      ---------
>          |WAN IP = 10.0.0.1/30
>          |
>          |
>          |
>          |
>          |WAN IP = 10.0.0.2/30
>      ---------
>      monowall#2
>      ---------
>          |OPT1 IP 192.168.22.1/24
>          |
>          |
>          |
>          |
>          |eth0 IP = 192.168.22.3/24
>     ------------
>     Linux Router
>     ------------
>          |eth1 IP = 192.168.100.1/24
>          |
>          |
>          |
>       Server#2 192.168.100.2/24
>
> So far my routing allows me to ping from Server#1 all the way through 
> to 192.168.22.3 (Linux Router)
>
> Server#2 can ping all the way to 10.0.0.1 (monowall#1)
>
> I'm getting stuck on the static routing, here's what I have:
>
> Advanced outbound NAT turned on at both monowalls
>
> monowall#1 default gateway is 10.0.0.2
> monowall#2 default gateway is 10.0.0.1
> Linux Router default gateway is 192.168.22.1 (Is this correct for 
> allowing Server#1 to connect to Server#2?)
>
> STATIC ROUTES
> =============
>
> monowall#1
> ---------   -------            -------
> INTERFACE   NETWORK            GATEWAY
> ---------   -------            -------
> WAN         192.168.100.0/24   10.0.0.2
> WAN         192.168.22.0/24    10.0.0.2
>
> monowall#2
> ---------   -------            -------
> INTERFACE   NETWORK            GATEWAY
> ---------   -------            -------
> WAN         192.168.3.0/24     10.0.0.1
> OPT1        192.168.100.0/24   192.168.22.3
>
> Linux Router
> ---------   -------            -------
> INTERFACE   NETWORK            GATEWAY
> ---------   -------            -------
> no static routes added, default gateway is 192.168.22.1
>
> ------------------------------------------
>
> I need to be able to ping from Server#1 to Server#2 and vice versa.
>
> Where am I going wrong?
>
>
> Chris Buechler wrote:
>
>> On 11/30/05, Mark Wass <mark dot wass at market dash analyst dot com> wrote:
>>  
>>
>>> Sorry Chris, that was a question. Not a statement
>>>
>>>   
>>
>>
>> Well, mine was a statement and a question at the same time.  :) 
>> Should have read "yes.  Did you disable NAT?"
>>
>>
>>
>>  
>>
>>> Can I route these private subnets. Take a look at my original email and
>>> you'll see what I want to do :-)
>>>
>>>   
>>
>>
>> yeah, i missed the earlier part of this thread.  Is it possible? 
>> Yeah.  pretty?  absolutely not.  But if you absolutely must set it up
>> this way...
>>
>> 1)  Do the m0n0walls have default gateway entries?  if so, what are
>> they?  if you're just routing these private subnets, they aren't
>> required, but whether or not they're defined and what they're defined
>> as could have some impact.
>> 2)  as depicted in that diagram, the static route on m0n0wall #2 needs
>> to be on the WAN interface, not LAN as you showed (unless that was a
>> typo).  m0n0 #2 may also need a route on the WAN to 192.168.100.0/24,
>> depending on the answer to the above.
>> 3)  I'd enable outbound NAT on both of them to completely disable NAT
>> (no rules at all), then I'd probably do a 1:1 mapping between a
>> 192.168.22. IP and server 1's 192.168.3. IP, and add proxy arp on that
>> .22. IP too.  From there, as long as the proper firewall rules are in
>> place, everything should work.
>>
>> -Chris
>>
>
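As an added illustration of the final configuration in Mark's post (example code, not from the thread or from m0n0wall itself), here is a small Python model that forwards a packet hop by hop through the five nodes using each node's routing table and m0n0wall#2's Advanced Outbound NAT entry, then traces Server#2's reply back. The node names, the NAT state table and the hop-by-hop lookup are constructed for this example; the addresses, routes and NAT rule are the ones given above.

```python
import ipaddress

# Constructed model of the thread's final topology (example, not m0n0wall code):
# node -> (its own addresses, routing table of (prefix, next hop or None if directly connected)).
NODES = {
    "server1": ({"192.168.3.20"}, [("192.168.3.0/24", None), ("0.0.0.0/0", "192.168.3.1")]),
    "m0n0wall1": ({"192.168.3.1", "10.0.0.1"},
                  [("192.168.3.0/24", None), ("10.0.0.0/30", None), ("0.0.0.0/0", "10.0.0.2")]),
    "m0n0wall2": ({"10.0.0.2", "192.168.22.1"},
                  [("10.0.0.0/30", None), ("192.168.22.0/24", None),
                   ("192.168.100.0/24", "192.168.22.3"), ("0.0.0.0/0", "10.0.0.1")]),
    "linuxrouter": ({"192.168.22.3", "192.168.100.1"},
                    [("192.168.22.0/24", None), ("192.168.100.0/24", None), ("0.0.0.0/0", "192.168.22.1")]),
    "server2": ({"192.168.100.2"}, [("192.168.100.0/24", None), ("0.0.0.0/0", "192.168.100.1")]),
}
ADDR_TO_NODE = {a: n for n, (addrs, _) in NODES.items() for a in addrs}
OPT1_NET = ipaddress.ip_network("192.168.22.0/24")
# m0n0wall#2's Advanced Outbound NAT entry: source 192.168.3.0/24 -> destination 192.168.100.0/24,
# leaving on OPT1, gets the OPT1 interface address 192.168.22.1 as its new source.
NAT_RULE = (ipaddress.ip_network("192.168.3.0/24"), ipaddress.ip_network("192.168.100.0/24"), "192.168.22.1")
nat_state = {}  # (translated source, destination) -> original source, used for the reply path

def next_hop(node, dst):
    """Longest-prefix match in the node's table; a connected route hands the packet straight to dst."""
    _, table = NODES[node]
    d = ipaddress.ip_address(dst)
    prefix, gw = max(((p, g) for p, g in table if d in ipaddress.ip_network(p)),
                     key=lambda e: ipaddress.ip_network(e[0]).prefixlen)
    return dst if gw is None else gw

def trace(src, dst, max_hops=10):
    """Forward one packet hop by hop. Returns (node it is delivered to, source and destination
    as that node sees them, list of nodes traversed)."""
    node, hops = ADDR_TO_NODE[src], []
    for _ in range(max_hops):
        hops.append(node)
        if node == "m0n0wall2":
            # A reply addressed to the NAT address: translate it back if state was created on the way out.
            dst = nat_state.get((dst, src), dst)
        if dst in NODES[node][0]:
            return node, src, dst, hops
        nh = next_hop(node, dst)
        if node == "m0n0wall2" and ipaddress.ip_address(nh) in OPT1_NET:
            src_net, dst_net, target = NAT_RULE
            if ipaddress.ip_address(src) in src_net and ipaddress.ip_address(dst) in dst_net:
                nat_state[(target, dst)] = src
                src = target
        node = ADDR_TO_NODE[nh]
    raise RuntimeError("packet not delivered: routing loop or no route")

if __name__ == "__main__":
    print(trace("192.168.3.20", "192.168.100.2"))   # Server#2 sees source 192.168.22.1
    print(trace("192.168.100.2", "192.168.22.1"))   # the reply is mapped back to Server#1
```

The Linux Router only ever sees 192.168.22.1 as the peer, which is why it needs no route to 192.168.3.0/24 beyond its default gateway.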