Hi All
I have found a solution to this routing / NATing issue. One thing that
tricked me is that I had IPSEC turned on, and this was causing me
problems, so I switched it off, got all the routing correct and got
the communications between the servers working.
The IPSEC tunnel was there from some previous works I was doing. :-[
For the record and for anyone else who may want to do this in the future,
here's what I did.
PROBLEM
=======
Route traffic from Server#1 to Server#2 and make the connections to
Server#2 appear to be coming from 192.168.22.1
Server#1 eth0 = 192.168.3.20/24
|
|
|
|LAN IP 192.168.3.1/24
---------
monowall#1
---------
|WAN IP = 10.0.0.1/30
|
|
|
|
|WAN IP = 10.0.0.2/30
---------
monowall#2
---------
|OPT1 IP 192.168.22.1/24
|
|
|
|
|eth0 IP = 192.168.22.3/24
------------
Linux Router
------------
|eth1 IP = 192.168.100.1/24
|
|
|
Server#2 eth0 = 192.168.100.2/24
---------------------------------------------------------
ADVANCED OUTBOUND NAT
=====================
m0n0wall#1
Turn Advanced Outbound NAT on - no entries (put the tick in the box only)
m0n0wall#2
Turn Advanced Outbound NAT on
--------- ------ ----------- ------
INTERFACE SOURCE DESTINATION TARGET
--------- ------ ----------- ------
OPT2 192.168.3.0/24 192.168.100.0 *
--------------------------------------------------------
STATIC ROUTES
=============
Server#1
--------
eth0 Default Gateway 192.168.3.1
m0n0wall#1
----------
m0n0wall#1 WAN Default gateway is 10.0.0.2
No Added Static routes.
m0n0wall#2
----------
--------- ------- -------
INTERFACE NETWORK GATEWAY
--------- ------- -------
OPT1 192.168.100.0/24 192.168.22.3
m0n0wall#2 WAN Default gateway is 10.0.0.1
Linux Router
------------
eth0 Default gateway is 192.168.22.1
No Added Static routes.
Server#2
--------
eth0 Default gateway is 192.168.100.1
---------------------------------------------------------
NOTES
=====
The WAN interfaces on both m0n0walls have the "Block private networks"
option turned off (tick removed from box).
If you have extra interfaces hanging off the m0n0wall#2 say OPT2
(192.168.20.0/24) and you want that network to connect to Server#2 and
appear to come from 192.168.22.1 just create another entry in the
Advanced Outbound NAT like this.
--------- ------ ----------- ------
INTERFACE SOURCE DESTINATION TARGET
--------- ------ ----------- ------
OPT2 192.168.20.0/24 192.168.100.0 *
At this point there are no firewall rules on any of the interfaces, so
now that the connectivity is working you can go ahead and lock down the
traffic being routed.
Traffic shaping can also be applied where needed.
Mark Wass wrote:
> Hi Chris
>
> I'm stuck again, here's a refresher.
>
> Server#1 192.168.3.20/24
> |
> |
> |
> |LAN IP 192.168.3.1/24
> ---------
> monowall#1
> ---------
> |WAN IP = 10.0.0.1/30
> |
> |
> |
> |
> |WAN IP = 10.0.0.2/30
> ---------
> monowall#2
> ---------
> |OPT1 IP 192.168.22.1/24
> |
> |
> |
> |
> |eth0 IP = 192.168.22.3/24
> ------------
> Linux Router
> ------------
> |eth1 IP = 192.168.100.1/24
> |
> |
> |
> Server#2 192.168.100.2/24
>
> So far my routing allows me to ping from Server#1 all the way through
> to 192.168.22.3 (Linux Router)
>
> Server#2 can ping all the way to 10.0.0.1 (monowall#1)
>
> I'm getting stuck on the static routing, here's what I have:
>
> Advanced outbound NAT turn on at both monowalls
>
> monowall#1 default gateway is 10.0.0.2
> monowall#2 default gateway is 10.0.0.1
> Linux Router default gateway is 192.168.22.1 (Is this correct for
> allowing Server#1 to connect to Server#2?)
>
> STATIC ROUTES
> =============
>
> monowall#1
> --------- ------- -------
> INTERFACE NETWORK GATEWAY
> --------- ------- -------
> WAN 192.168.100.0/24 10.0.0.2
> WAN 192.168.22.0/24 10.0.0.2
>
> monowall#2
> --------- ------- -------
> INTERFACE NETWORK GATEWAY
> --------- ------- -------
> WAN 192.168.3.0/24 10.0.0.1
> OPT1 192.168.100.0/24 192.168.22.3
>
> Linux Router
> --------- ------- -------
> INTERFACE NETWORK GATEWAY
> --------- ------- -------
> no static routes added, default gateway is 192.168.22.1
>
> ------------------------------------------
>
> I need to be able to ping from Server#1 to Server#2 and vice versa.
>
> Where am I going wrong?
>
>
> Chris Buechler wrote:
>
>> On 11/30/05, Mark Wass <mark dot wass at market dash analyst dot com> wrote:
>>
>>
>>> Sorry Chris, that was a question. Not a statement
>>>
>>>
>>
>>
>> Well, mine was a statement and a question at the same time. :)
>> Should have read "yes. Did you disable NAT?"
>>
>>
>>
>>
>>
>>> Can I route these private subnets. Take a look at my original email and
>>> you'll see what I want to do :-)
>>>
>>>
>>
>>
>> yeah, i missed the earlier part of this thread. Is it possible?
>> Yeah. pretty? absolutely not. But if you absolutely must set it up
>> this way...
>>
>> 1) Do the m0n0walls have default gateway entries? if so, what are
>> they? if you're just routing these private subnets, they aren't
>> required, but whether or not they're defined and what they're defined
>> as could have some impact.
>> 2) as depicted in that diagram, the static route on m0n0wall #2 needs
>> to be on the WAN interface, not LAN as you showed (unless that was a
>> typo). m0n0 #2 may also need a route on the WAN to 192.168.100.0/24,
>> depending on the answer to the above.
>> 3) I'd enable outbound NAT on both of them to completely disable NAT
>> (no rules at all), then I'd probably do a 1:1 mapping between a
>> 192.168.22. IP and server 1's 192.168.3. IP, and add proxy arp on that
>> .22. IP too. From there, as long as the proper firewall rules are in
>> place, everything should work.
>>
>> -Chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>
>>
>>
>>
>>
>
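The forwarding and NAT behaviour worked out in the thread above, as an added example that is not from the thread or from m0n0wall itself: a small Python longest-prefix-match simulator loaded with the routing tables and the two Advanced Outbound NAT entries from Mark's final post. All addresses are taken from the post's diagram; the OPT2 interface address 192.168.20.1 and the OPT2 host 192.168.20.5 are assumptions made to exercise the second NAT entry, and the "*" target is read as the egress interface address (OPT1, 192.168.22.1). Walking a packet hop by hop shows why no static routes were needed on m0n0wall#1 (the default gateways carry both directions, with the one static route on m0n0wall#2 pointing 192.168.100.0/24 at the Linux router), that the reply is un-NATed on m0n0wall#2 before heading back over the WAN link, and the point that matters once the firewall rules are written: Server#2 sees every client behind m0n0wall#2, whether on the 192.168.3.0/24 LAN or the OPT2 network, as 192.168.22.1, so a source-based restriction on Server#2 cannot tell them apart and the per-network lockdown has to live on m0n0wall#2.

```python
import ipaddress

IP, NET = ipaddress.ip_address, ipaddress.ip_network

# Routing tables as the post configures them: (destination, gateway).
# A gateway of None means the network is directly connected.
ROUTES = {
    "Server#1":     [("0.0.0.0/0", "192.168.3.1")],
    "m0n0wall#1":   [("192.168.3.0/24", None), ("10.0.0.0/30", None),
                     ("0.0.0.0/0", "10.0.0.2")],             # no static routes
    "m0n0wall#2":   [("10.0.0.0/30", None), ("192.168.22.0/24", None),
                     ("192.168.20.0/24", None),              # OPT2 from the NOTES
                     ("192.168.100.0/24", "192.168.22.3"),   # the one static route
                     ("0.0.0.0/0", "10.0.0.1")],
    "Linux Router": [("192.168.22.0/24", None), ("192.168.100.0/24", None),
                     ("0.0.0.0/0", "192.168.22.1")],
    "Server#2":     [("192.168.100.0/24", None), ("0.0.0.0/0", "192.168.100.1")],
    "OPT2 host":    [("0.0.0.0/0", "192.168.20.1")],         # assumed host on OPT2
}

# Which node owns which address. 192.168.20.1 and 192.168.20.5 are assumed;
# everything else is taken from the diagram in the post.
OWNER = {
    "192.168.3.20": "Server#1",
    "192.168.3.1": "m0n0wall#1", "10.0.0.1": "m0n0wall#1",
    "10.0.0.2": "m0n0wall#2", "192.168.22.1": "m0n0wall#2", "192.168.20.1": "m0n0wall#2",
    "192.168.22.3": "Linux Router", "192.168.100.1": "Linux Router",
    "192.168.100.2": "Server#2",
    "192.168.20.5": "OPT2 host",
}

# Advanced Outbound NAT entries: per node, (source net, destination net, new source).
# Target "*" in the post is read as the egress interface address, OPT1 = 192.168.22.1.
SNAT = {
    "m0n0wall#2": [("192.168.3.0/24", "192.168.100.0/24", "192.168.22.1"),
                   ("192.168.20.0/24", "192.168.100.0/24", "192.168.22.1")],
}


def next_hop(node, dst):
    """Longest-prefix match on node's table. Returns the next-hop IP, or None."""
    best = None
    for prefix, gw in ROUTES[node]:
        net = NET(prefix)
        if IP(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return dst if best[1] is None else best[1]   # connected: deliver to dst directly


def trace(src, dst, nat_state=None, snat=SNAT):
    """Walk one packet hop by hop.

    Returns (list of nodes traversed, source address the receiver sees).
    nat_state records translations so a reply packet can be un-NATed;
    pass the same dict for the reply to watch the real destination restored.
    """
    nat_state = {} if nat_state is None else nat_state
    node, path = OWNER[src], [OWNER[src]]
    for _ in range(16):                                  # TTL guard against loops
        if node == OWNER.get(dst):
            if (dst, src) in nat_state:                  # reply to a translated flow
                dst = nat_state.pop((dst, src))          # restore the real destination
            else:
                return path, src                         # delivered
        gw = next_hop(node, dst)
        if gw is None or gw not in OWNER:
            return path + ["unreachable"], None
        for snet, dnet, new_src in snat.get(node, []):   # outbound NAT as it leaves
            if IP(src) in NET(snet) and IP(dst) in NET(dnet):
                nat_state[(new_src, dst)] = src
                src = new_src
                break
        node = OWNER[gw]
        path.append(node)
    return path + ["loop"], None


if __name__ == "__main__":
    state = {}
    print(trace("192.168.3.20", "192.168.100.2", state))    # Server#2 sees 192.168.22.1
    print(trace("192.168.100.2", "192.168.22.1", state))    # reply lands on Server#1
    print(trace("192.168.20.5", "192.168.100.2"))           # OPT2 host: also 192.168.22.1
    print(trace("192.168.3.20", "192.168.100.2", snat={}))  # NAT off: real source shows
```

Running it with `snat={}` is the equivalent of Chris's "enable outbound NAT with no rules" suggestion: the same paths work and Server#2 then sees 192.168.3.20, which is what you want if Server#2's own access controls are supposed to distinguish hosts; the NAT entry buys the "appears to come from 192.168.22.1" requirement at the cost of that distinction.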