 From:  dave at rodrig dot com
 To:  "Christopher Iarocci" <iarocci at eastendsc dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] static route problem??
 Date:  Tue, 13 Jan 2004 01:19:09 -0500 (EST)
> I'm not sure, but I think I've come across a static route configuration
> problem.  I am trying to point a static route that goes from my Opt1
> interface, to my LAN interface.  My Opt1 interface is on a separate
> subnet than my LAN.  So, I set up a route that pertains to Opt1
> interface, along with the destination network, and the IP of my LAN
> interface as the gateway.  Now, I realize that this is not an entirely
> correct way to make a static route (the gateway should be another router
> connected to the m0n0wall), however, when I do a tracert to the
> destination, my LAN IP never comes up.  It times out right after the
> Opt1 interface.  Also, if I do a tracert to the network from a machine
> hooked to the LAN subnet, I get a double hop at the LAN interface.  I
> wouldn't expect that since the rule was entered to pertain to the Opt1
> interface, so I assumed it wouldn't affect the LAN interface at all.
> Also, when looking at the status.php page, the routing table shows xl0
> under the netif column.  xl0 is my LAN interface, while an0 is my Opt1
> interface.  Shouldn't it show an0 under netif?  Have I found a bug?
> BTW, I am running version pb23r570.
> Chris

Maybe it's just late, but I lost you about halfway through (I've read it
several times...)

At first it seems like you're trying to go into your LAN (from the DMZ),
then it seems as if you're talking about the other direction... a diagram
might help.

If you're talking about traffic originating in your LAN and destined for
the network off the OPT1 interface (which I'll refer to as your DMZ), then you
shouldn't need anything other than your default route, using the IP
address of your LAN interface. Once the FW receives packets destined for
that network, it knows what to do with them since it's a locally connected
network. Unless you've changed the default ruleset substantially, that
shouldn't be an issue either, as the LAN is allowed to go anywhere.

If you're talking about DMZ --> LAN traffic, then the routing issue is the
same, LAN is locally connected so the FW knows where to send them. FW
rules will need to allow this traffic. If the LAN you are referring to
*isn't* locally connected (say behind a router in your LAN), then you do,
in fact, need a static route on the FW itself, otherwise it'll try and
send these packets out the WAN interface (due to the default route).

If I'm missing something obvious here and I'm way off the mark, disregard
everything I just said...maybe I'll make more sense in the morning. :-)
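To make the route-selection argument above concrete, here is an added Python example that is not from this thread or from m0n0wall: a longest-prefix-match lookup over a constructed routing table with made-up addresses. It shows that a host on the directly connected LAN needs no static route, that a subnet behind a LAN-side router falls to the default route and leaves via the WAN unless a static route exists, and that for a gateway route the outgoing interface is derived from the connected network the gateway lives in (the BSD kernel's behaviour, and my assumption for why the table lists xl0 rather than an0).

```python
import ipaddress

# Constructed table modelled on the thread's setup (addresses are made up):
# LAN on xl0 and OPT1/DMZ on an0 are directly connected; WAN holds the default.
# Entry: (destination, gateway or None when directly connected, interface)
CONNECTED = [
    ("192.168.1.0/24", None, "xl0"),   # LAN
    ("192.168.2.0/24", None, "an0"),   # OPT1 / DMZ
    ("203.0.113.0/30", None, "wan0"),  # WAN link
]
DEFAULT = ("0.0.0.0/0", "203.0.113.1", None)  # default route via WAN gateway

def _match(routes, addr):
    """Longest-prefix match over routes; returns the winning tuple or None."""
    best = None
    for dest, gw, ifname in routes:
        net = ipaddress.ip_network(dest)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifname)
    return best

def lookup(routes, dst):
    """Resolve dst to (interface, next_hop).

    For a gateway route the interface is taken from the connected route that
    covers the gateway (as a BSD kernel resolves it), so netif reflects where
    the gateway lives, not which interface the route was entered under.
    """
    addr = ipaddress.ip_address(dst)
    best = _match(routes, addr)
    if best is None:
        return None
    net, gw, ifname = best
    if gw is None:
        return (ifname, dst)            # directly connected: deliver to host
    connected = [r for r in routes if r[1] is None]
    via = _match(connected, ipaddress.ip_address(gw))
    return (via[2] if via else ifname, gw)

def table(static=()):
    """Full table: connected routes, the default route, plus static routes."""
    return CONNECTED + [DEFAULT] + list(static)

# Static route for a subnet behind a router inside the LAN (constructed values)
BEHIND_LAN_ROUTER = ("10.10.0.0/24", "192.168.1.254", None)
```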