 From:  "Kristian Shaw" <monowall at wealdclose dot co dot uk>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Help with secondary addressing
 Date:  Sun, 12 Feb 2006 11:59:48 -0000
Hello,

Take a look at the hidden status.php page. I think that your traffic may be
being blocked by the anti-spoofing rules that are generated for each
interface.

Regards,

Kris.

----- Original Message ----- 
From: "Brandon Kahler" <bkahler at techline dot com>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Sunday, February 12, 2006 1:34 AM
Subject: [m0n0wall] Help with secondary addressing


> I need some assistance with getting secondary addressing and firewall rules
> playing nice together.
>
> I found in some previous mailing list messages the config lines for adding
> secondary addresses to an interface. These are the lines out of the config
> I'm working with.
>
> <shellcmd>ifconfig vlan0 alias 172.16.100.1/24</shellcmd>
> <shellcmd>ifconfig vlan1 alias 172.16.101.1/24</shellcmd>
> <shellcmd>ifconfig vlan2 alias 172.16.102.1/24</shellcmd>
> <shellcmd>ifconfig vlan3 alias 172.16.103.1/24</shellcmd>
> <shellcmd>ifconfig vlan4 alias 172.16.104.1/24</shellcmd>
> <shellcmd>ifconfig vlan5 alias 172.16.105.1/24</shellcmd>
> <shellcmd>ifconfig vlan6 alias 172.16.106.1/24</shellcmd>
> <shellcmd>ifconfig vlan7 alias 172.16.107.1/24</shellcmd>
> <shellcmd>ifconfig vlan8 alias 172.16.108.1/24</shellcmd>
> <shellcmd>ifconfig vlan9 alias 172.16.109.1/24</shellcmd>
> <shellcmd>ifconfig vlan10 alias 172.16.110.1/24</shellcmd>
>
> The site in question uses m0n0wall at their core simply as a router. We
> defined all their subnets (real IPs) to VLAN interfaces and created Any/Any
> rules for all interfaces.
> The site wanted to have secondary addressing available at each site for
> equipment such as printers, WAPs, network electronics, etc. that did not
> need real/valid IPs. I've used secondary addressing in this way at many
> locations with Cisco and Allied Telesyn gear without an issue.
>
> I used the config statements above to create the secondary addressing and I
> could in fact ping every one of those .1 addresses. So I "assumed"
> everything worked fine. Come to find out this is not the case. Even though
> there are firewall rules for Any/Any on every single interface the firewall
> blocks traffic coming from the secondary ranges.
>
> A client from any VLAN can ping a host (example: 172.16.100.10 on VLAN0)
> just fine and get 100% responses. That very client (172.16.100.10) cannot
> ping its gateway, nor any other host outside its own subnet. The firewall
> log shows every packet coming from .10 as denied.
>
> What gives?  Is there a way to just turn the firewall component off
> entirely, rather than simply Any/Any rules everywhere?  Why would m0n0wall
> block traffic coming from the alias subnets?
>
> Thanks,
> Brandon Kahler
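Added illustration, not part of either message and not m0n0wall's own rule generator: a small Python model of the per-interface anti-spoofing check Kris points to, showing why a host in an alias subnet added out of band with ifconfig is dropped while a host in the interface's configured subnet passes. The "real" primary subnets are constructed placeholders from the documentation ranges, since the thread does not give them; the alias subnets are the ones from the shellcmd lines.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology. The site's real primary subnets are not given
# in the thread, so documentation-range placeholders stand in for them; the
# alias subnets are the ones from the shellcmd lines above.
PRIMARY = {
    "vlan0": "192.0.2.0/24",      # placeholder, not the real site subnet
    "vlan1": "198.51.100.0/24",   # placeholder, not the real site subnet
}
ALIASES = {
    "vlan0": ["172.16.100.0/24"],
    "vlan1": ["172.16.101.0/24"],
}


def antispoof_permits(iface, src, attached):
    """Model of a per-interface anti-spoofing rule: a packet arriving on
    `iface` reaches the normal rule set only if its source lies in a subnet
    the firewall believes is attached to that interface.
    `attached` maps interface name -> list of subnet strings."""
    addr = ip_address(src)
    return any(addr in ip_network(net) for net in attached.get(iface, []))


def primary_only():
    """What generated rules know when aliases are added out of band via
    ifconfig: only the subnet configured on each interface."""
    return {iface: [net] for iface, net in PRIMARY.items()}


def with_aliases():
    """Alias-aware view: each interface's alias subnets count as attached."""
    return {iface: [net] + ALIASES.get(iface, []) for iface, net in PRIMARY.items()}


def outcome(iface, src):
    """Return (primary_only_passes, alias_aware_passes) for one packet."""
    return (antispoof_permits(iface, src, primary_only()),
            antispoof_permits(iface, src, with_aliases()))


if __name__ == "__main__":
    samples = [("vlan0", "172.16.100.10"),   # alias host: the failure in the thread
               ("vlan0", "192.0.2.10"),      # primary-subnet host
               ("vlan0", "172.16.101.10")]   # vlan1's alias range arriving on vlan0
    for iface, src in samples:
        before, after = outcome(iface, src)
        print(f"{src:>15} on {iface}: primary-only={'pass' if before else 'DROP'} "
              f"alias-aware={'pass' if after else 'DROP'}")
```

The third sample shows that an alias-aware check still drops a vlan1 address arriving on vlan0, so the anti-spoofing protection is kept rather than switched off entirely.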