Take a look at the hidden status.php page. I think that your traffic may be
being blocked by the anti-spoofing rules that are generated for each
----- Original Message -----
From: "Brandon Kahler" <bkahler at techline dot com>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Sunday, February 12, 2006 1:34 AM
Subject: [m0n0wall] Help with secondary addressing
>I need some assistance with getting secondary addressing and firewall rules
> playing nice together.
> I found in some previous mailing list messages the config lines for adding
> secondary addresses to an interface. These are the lines out of the
> I'm working with.
> <shellcmd>ifconfig vlan0 alias 172.16.100.1/24</shellcmd>
> <shellcmd>ifconfig vlan1 alias 172.16.101.1/24</shellcmd>
> <shellcmd>ifconfig vlan2 alias 172.16.102.1/24</shellcmd>
> <shellcmd>ifconfig vlan3 alias 172.16.103.1/24</shellcmd>
> <shellcmd>ifconfig vlan4 alias 172.16.104.1/24</shellcmd>
> <shellcmd>ifconfig vlan5 alias 172.16.105.1/24</shellcmd>
> <shellcmd>ifconfig vlan6 alias 172.16.106.1/24</shellcmd>
> <shellcmd>ifconfig vlan7 alias 172.16.107.1/24</shellcmd>
> <shellcmd>ifconfig vlan8 alias 172.16.108.1/24</shellcmd>
> <shellcmd>ifconfig vlan9 alias 172.16.109.1/24</shellcmd>
> <shellcmd>ifconfig vlan10 alias 172.16.110.1/24</shellcmd>
> The site in question uses m0n0wall at their core simply as a router. We
> defined all their subnets (real IPs) to VLAN interfaces and created
> rules for all interfaces.
> The site wanted to have secondary addressing available at each site for
> equipment such as printers, WAPs, network electronics, etc.. that did not
> need real/valid IPs. I've used secondary addressing in this way at many
> locations with Cisco and Allied Telesyn gear without an issue.
> I used the config statements above to create the secondary addressing and
> could in fact ping every one of those .1 addresses. So I "assumed"
> everything worked fine. Come to find out this is not the case. Even
> there are firewall rules for Any/Any on every single interface the
> blocks traffic coming from the secondary ranges.
> A client from any VLAN can ping a host (example: 172.16.100.10 on VLAN0)
> just fine and get 100% responses. That very client (172.16.100.10) cannot
> ping its gateway, nor any other host outside it's own subnet. The
> log shows every packet coming from .10 as denied.
> What gives? Is there a way to just turn the firewall component off
> entirely, rather than simply Any/Any rules everywhere? Why would m0n0wall
> block traffic coming from the alias subnets?
> Brandon Kahler
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch