 From:  "Brandon Kahler" <bkahler at techline dot com>
 To:  "Kristian Shaw" <monowall at wealdclose dot co dot uk>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Help with secondary addressing
 Date:  Sun, 12 Feb 2006 15:40:57 -0800
First, I didn't know that status.php page existed.  Thanks!

Second, the config has been rolled back to not include any alias addresses
so I won't be able to test for a few days.  There is one interface (not
alias) currently using a 172.16.1.x range and the WAN even uses a 10.0.0.x
range (peering interface).  Both of these interfaces work fine.
I remembered we also tried adding a valid range (real IPs) as alias address
space and it was also blocked by the firewall outbound.

Brandon,

-----Original Message-----
From: Kristian Shaw [mailto:monowall at wealdclose dot co dot uk]
Sent: Sunday, February 12, 2006 4:00 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Help with secondary addressing


Hello,

Take a look at the hidden status.php page. I think that your traffic may be
being blocked by the anti-spoofing rules that are generated for each
interface.

Regards,

Kris.

----- Original Message -----
From: "Brandon Kahler" <bkahler at techline dot com>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Sunday, February 12, 2006 1:34 AM
Subject: [m0n0wall] Help with secondary addressing


> I need some assistance with getting secondary addressing and firewall rules
> playing nice together.
>
> I found in some previous mailing list messages the config lines for adding
> secondary addresses to an interface.  These are the lines out of the config
> I'm working with.
>
> <shellcmd>ifconfig vlan0 alias 172.16.100.1/24</shellcmd>
> <shellcmd>ifconfig vlan1 alias 172.16.101.1/24</shellcmd>
> <shellcmd>ifconfig vlan2 alias 172.16.102.1/24</shellcmd>
> <shellcmd>ifconfig vlan3 alias 172.16.103.1/24</shellcmd>
> <shellcmd>ifconfig vlan4 alias 172.16.104.1/24</shellcmd>
> <shellcmd>ifconfig vlan5 alias 172.16.105.1/24</shellcmd>
> <shellcmd>ifconfig vlan6 alias 172.16.106.1/24</shellcmd>
> <shellcmd>ifconfig vlan7 alias 172.16.107.1/24</shellcmd>
> <shellcmd>ifconfig vlan8 alias 172.16.108.1/24</shellcmd>
> <shellcmd>ifconfig vlan9 alias 172.16.109.1/24</shellcmd>
> <shellcmd>ifconfig vlan10 alias 172.16.110.1/24</shellcmd>
>
> The site in question uses m0n0wall at their core simply as a router.  We
> defined all their subnets (real IPs) to VLAN interfaces and created Any/Any
> rules for all interfaces.
> The site wanted to have secondary addressing available at each site for
> equipment such as printers, WAPs, network electronics, etc.. that did not
> need real/valid IPs.  I've used secondary addressing in this way at many
> locations with Cisco and Allied Telesyn gear without an issue.
>
> I used the config statements above to create the secondary addressing and I
> could in fact ping every one of those .1 addresses.  So I "assumed"
> everything worked fine.  Come to find out this is not the case.  Even though
> there are firewall rules for Any/Any on every single interface, the firewall
> blocks traffic coming from the secondary ranges.
>
> A client from any VLAN can ping a host (example: 172.16.100.10 on VLAN0)
> just fine and get 100% responses.  That very client (172.16.100.10) cannot
> ping its gateway, nor any other host outside its own subnet.  The firewall
> log shows every packet coming from .10 as denied.
>
> What gives?  Is there a way to just turn the firewall component off
> entirely, rather than simply Any/Any rules everywhere?  Why would m0n0wall
> block traffic coming from the alias subnets?
>
> Thanks,
> Brandon Kahler
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
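The behaviour Kristian points at, modelled in code. This is an added example written for this page, not m0n0wall's rule generator and not its ipfilter syntax: it assumes that each interface gets an anti-spoofing rule that drops inbound packets whose source address is outside the subnets the firewall knows to be on that interface, that this rule is checked before the user's Any/Any rules, and that subnets added only through `<shellcmd>ifconfig ... alias` lines are unknown to the generator. The primary subnets (192.0.2.0/24, 198.51.100.0/24) are hypothetical placeholders for the site's real ranges, which the thread does not give; the `<shellcmd>` sample is constructed from the lines in the original post.

```python
"""Model of per-interface anti-spoofing filtering (illustrative, not m0n0wall code).

Assumption modelled here: for every interface the firewall generates a rule
that drops inbound packets whose source is not inside a subnet it knows to be
on that interface, and that rule is evaluated before the user's Any/Any rules.
Alias ranges added via <shellcmd> are not known to the generator, so hosts in
those ranges are dropped even though Any/Any rules exist.
"""
import ipaddress
import re

# Constructed sample: subnets the firewall learned from the interface config.
# Hypothetical documentation-range addresses; the thread does not give the real ones.
PRIMARY = {
    "vlan0": ["192.0.2.0/24"],
    "vlan1": ["198.51.100.0/24"],
}

# Constructed sample: two of the <shellcmd> alias lines from the original post.
SHELLCMD_CONFIG = """
<shellcmd>ifconfig vlan0 alias 172.16.100.1/24</shellcmd>
<shellcmd>ifconfig vlan1 alias 172.16.101.1/24</shellcmd>
"""

_ALIAS_RE = re.compile(r"<shellcmd>ifconfig\s+(\S+)\s+alias\s+([^\s<]+)</shellcmd>")


def parse_aliases(config):
    """Return {ifname: ["net/prefix", ...]} for every 'ifconfig <if> alias' shellcmd line."""
    aliases = {}
    for ifname, cidr in _ALIAS_RE.findall(config):
        # strict=False maps the host address 172.16.100.1/24 to its network 172.16.100.0/24.
        net = ipaddress.ip_network(cidr, strict=False)
        aliases.setdefault(ifname, []).append(str(net))
    return aliases


def build_antispoof_rules(known_subnets):
    """One anti-spoof rule per interface: the set of source networks allowed inbound on it."""
    return {
        ifname: [ipaddress.ip_network(n) for n in nets]
        for ifname, nets in known_subnets.items()
    }


def filter_packet(rules, ifname, src):
    """Return 'block' or 'pass' for a packet arriving on ifname with source src.

    In this model the anti-spoof check runs first; only sources that survive it
    reach the user's Any/Any rules, which then pass everything.
    """
    src_ip = ipaddress.ip_address(src)
    if not any(src_ip in net for net in rules.get(ifname, [])):
        return "block"
    return "pass"


def merge(primary, aliases):
    """Known subnets plus the alias ranges: what the generator would have to see to pass them."""
    merged = {ifname: list(nets) for ifname, nets in primary.items()}
    for ifname, nets in aliases.items():
        merged.setdefault(ifname, []).extend(nets)
    return merged


if __name__ == "__main__":
    rules_primary_only = build_antispoof_rules(PRIMARY)
    rules_with_aliases = build_antispoof_rules(merge(PRIMARY, parse_aliases(SHELLCMD_CONFIG)))
    for src in ("192.0.2.10", "172.16.100.10"):
        print(
            f"vlan0 from {src}: primary-only={filter_packet(rules_primary_only, 'vlan0', src)}, "
            f"aliases-known={filter_packet(rules_with_aliases, 'vlan0', src)}"
        )
```

Under this model the host 172.16.100.10 on vlan0 is dropped while the interface's primary-subnet hosts pass, which matches the "every packet from .10 denied" log entries in the original post; a source in an alias range is only passed once that range is part of the subnets the anti-spoof rule for its interface allows, and it is still dropped if it shows up on a different interface.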