 
 From:  "Miguel Dilaj" <nekromancer at lycos dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Problem with public IP address in internal network
 Date:  Mon, 13 Feb 2006 18:31:54 -0500
Hi Mark,

Thanks for your answer.

Currently I have 2 Proxy ARP entries; ProxyARP1, mentioned below, maps 10.10.53.251 (public!) to one
system in the private1 network (192.168.5.10). The other entry is similar, but it's even on a totally
different port, so I'm sure we can forget about it.

Tried your suggestion, adding a Proxy ARP entry for 10.10.57.100 on the WAN interface. It didn't work.
So I also tried 10.10.57.0/24, with the same results...

Take into account that the "mysterious system" on 10.10.57.100 has a public IP address, and my ISP
is routing that to me via the m0n0wall external interface (10.10.53.250). So I'm not sure of the
role of using Proxy ARP as you suggested.

Did some extra testing in the meantime (without your suggestion).
I can reach the public server on 10.10.57.100 without any tricks, EXCEPT on port 443. Port 443 is
magically sent to the server on 192.168.5.10.
It feels like there's some golden rule saying "any traffic to port 443, no matter the destination IP
address, has to go to the private server" :P

Any other suggestion(s)??
TIA!

Nekromancer



> ----- Original Message -----
> From: "Mark Wass" <mark at market dash analyst dot com>
> To: "Miguel Dilaj" <nekromancer at lycos dot com>
> Subject: Re: [m0n0wall] Problem with public IP address in internal network
> Date: Tue, 14 Feb 2006 09:10:12 +1000
> 
> 
> What do you have in your Proxy ARP settings?
> 
> I have a similar setup and I had to add the DMZ subnet to the Proxy 
> ARP settings in m0n0.
> 
> So in your case, if you have not already done so, try adding 
> 10.10.57.0/24 to the Proxy ARP settings. The interface will be DMZ.
> 
> Hope this helps :-)
> 
> Mark
> 
> Miguel Dilaj wrote:
> 
> > Hi all,
> >
> > New list member here. Tried to find an answer to my problem (even 
> > Googled for "public IP address" in m0n0.ch!) but I was too stupid 
> > to find an answer :(
> >
> > DISCLAIMER: for the purpose of my explanation, please assume 
> > 10.10.x.x networks are PUBLIC, and 192.168.y.y are private. 
> > Thanks!!
> >
> > My setup is (more or less) as follows:
> >
> >               Internet
> >                   |
> >                   | Real IP: 10.10.53.250
> >                   | ProxyARP1: 10.10.53.251
> >               ---------
> >               | m0n0  |
> >               ---------
> >                |  |  |
> > PublicDMZ      |  |  |
> > 10.10.57.0/24 -|  |  |- private1/24
> >                   |      192.168.5.0/24
> >                   |
> >                  LAN
> >             private2/24
> >
> > Both public networks, 10.10.53.0/24 and 10.10.57.0/24 are routed 
> > to me by the ISP.
> >
> > The real IP and ProxyARP1 BOTH forward port 443 to 2 servers in 
> > the private1 network. Let's call them 192.168.5.10 and 
> > 192.168.5.20.
> > That's working OK.
> >
> > However, I have a server with a routable IP address in the 
> > PublicDMZ network (10.10.57.100), also with port 443 open.
> > There is a rule allowing traffic TO 10.10.57.100:443.
> >
> > However, it doesn't work, so I did some sniffing both at the 
> > server side and at the client side (the client was my laptop on 
> > the Internet).
> >
> > The client reports connecting to the CORRECT IP address in PublicDMZ 
> > (10.10.57.200), port 443, and the server properly closing the 
> > connection.
> > The server never receives any packet.
> >
> > When I spotted that result, I started questioning my sanity... so 
> > I investigated further, and found that the packets addressed to 
> > the server in PublicDMZ (10.10.57.200) mysteriously go to the 
> > server in the private1 network: 192.168.5.10 (the one "behind" 
> > the real IP of the m0n0wall). The fact that the connection was 
> > closed was due to the nature of that server, nothing to do with 
> > the firewall.
> >
> > So my question is: How is it that packets addressed to a machine 
> > end in another machine, and the sniffer at the client tells me 
> > that they arrived at the correct machine?????
> >
> > What's wrong?
> >
> > TIA!
> >
> > Nekromancer
> >
> >
> >
> >
> >

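Added example, not from the thread and not m0n0wall's own code: a small first-match simulation of inbound port-forward rules (in the style of the IPFilter "rdr" rules m0n0wall generates) that reproduces the "every port 443 goes to the private server" symptom Miguel describes. It assumes, as a hypothesis the thread does not confirm, that one of the two 443 forwards has its destination left as "any" instead of the WAN address 10.10.53.250; the rule names and the OVERBROAD/SCOPED sets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RdrRule:
    """One inbound port forward, evaluated in order, first match wins."""
    name: str
    dst_net: str    # destination the rule applies to; "0.0.0.0/0" means any address
    dst_port: int
    target: str     # internal host the packet is rewritten to


def match(rules, dst_ip, dst_port):
    """Return (rule name, target) for the first rule matching the packet, or None."""
    addr = ip_address(dst_ip)
    for r in rules:
        if dst_port == r.dst_port and addr in ip_network(r.dst_net, strict=False):
            return r.name, r.target
    return None


def audit(rules):
    """Names of rules whose destination is wider than one host: on a WAN interface
    that also carries a routed subnet (10.10.57.0/24 here) they capture that subnet too."""
    return [r.name for r in rules if ip_network(r.dst_net, strict=False).num_addresses > 1]


# Constructed rule sets. Addresses are the thread's; the rules themselves are assumed.
OVERBROAD = [
    RdrRule("real-ip 443", "0.0.0.0/0", 443, "192.168.5.10"),        # destination left as "any"
    RdrRule("proxyarp1 443", "10.10.53.251/32", 443, "192.168.5.20"),
]
SCOPED = [
    RdrRule("real-ip 443", "10.10.53.250/32", 443, "192.168.5.10"),  # pinned to the WAN address
    RdrRule("proxyarp1 443", "10.10.53.251/32", 443, "192.168.5.20"),
]

if __name__ == "__main__":
    # Traffic for the PublicDMZ host: stolen by the over-broad rule, passed through by the scoped one.
    print("overbroad:", match(OVERBROAD, "10.10.57.100", 443))
    print("scoped:   ", match(SCOPED, "10.10.57.100", 443))
    print("suspect rules:", audit(OVERBROAD))
```

Running `audit()` over the real rule set is the check to make: any 443 forward it flags will match the routed 10.10.57.0/24 traffic before the plain pass rule for 10.10.57.100:443 is ever considered.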