 
 From:  "ciaran dot montgomery at ntlworld dot com" <ciaran dot montgomery at ntlworld dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  [m0n0wall] Problem with Remote Desktop
 Date:  Tue, 14 Feb 2006 05:23:02 -0500
Hi,

I have been having a serious problem with M0n0 forwarding RDP (TCP 3389)
packets to a LAN client. Even though I specifically create a rule to allow
it, the m0n0 still blocks packets. Can someone give me the exact rule that
they are currently using so that I can try to replicate this? It has been
doing my brain in.

Also, I want to set up the firewall to only allow specific ports through the
m0n0, both on the internal and external side. I have around 40 PCs, and
daily traffic would be about 1Gb of general web traffic plus about 7000
emails. Can anyone help me guess the hardware requirements? I was aiming at
using an AMD Athlon XP 1.2GHz with 256Mb RAM and some sort of compact flash
card; should this be sufficient?

Thanks,

Ciaran


Original Message:
-----------------
From: Miguel Dilaj nekromancer at lycos dot com
Date: Tue, 14 Feb 2006 04:30:49 -0500
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Problem with public IP address in internal network


Thanks for your answer and the document Jonathan.

Regrettably, this is more or less what I have at the moment. The only
difference is that instead of being too permissive, allowing all traffic
to/from OPT1, I'm allowing traffic to port 443 of a single server (outgoing
traffic is a bit more permissive).

I'm NAT'ing the private network, and I'm using "advanced outbound NAT".

My problem smells like a bug, but I just want to check IF I misconfigured
something...

Packets for "IP1:443", that's the server in the routable network at OPT1,
end in "IP2:443", that's a NAT'ed server in the private network at OPT2
(that is seen externally as port 443 on the m0n0wall WAN interface).
M0n0wall is sending the traffic there for some reason not explained by the
rules...
I can reach other ports, for example 80, of the server at IP1 without
problems.

Cheers,

Nekromancer



> ----- Original Message -----
> From: "Jonathan Karras" <jkarras at karras dot net>
> To: "Miguel Dilaj" <nekromancer at lycos dot com>
> Subject: Re: [m0n0wall] Problem with public IP address in internal network
> Date: Mon, 13 Feb 2006 20:36:55 -0700
> 
> 
> I think you may need to go in and create your own NAT rules.
> 
> Attached is a PDF explaining what to do. Mind you this has not been
> tested by me yet. But should work let me know if this helps. After I get
>   it tested and have some time off school I would like to move it to the
> M0n0wall wiki.
> 
> Jonathan
> 
> Miguel Dilaj wrote:
> > Hi Mark,
> >
> > Thanks for your answer.
> >
> > Currently I've 2 ProxyARP entries. ProxyARP1 mentioned below 
> > maps 10.10.53.251 (public!) to one system in the private1 network 
> > (192.168.5.10). The other entry is similar, but it's even a 
> > totally different port, so I'm sure we can forget about it.
> >
> > Tried your suggestion, adding a ProxyARP entry for 10.10.57.100 
> > in the WAN interface. Didn't work.
> > So I also tried 10.10.57.0/24, with the same results...
> >
> > Take into account that the "mysterious system" on 10.10.57.100 
> > has a public IP address, and my ISP is routing that to me via the 
> > m0n0wall external interface (10.10.53.250). So I'm not sure of 
> > the role of using Proxy ARP as you suggested.
> >
> > Did some extra testing in the meantime (without your suggestion).
> > I can reach the public server on 10.10.57.100 without any tricks, 
> > EXCEPT on port 443. Port 443 is magically sent to the server on 
> > 192.168.5.10
> > It feels like there's some golden rule saying "any traffic to 
> > port 443, no matter the destination IP address, has to go to the 
> > private server" :P
> >
> > Any other suggestion(s)??
> > TIA!
> >
> > Nekromancer
> >
> >
> >
> >
> >> ----- Original Message -----
> >> From: "Mark Wass" <mark at market dash analyst dot com>
> >> To: "Miguel Dilaj" <nekromancer at lycos dot com>
> >> Subject: Re: [m0n0wall] Problem with public IP address in internal network
> >> Date: Tue, 14 Feb 2006 09:10:12 +1000
> >>
> >>
> >> What do you have in your Proxy ARP settings?
> >>
> >> I have a similar setup and I had to add the DMZ subnet to the 
> >> Proxy Arp settings in m0n0.
> >>
> >> So in your case if you have not already done so try adding 
> >> 10.10.57.0/24 to the Proxy Arp settings. The interface will be 
> >> DMZ
> >>
> >> Hope this helps :-)
> >>
> >> Mark
> >>
> >> Miguel Dilaj wrote:
> >>
> >>
> >>> Hi all,
> >>>
> >>> New list member here. Tried to find an answer to my problem 
> >>> (even Google for "public IP address" in m0n0.ch!) but I was too 
> >>> stupid to find an answer :(
> >>>
> >>> DISCLAIMER: for the purpose of my explanation, please assume 
> >>> 10.10.x.x networks are PUBLIC, and 192.168.y.y are private. 
> >>> Thanks!!
> >>>
> >>> My setup is (more or less) as follows:
> >>>
> >>>              Internet
> >>>                  |
> >>>                  | Real IP: 10.10.53.250
> >>>                  | ProxyARP1: 10.10.53.251
> >>>              ---------
> >>>              | m0n0  |
> >>>              ---------
> >>>               |  |  |
> >>> PublicDMZ      |  |  |
> >>> 10.10.57.0/24 -|  |  |- private1/24
> >>>                  |      192.168.5.0/24
> >>>                  |
> >>>                 LAN
> >>>            private2/24
> >>>
> >>> Both public networks, 10.10.53.0/24 and 10.10.57.0/24 are 
> >>> routed to me by the ISP.
> >>>
> >>> The real IP and ProxyARP1 BOTH forward port 443 to 2 servers in 
> >>> the private1 network. Let's call them 192.168.5.10 and 
> >>> 192.168.5.20.
> >>> That's working OK.
> >>>
> >>> However, I've a server with a routable IP address in the 
> >>> PublicDMZ network (10.10.57.100), also with port 443 open.
> >>> There is a rule allowing traffic TO 10.10.57.100:443.
> >>>
> >>> However, it doesn't work, so I did some sniffing both at the 
> >>> server side and at the client side (the client was my laptop on 
> >>> the Internet).
> >>>
> >>> The client reports connecting to the CORRECT IP address in 
> >>> PublicDMZ (10.10.57.200), port 443, and the server properly 
> >>> closing the connection.
> >>> The server never receives any packet.
> >>>
> >>> When I spotted that result, I started questioning my sanity... 
> >>> so I investigated further, and found that the packets addressed 
> >>> to the server in PublicDMZ (10.10.57.200) mysteriously go to 
> >>> the server in the private1 network: 192.168.5.10 (the one 
> >>> "behind" the real IP of the m0n0wall). The fact that the 
> >>> connection was closed was due to the nature of that server, 
> >>> nothing to do with the firewall.
> >>>
> >>> So my question is: How is it that packets addressed to one 
> >>> machine end up at another machine, and the sniffer at the client 
> >>> tells me that they arrived at the correct machine?????
> >>>
> >>> What's wrong?
> >>>
> >>> TIA!
> >>>
> >>> Nekromancer
> >>>
> >>>
> >>>
> >>>
> >>>
> >
> >
> >
> >
> << m0n0route.pdf >>
> << signature.asc >>


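The misrouting Nekromancer describes (every port-443 packet ending up at 192.168.5.10, whatever public address it was sent to) is exactly what an inbound port forward whose destination is left as "any" produces. The Python model below is added here and is not part of this thread or of m0n0wall itself: it uses the addresses from the thread, puts a rule scoped to 0.0.0.0/0 beside rules scoped to the firewall's own WAN and ProxyARP addresses, and adds a check that flags the broad form; the rule representation and function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rdr:
    """Inbound port-forward rule: packets arriving on iface for dst:dport are rewritten to target."""
    iface: str
    dst: str      # destination network the rule matches, e.g. "10.10.53.250/32" or "0.0.0.0/0"
    dport: int
    target: str   # private host the packet is redirected to


# Addresses the firewall itself answers for on WAN: the real IP and the ProxyARP VIP from the thread.
WAN_OWN = frozenset({"10.10.53.250", "10.10.53.251"})

# Constructed rule sets. BROAD models the "any traffic to port 443" behaviour seen in the thread;
# SCOPED names exactly the addresses the firewall owns, one rule per forwarded server.
BROAD = [Rdr("WAN", "0.0.0.0/0", 443, "192.168.5.10")]
SCOPED = [Rdr("WAN", "10.10.53.250/32", 443, "192.168.5.10"),
          Rdr("WAN", "10.10.53.251/32", 443, "192.168.5.20")]


def apply_rdr(rules, dst_ip, dport, iface="WAN"):
    """Return the redirect target for a packet, or None when no rule matches
    (the packet is then routed unchanged, e.g. on to the public DMZ)."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.iface == iface and r.dport == dport and ip in ipaddress.ip_network(r.dst):
            return r.target
    return None


def overly_broad(rules, own_addrs=WAN_OWN):
    """Flag rules whose destination is not a single address the firewall owns; such a rule
    also captures traffic that is merely routed through the box to another public subnet."""
    flagged = []
    for r in rules:
        net = ipaddress.ip_network(r.dst)
        if net.prefixlen != 32 or str(net.network_address) not in own_addrs:
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    for name, rules in (("broad", BROAD), ("scoped", SCOPED)):
        hit = apply_rdr(rules, "10.10.57.100", 443) or "routed unchanged"
        print(name, "10.10.57.100:443 ->", hit, "| flagged:", [r.dst for r in overly_broad(rules)])
```

With the broad rule the DMZ host's port 443 is captured and redirected, with the scoped rules it is routed through untouched while other ports were never affected either way.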
