[ previous ] [ next ] [ threads ]
 From:  "Miguel Dilaj" <nekromancer at lycos dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Problem with public IP address in internal network
 Date:  Sat, 18 Feb 2006 14:08:28 -0500
Dear Sai,

Thanks for your answer and the reference, but I already read that before.
In the mean time, I solved the issue, but it's still not clear WHY m0n0wall behave that way, so I'll
post my results here and will leave to the m0n0wall people to decide if it was a bug or I'm simply
too stupid to understand the instructions ;-)

My setup consisted of the m0n0wall, a DMZ with public (routeable) IP addresses, a second DMZ with
private IP addresses, and the LAN (actually is a bit more complex than that, but it doesn't matter
for the current issue...)

The external m0n0wall interface has an IP address in a subnet different to the routeable DMZ, let's
call it IP1, and also has a proxy ARP entry, let's call it IP1_1.

I have 2 systems in the private DMZ that require port 443 to be reachable from the Internet (let's
call those IP2 and IP3), so I implemented inbound NAT on IP1:443 and IP1_1:443 pointing to these 2
systems. That worked like a charm.

But then I needed a server in the public DMZ to be reachable on ports 80 and 443. Let's call it IP4.
I ASSUMED that because that network was routeable, only the firewall rules allowing the traffic were

IP1 - external IP of the m0n0wall
IP1_1 - a proxy ARP on the extenal interface of the m0n0wall
IP2, IP3 - systems in the private DMZ
IP4 - a system in the routeable DMZ

When packets arrived to IP1:443 they ended in IP2:443, that was correct.
When packets arrived to IP1_1:443 they ended in IP3:443, that was correct.
When packets arrived to the m0n0wall with a destination of IP4:80 they ended in IP4:80, that was
also correct.
When packets arrived to the m0n0wall with a destination of IP4:443 they ended in IP2:443, and IMHO
this is definitely wrong...
The m0n0wall behaved as if ANY packet with destination port 443, no matter the destination IP
address, should end in the NATed system behind IP1:443.

Solution? Quite simple, I created another proxy ARP entry, IP1_2, and NATed IP2 behind it, thus not
NATing ANYTHING behind IP1 on ANY port.
Now packets with a destination of IP4:443 properly end in the IP4 system...

It definitely looks strange to me, and it's not the behaviour I should expect from pure logic, but
again it can be that this is discussed somewhere and I just missed the point.

Thanks for all the help so far.


> ----- Original Message -----
> From: sai <sonicsai at gmail dot com>
> To: "Miguel Dilaj" <nekromancer at lycos dot com>
> Subject: Re: [m0n0wall] Problem with public IP address in internal network
> Date: Fri, 17 Feb 2006 10:47:15 +0500
> On 2/14/06, Miguel Dilaj <nekromancer at lycos dot com> wrote:
> > Thanks for your answer and the document Jonathan.
> >
> > Regretably, this is more or less what I have at the moment. The 
> > only difference is that instead of being too permisive allowing 
> > all traffic to/from OPT1, I'm allowing traffic to port 443 of a 
> > single server (outgoing traffic is a bit more permissive).
> >
> > I'm NAT'ing the private network, and I'm using "advanced outbound NAT".
> >
> Take a look at http://doc.m0n0.ch/handbook/examples.html
> "14.1. Configuring a DMZ Interface Using NAT" is probably what you are
> looking for. I think that you will mess things up if you use "advanced
> outbound NAT".
> sai



Search for businesses by name, location, or phone number.  -Lycos Yellow Pages