 From:  Włodzimierz Frączek <wlodek at widar dot lublin dot pl>
 To:  <waa dash m0n0wall at revpol dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Can't ping
 Date:  Fri, 24 Feb 2006 17:12:53 +0100
> Włodzimierz Frączek wrote:
>>
>>> Włodzimierz Frączek wrote:
>>>
>>>> Hello
>>>>
>>>> I try to use m0n0wall ver. 1.21 but have trouble at the beginning.
>>>> My first m0n0 NIC ( LAN ) - 192.168.0.20
>>>> I create VLAN ( parent interface - LAN ) and give address 10.0.0.20 (
>>>> OPT1 )
>>>> Next I link my PC ( my address 192.168.0.100 ) to LAN
>>>> I can of course ping the LAN and, after adding a trace to the routing
>>>> table in my Windows, OPT1 too.
>>>> But if I change my PC address to 10.0.0.100, for example, I can't ping
>>>> anywhere ( OPT1, LAN ).
>>>> Please explain to me why?
>>>>
>>>> WF
>>>>
>>>
>>> Basic reason is that your PC has not been configured to understand/work
>>> with 802.1q (VLANs).
>>>
>>> Your m0n0wall's VLAN interface, listening on 10.0.0.20, will only
>>> respond to packets that are tagged with 802.1q information for the VLAN
>>> you have configured. Your computer is sending NON-802.1q tagged ethernet
>>> frames, and as such your m0n0wall is seeing them on its LAN interface,
>>> and is probably dropping them, or just allowing them to pass (default
>>> m0n0wall LAN rule is to allow all)
>>
>>
>> ----------------
>> As I wrote, I can ping the VLAN interface ( OPT1 ) under some circumstances:
>> 1. My PC address : 192.168.0.100
>> 2. My route table entry :
>>   route add 10.0.0.0 mask 255.255.255.0 192.168.0.20
>> I understand that in this case my PC sends packets without an 802.1q frame
>> and nevertheless the VLAN interface answers me.
>
> That is correct - Since your PC is connected to m0n0wall's LAN interface
> and is on the same subnet as m0n0wall's LAN IP address is, m0n0wall's
> DEFAULT LAN rule "Allow any to any" allows your ICMP request into its
> LAN interface and then forwards it to its IP address of its VLAN
> interface on the 10.0.0.0/24 network.
>
> In other words, m0n0wall is allowing and then forwarding your ICMP
> requests. That is why it works.
>
>
>> By the way, if I change one of my NIC card's ( INTEL PRO/100 VE )
>> properties ( QoS packet tagging ) I still have the same problem.
>> --------------------
>
>
> In this case I am guessing that you probably have not created any rules
> on the VLAN interface. So even if your PC is now properly tagging
> packets for the correct VLAN that your m0n0wall has configured, no rule
> has been added to allow that packet to pass and they will be dropped.
>
> Click on RULES, then select the VLAN tab and add a rule to allow traffic
> from the VLAN subnet.

-----------------
According to the instructions I added one rule to the OPT1 interface but
nothing changed.
I expanded my system by adding an 802.1q-compatible switch, created a VLAN
( for example ID 10 ), and marked the 1st port as tagged and the 2nd as untagged.
Next I connected my PC to the 2nd port and the m0n0 LAN to the 1st port.
And now I can't ping either the LAN or the VLAN.
I think that now I understand that system less.
Tell me please - in that new configuration - should I see both the LAN and
VLAN subnets from my PC?
Maybe I have the wrong NIC in my m0n0 ( detected as xl - 3com 905b )?

Regards
WF
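
Added example, not part of the original thread and not m0n0wall's code: a Python sketch of how a receiver chooses between a parent interface and an 802.1Q VLAN interface, which is the behaviour the quoted reply describes. It assumes OPT1 was created with VLAN tag 10 (the switch VLAN ID mentioned in the message) and that the switch's untagged port has port VLAN ID 10; the MAC addresses and payload are constructed, and the handling of VID 0 is a simplification.

```python
import struct

TPID_8021Q = 0x8100           # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
PARENT_IFACE = "LAN"          # interface names taken from the thread
VLAN_TO_IFACE = {10: "OPT1"}  # assumption: OPT1 was created with VLAN tag 10

def build_frame(dst, src, payload, vid=None, pcp=0):
    """Build an Ethernet II frame; add an 802.1Q tag when vid is given."""
    header = dst + src
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload

def parse_tag(frame):
    """Return (vid, pcp) for a tagged frame, None for an untagged one."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF, tci >> 13

def receiving_interface(frame):
    """Name the interface that sees the frame; None means no VLAN matches."""
    tag = parse_tag(frame)
    if tag is None or tag[0] == 0:
        # VID 0 carries priority only and names no VLAN (simplified here
        # to "handled like an untagged frame").
        return PARENT_IFACE
    return VLAN_TO_IFACE.get(tag[0])

def access_port_ingress(frame, pvid):
    """Model a switch's untagged port: insert the port VLAN ID on ingress."""
    if parse_tag(frame) is not None:
        return frame  # simplification: already-tagged frames pass unchanged
    return frame[:12] + struct.pack("!HH", TPID_8021Q, pvid) + frame[12:]

# Constructed sample addresses and payload, not taken from the thread.
PC_MAC = bytes.fromhex("020000000064")
FW_MAC = bytes.fromhex("020000000014")
UNTAGGED = build_frame(FW_MAC, PC_MAC, b"icmp-echo")

if __name__ == "__main__":
    print(receiving_interface(UNTAGGED))                           # direct cable
    print(receiving_interface(access_port_ingress(UNTAGGED, 10)))  # via switch
```

The firewall rules on each interface are evaluated only after this step, so a frame that lands on OPT1 still needs a pass rule there and a source address in that interface's subnet.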