 From:  mtnbkr <waa dash m0n0wall at revpol dot com>
 To:  Włodzimierz Frączek <wlodek at widar dot lublin dot pl>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Can't ping
 Date:  Fri, 24 Feb 2006 19:51:33 -0500
Włodzimierz Frączek wrote:
> 
>> Włodzimierz Frączek wrote:
>>
>>>
>>>> Włodzimierz Frączek wrote:
>>>>
>>>>> Hello
>>>>>
>>>>> I try to use m0n0wall ver. 1.21 but have trouble at the beginning.
>>>>> My first m0n0 NIC ( LAN ) - 192.168.0.20
>>>>> I create VLAN ( parent interface - LAN ) and give address 10.0.0.20 (
>>>>> OPT1 )
>>>>> Next I link my PC ( my address 192.168.0.100 ) to LAN
>>>>> I can ping of course to LAN and after adding a trace to the routing
>>>>> table in my Windows to OPT1 too.
>>>>> But if I change my PC address to 10.0.0.100 for example I can't ping
>>>>> anywhere ( OPT1, LAN )
>>>>> Please explain to me why?
>>>>>
>>>>> WF
>>>>>
>>>>
>>>> Basic reason is that your PC has not been configured to understand/work
>>>> with 802.1q (VLANS).
>>>>
>>>> Your m0n0wall's VLAN interface, listening on 10.0.0.20, will only
>>>> respond to packets that are tagged with 802.1q information for the VLAN
>>>> you have configured. Your computer is sending NON-802.1q tagged ethernet
>>>> frames, and as such your m0n0wall is seeing them on its LAN interface,
>>>> and is probably dropping them, or just allowing them to pass (default
>>>> m0n0wall LAN rule is to allow all)
>>>
>>>
>>>
>>> ----------------
>>> As I wrote I can ping to VLAN interface ( OPT1 ) under some
>>> circumstances :
>>> 1. My PC address : 192.168.0.100
>>> 2. My route table entry :
>>>   route add 10.0.0.0 mask 255.255.255.0 192.168.0.20
>>> I understand that in this case my PC sends packets without 802.1q frame
>>> and nevertheless the VLAN interface answers me.
>>
>>
>> That is correct - Since your PC is connected to m0n0wall's LAN interface
>> and is on the same subnet as m0n0wall's LAN IP address is, m0n0wall's
>> DEFAULT LAN rule "Allow any to any" allows your ICMP request into its
>> LAN interface and then forwards it to its IP address of its VLAN
>> interface on the 10.0.0.0/24 network.
>>
>> In other words, m0n0wall is allowing and then forwarding your ICMP
>> requests. That is why it works.
>>
>>
>>> By the way, if  I change one of my NIC card ( INTEL PRO/100 VE )
>>> property ( QoS packet tagging ) I still have the same problem.
>>> --------------------
>>
>>
>>
>> In this case I am guessing that you probably have not created any rules
>> on the VLAN interface. So even if your PC is now properly tagging
>> packets for the correct VLAN that your m0n0wall has configured, no rule
>> has been added to allow that packet to pass and they will be dropped.
>>
>> Click on RULES, then select the VLAN tab and add a rule to allow traffic
>> from the VLAN subnet.
> 
> 
> -----------------
> According to instruction I added one rule to OPT1 interface but nothing
> changed.
> I expand my system by adding 802.1q compatible switch, create VLAN ( for
> example ID 10 ) mark 1-st port as tagged and 2-nd as untagged.
> Next I connect my PC to 2-nd port and m0n0 LAN to 1-st port.
> And now I can't ping either LAN or VLAN.
> I think that now I understand that system less.
> Tell me please - in that new configuration - should I see from my PC
> both LAN and VLAN subnets?
> Maybe I have the wrong NIC in my m0n0 ( detected as xl - 3com 905b ) ?
> 
> Regards
> WF


Włodzimierz, let's start from the beginning.

  :)


I was going to write you a rather long, involved email explaining all
the issues you are experiencing and why, and how to fix them, BUT here
is something that will take you from start to finish with respect to
m0n0wall and VLANS.

http://wiki.m0n0.ch/wikka.php?wakka=VLAN&show_comments=1


--
Bill Arlofski
Reverse Polarity
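
Added example, not part of the message above and not m0n0wall's own code: a simplified model of the 802.1q behaviour discussed in the thread, showing how the tag in an Ethernet frame decides whether the parent (LAN) interface or a VLAN interface sees the frame. The MAC addresses, the mapping of VLAN ID 10 to OPT1, and the handling of a priority-only tag (VID 0) are assumptions made for the illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame, inserting an 802.1Q tag if vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)  # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_vlan(frame):
    """Return (vlan_id, pcp, ethertype); vlan_id and pcp are None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, None, ethertype
    if len(frame) < 18:
        raise ValueError("802.1Q tag is truncated")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner

def receiving_interface(frame, vlan_map, parent="LAN"):
    """Model which logical interface sees a frame arriving on the parent NIC."""
    vid, _pcp, _etype = parse_vlan(frame)
    if vid is None or vid == 0:
        # Untagged, or priority-tagged only (VID 0 carries 802.1p QoS bits but
        # names no VLAN): treated here as parent-interface traffic.
        return parent
    return vlan_map.get(vid)  # None: no VLAN interface for this tag

# Constructed sample data: MACs are made up; VLAN ID 10 is the thread's example.
PC, FW = bytes.fromhex("020000000064"), bytes.fromhex("020000000014")
VLAN_MAP = {10: "OPT1"}  # assumed mapping of the VLAN interface to OPT1
ICMP = b"\x08\x00" + b"\x00" * 6  # stand-in payload, not a full IP packet

def demo():
    frames = {
        "untagged": build_frame(FW, PC, 0x0800, ICMP),
        "vlan 10": build_frame(FW, PC, 0x0800, ICMP, vlan_id=10),
        "vlan 20": build_frame(FW, PC, 0x0800, ICMP, vlan_id=20),
        "priority tag": build_frame(FW, PC, 0x0800, ICMP, vlan_id=0, pcp=5),
    }
    return {name: receiving_interface(f, VLAN_MAP) for name, f in frames.items()}

if __name__ == "__main__":
    for name, iface in demo().items():
        print(f"{name:13} -> {iface or 'dropped (no matching VLAN interface)'}")
```

Only the frame tagged with VLAN ID 10 reaches OPT1 in this model; whether it is then passed still depends on the rules configured on that interface.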