 From:  "Lee Sharp" <leesharp at hal dash pc dot org>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] no WAN access to DMZ http
 Date:  Mon, 6 Mar 2006 21:41:08 -0600
From: "Steve Johnson" <sjohnson at warpdriveonline dot com>
> Lee Sharp wrote:
>> From: "Steve Johnson" <sjohnson at warpdriveonline dot com>
>>> Steve Johnson wrote:
>>>> Lee Sharp wrote:

>>>>> Is your m0n0wall web interface http or https?  If http, it could be 
>>>>> the antilockout rule.  Try changing m0n0wall to https and see if it 
>>>>> works.

>>>> Good idea, but no, that wasn't it. I switched webGUI protocol to https 
>>>> and rebooted the firewall. I still get a connection timeout from the 
>>>> accessing browser, and no record of the access attempt in the log.

>>> I checked with the ISP and found out that they block port 25, but 
>>> nothing else. So now I'm really stumped as to why I'm not seeing http 
>>> access attempts in the firewall log.

>> To get in you need both an inbound NAT rule and a firewall rule.  An easy 
>> check is to flip back to http for m0n0wall and turn off the inbound NAT. 
>> If you get the m0n0wall page, you have the firewall rule OK.  If not, you 
>> need to open up the firewall more.  If you do get it, look at your 
>> inbound NAT rule.

> [ Problem summary: I can't access http server in the DMZ from WAN 
> interface. From the LAN interface, it's fine. ]

> I set the webGUI back to http and deleted the NAT rule. When I browse the 
> WAN IP address from outside, I get the same result -- a connection timeout 
> at the browser and no indication of an access attempt in the log. I then 
> rewrote the one WAN rule to pass all traffic inbound to any http port on 
> any interface. Still nothing and still no log entries.

Getting there!  Back up your config.  It is an XML file and WordPad reads it 
fine.  Find your firewall rule.  One should look like this:
  <rule>
   <type>pass</type>
   <interface>wan</interface>
   <protocol>tcp</protocol>
   <source>
    <any/>
   </source>
   <destination>
    <any/>
    <port>80</port>
   </destination>
   <descr>Allow remote admin</descr>
  </rule>
If it doesn't, make it look like that.  (However, the <descr> can be 
anything.)  Now try the web admin again.  If it still fails, you are not 
getting to m0n0wall.  It is time to look at your network.

                        Lee
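The check Lee describes (open the backed-up config.xml and confirm there is a pass rule on wan for tcp/80 with any destination) can be automated instead of eyeballed in WordPad. The script below is an added example, not part of the original post and not m0n0wall's own code. It assumes only what the quoted rule shows: firewall rules are <rule> elements with <type>, <interface>, <protocol>, <source>, <destination>, <any/> and <port> children. The root element name in the sample, the "low-high" port-range syntax, and the sample config itself are constructed for the example; rule ordering is not modelled, so an earlier block rule on the same port would not be reported.

```python
"""Check a m0n0wall config.xml backup for a WAN pass rule on a given TCP port.

Added example; not part of the original mailing-list post or of m0n0wall.
Assumptions (beyond what the post shows): the backup is an XML document whose
firewall rules are <rule> elements laid out like the one quoted in the post,
and a <port> value is either a single port or a "low-high" range.
"""
import xml.etree.ElementTree as ET

# Constructed sample backup: the rule quoted in the post plus an unrelated
# block rule, wrapped in a minimal root element (root/section names assumed).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<m0n0wall>
  <filter>
    <rule>
      <type>block</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination><any/><port>25</port></destination>
      <descr>ISP blocks smtp anyway</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination><any/><port>80</port></destination>
      <descr>Allow remote admin</descr>
    </rule>
  </filter>
</m0n0wall>
"""


def _text(elem, tag):
    """Stripped text of a child element, or None if the child is absent."""
    value = elem.findtext(tag)
    return value.strip() if value is not None else None


def port_matches(port_text, port):
    """True if a <port> value (single port or 'low-high' range) covers port.

    A missing <port> element means the rule applies to every port.
    """
    if port_text is None:
        return True
    low, sep, high = port_text.strip().partition("-")
    if sep:
        return int(low) <= port <= int(high)
    return int(low) == port


def rule_matches(rule, iface, proto, port):
    """True if a <rule> element applies to proto/port on iface, any destination."""
    if _text(rule, "interface") != iface:
        return False
    rule_proto = _text(rule, "protocol")
    if rule_proto is not None and rule_proto != proto:
        return False          # a rule without <protocol> is taken to mean any
    dest = rule.find("destination")
    if dest is None or dest.find("any") is None:
        return False          # only <any/> destinations are handled here
    return port_matches(_text(dest, "port"), port)


def pass_rules_for(xml_text, iface="wan", proto="tcp", port=80):
    """Return the <descr> of every pass rule admitting proto/port on iface."""
    root = ET.fromstring(xml_text)
    hits = []
    for rule in root.iter("rule"):          # walk every <rule>, wherever it sits
        if _text(rule, "type") != "pass":
            continue                        # skips block rules and NAT entries
        if rule_matches(rule, iface, proto, port):
            hits.append(_text(rule, "descr") or "")
    return hits


if __name__ == "__main__":
    found = pass_rules_for(SAMPLE_CONFIG)
    if found:
        print("wan tcp/80 is passed by:", ", ".join(found))
    else:
        print("no pass rule for wan tcp/80; fix the filter rule first")
```

Run it against a real backup by replacing SAMPLE_CONFIG with the file contents; an empty result means the filter side of Lee's two-part check (firewall rule plus inbound NAT) is what is missing.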