[ previous ] [ next ] [ threads ]
 From:  Steve Johnson <sjohnson at warpdriveonline dot com>
 To:  Lee Sharp <leesharp at hal dash pc dot org>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] no WAN access to DMZ http
 Date:  Mon, 06 Mar 2006 21:37:53 -0700
>>>>>> Is your m0n0wall web interface http or https?  If http, it could 
>>>>>> be the antilockout rule.  Try changing m0n0wall to https and see 
>>>>>> if it works.
>>>>> Good idea, but no, that wasn't it. I switched webGUI protocol to 
>>>>> https and rebooted the firewall. I still get a connection timeout 
>>>>> from the accessing browser, and no record of the access attempt in 
>>>>> the log.
>>>> I checked with the ISP and found out that they block port 25, but 
>>>> nothing else. So now I'm really stumped as to why I'm not seeing 
>>>> http access attempts in the firewall log.
>>> To get in you need both a inbound NAT rule, and a firewall rule.  An 
>>> easy check is to flip back to http for m0n0wall and turn off the 
>>> inbound NAT. If you get the m0n0wall page, you have the firewall 
>>> rule OK.  If not, you need to open up the firewall more.  If you do 
>>> get it, look at your inbound NAT rule.
>> [ Problem summary: I can't access http server in the DMZ from WAN 
>> interface. From the LAN interface, it's fine. ]
>> I set the webGUI back to http and deleted the NAT rule. When I browse 
>> the WAN IP address from outside, I get the same result -- a 
>> connection timeout at the browser and no indication of an access 
>> attempt in the log. I then rewrote the one WAN rule to pass all 
>> traffic inbound to any http port on any interface. Still nothing and 
>> still no log entries.
> Getting there!  backup your config.  It is a xml file and wordpad 
> reads it fine.  Find your firewall rule.  One should look like this;
>  <rule>
>   <type>pass</type>
>   <interface>wan</interface>
>   <protocol>tcp</protocol>
>   <source>
>    <any/>
>   </source>
>   <destination>
>    <any/>
>    <port>80</port>
>   </destination>
>   <descr>Allow remote admin</descr>
>  </rule>
> If it doesn't, make it look like that.  (However, the <descr> can be 
> anything.  Now try the web admin again.  If it still fails, you are 
> not getting to m0n0wall.  It is time to look at your network.
I checked the rule and it's exactly as you described.

Then I had an idea -- I went to one of the port scan sites on the net 
and had it scan my WAN IP while I watched the firewall log. Every port 
showed in the log as having been scanned... except ports 21, 25, 80, 
135-139, 445 and 447. They never appeared in the firewall log.

I called the ISP, explained what I had done, and they hemmed and hawed, 
had me run MORE tests, then they reluctantly admitted that it might be 
something at their end. They've "escalated" the problem and will get 
back to me tomorrow.  ;-)

I guess I can understand the rationale behind that -- you don't 
indiscriminately leave your car keys on the kitchen table when you have 
a house full of young kids, so as a responsible ISP, why would you want 
to make it any easier for novices to set up a home website? (I'm not 
saying I agree, just that I can understand.)

The ISP, for those who might be interested, is warpdriveonline.com, the 
cable internet provider for US Cable in north central Colorado.

Thanks for your help in isolating the problem, Lee. I think this problem 
is resolved!

Best wishes,