On 4/7/06, Ernesto Vega <ernesvega at gmail dot com> wrote:
>
> > If you remove the 1:1 NAT temporarily, can that host get out to the Internet?
> >
>
> yes, I can.

Ok, good, that eliminates several possibilities.

>
> It seems to me that rules are working fine, but not the 1:1 NAT. If
> I stop it I can reach out the internet but not the other way. Given
> the fact that nat occurs prior to firewalling my rules are:
>

Rules look fine, for testing purposes (long term, of course, I wouldn't leave it wide open like that. But leave it that way for now).

>
> what am I doing wrong ???
>

If the server can get out without the 1:1 NAT, that leaves only a few possibilities.

1. The 1:1 public static IP isn't defined in proxy ARP.
2. The 1:1 public static IP is incorrect (not assigned to you by your ISP, or some other ISP issue)
3. If that public IP was used previously, the previous MAC address could still be cached by something upstream from your m0n0wall. Reset any routers, modems, etc. upstream from you.
4. Something in your configuration isn't as you have described it. If you get to this point, post back with your config.xml and maybe we can see what you have wrong. (you can email it to me offlist if you don't want to forever publicly archive it on google and a number of other sources)

> should I use static routes instead of nat ???
>

No, no, no. You should have no static routes in this configuration. If you have entered any, remove them all. That could be messing things up.

-Chris