Argh... Sigh... Hi Chris, et al.

I followed your recommendations below, and while I got part of it working, most of the rest is not, and I'm seeing some very strange behavior whose actual root cause I can't seem to pinpoint. So here goes:

I configured the WAN interface (sis2) to have its own IP - x.x.x.34; I was going to share .34 with VLAN10 (sis0, 10.0.10.0/24) and the LAN interface (sis1, 192.168.25.0/24), both via NAT, but after running into issues (which I will describe in a little bit), I decided to let the LAN have its own.

I then configured the following using your examples:

VLAN10 (sis0, 10.0.10.0/24) = .35
VLAN15 (sis0, 10.0.15.0/24) = .36
VLAN20 (sis0, 10.0.20.0/24) = .37
VLAN25 (sis0, 10.0.25.0/24) = .38
VLAN30 (sis0, 10.0.30.0/24) = .38
VLAN35 (sis0, 10.0.35.0/24) = .38
VLAN40 (sis0, 10.0.40.0/24) = .35

I also added Aliases for inbound NAT:

x.x.x.35 = "IP35"
x.x.x.36 = "IP36"
x.x.x.37 = "IP37"
x.x.x.38 = "IP38"

And lastly, I added a few inbound NAT entries (and ensured the appropriate firewall rules were added):

Interface   Port  ->  Interface     Port
-------------------------------------------------------
x.x.x.36    21    ->  10.0.15.10    21
x.x.x.38    8080  ->  10.0.25.8     80
x.x.x.38    80    ->  10.0.30.115   80
x.x.x.38    23    ->  10.0.35.42    23

Here's where it gets strange...

#1: Directly from the m0n0wall GUI, I can ping out to any host (e.g. yahoo.com, google.com, etc.), and I can also resolve DNS without any issue.

#2: From the LAN interface, I can ping out to any host, resolve DNS, hit any web traffic, IM, it's all good...

#3: From the VLAN10 network, same as #2.

#4: From VLAN15, I can ping SOME hosts, but not others (e.g. yahoo.com = yes, google.com = no); I also cannot hit ANY web traffic, BUT I can still do name resolution.

#5: From VLAN20, 25, 30, 35, and 40, I cannot hit the outside world. I can only do DNS resolution.

#6: All interfaces can reach (ping) their respective default gateway (10.0.x.254).

#7: At first I set up firewall rules on each interface to block VLAN to VLAN traffic, and only allow access to the LAN and WAN interfaces, but when I started seeing the aforementioned issues, I disabled all rules on each interface with the exception of the Allow -> Any rule to get traffic out (basically the same default "allow -> any" rule that is on the LAN interface was copied to all other VLAN interfaces). Still no luck though...

#8: The host doing all the pinging etc. on each VLAN is a single laptop running XP Pro SP2 (Windows firewall is disabled), connected (one at a time) to each VLAN, doing a DHCP release/renewal each time it is connected to ensure the client IP is refreshed.

Anyhow, I'm at a loss for what to do next... I'm not sure what is going wrong here... Any suggestions are greatly appreciated... If you or someone else is willing to discuss via telephone, I would also be open to that as well...

Thanks in advance....

> On 3/31/06, JP Aubineau <jp at netechnica dot com> wrote:
>>
>> Onto the hard part (or at least what I can't figure out!):
>>
>> I have a block of public IPs (/29 subnet) of which I would like to
>> assign individual IPs to specific VLANs (assuming via NAT); these IPs
>> would essentially be the public gateways for each VLAN (there are
>> several hosts in each LAN network that I plan to port forward services
>> to, so a 1:1 host NAT wouldn't work AFAIK). Some of the VLANs would
>> share a public IP [is this possible?], as I am limited to only a /29
>> block of IPs.
>>
>
> This is all possible.
>
> I'll assume that everything works fine now, but it is all getting
> NAT'ed to the WAN interface's IP address. Is that a safe assumption? If
> not, there are other issues to iron out before attempting this
> outbound NAT configuration.
>
> First, go to the NAT screen, and the Outbound tab. Check the "enable
> advanced outbound NAT" box and hit Save. At this point your Internet
> connection will stop functioning because you won't have NAT at all
> anymore. You need to then hit the + on that page, and add a NAT rule
> for each subnet. I'll give you a couple of examples of the rules you
> need, and you can figure out what the rest of them will be from that.
>
>> LAN_0, DMZ = xxx.xxx.xxx.34
>
> Outbound NAT screen:
> interface: WAN
> source: 192.168.8.0/24
> destination: any
> target: xxx.xxx.xxx.34
>
>> LAN_1: = xxx.xxx.xxx.35
>
> Outbound NAT screen:
> interface: WAN
> source: 192.168.10.0/24
> destination: any
> target: xxx.xxx.xxx.35
>
> You get the idea. Set up all those rules and everything should work
> properly. You can go to www.whatismyip.com from a machine on each
> VLAN to verify your configuration.
>
> -Chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
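Added example, not part of the thread and not m0n0wall code: a small Python script that applies Chris's one-rule-per-subnet pattern (interface WAN, source subnet, destination any, target public IP) to the VLAN table JP listed, shows which public addresses are shared between subnets, and checks each inbound NAT entry against the outbound target of its internal host. The subnets, targets and port forwards are copied from the message above; the rule dictionaries, the function names and the consistency check itself are my own and only mirror the field names of the Outbound NAT screen.

```python
import ipaddress

# Copied from JP's message: VLAN subnet -> public address used as its outbound
# NAT target. "x.x.x." is the placeholder the thread uses for the /29 block.
VLAN_TARGETS = {
    "10.0.10.0/24": "x.x.x.35",
    "10.0.15.0/24": "x.x.x.36",
    "10.0.20.0/24": "x.x.x.37",
    "10.0.25.0/24": "x.x.x.38",
    "10.0.30.0/24": "x.x.x.38",
    "10.0.35.0/24": "x.x.x.38",
    "10.0.40.0/24": "x.x.x.35",
}

# Inbound NAT entries from JP's table:
# (external IP, external port, internal host, internal port)
PORT_FORWARDS = [
    ("x.x.x.36", 21, "10.0.15.10", 21),
    ("x.x.x.38", 8080, "10.0.25.8", 80),
    ("x.x.x.38", 80, "10.0.30.115", 80),
    ("x.x.x.38", 23, "10.0.35.42", 23),
]


def outbound_rules(vlan_targets, wan="WAN"):
    """Expand the table into one advanced outbound NAT rule per subnet, in the
    field order Chris gave: interface, source, destination, target."""
    return [
        {"interface": wan, "source": subnet, "destination": "any", "target": target}
        for subnet, target in vlan_targets.items()
    ]


def target_for_host(host, vlan_targets):
    """Public address a host's outbound traffic is mapped to, or None when no
    outbound rule covers its subnet. With advanced outbound NAT enabled and
    no matching rule, that subnet leaves with no NAT at all (the state Chris
    describes right after ticking the checkbox)."""
    addr = ipaddress.ip_address(host)
    for subnet, target in vlan_targets.items():
        if addr in ipaddress.ip_network(subnet):
            return target
    return None


def check_forwards(vlan_targets, forwards):
    """Return a list of findings (empty means consistent). A finding is raised
    when an inbound entry's internal host is in a subnet with no outbound rule,
    or when the host would source its own outbound connections from a public
    address other than the one it is published on."""
    findings = []
    for ext_ip, ext_port, host, int_port in forwards:
        out = target_for_host(host, vlan_targets)
        if out is None:
            findings.append(f"{host}: no outbound NAT rule covers this host")
        elif out != ext_ip:
            findings.append(
                f"{ext_ip}:{ext_port} -> {host}:{int_port}: "
                f"host's outbound target is {out}"
            )
    return findings


def shared_targets(vlan_targets):
    """Public addresses used by more than one subnet (Chris confirmed sharing
    a target is allowed; this just makes the sharing visible)."""
    by_target = {}
    for subnet, target in vlan_targets.items():
        by_target.setdefault(target, []).append(subnet)
    return {t: s for t, s in by_target.items() if len(s) > 1}


if __name__ == "__main__":
    for rule in outbound_rules(VLAN_TARGETS):
        print(rule)
    print("shared targets:", shared_targets(VLAN_TARGETS))
    print("findings:", check_forwards(VLAN_TARGETS, PORT_FORWARDS) or "none")
```

Run as-is it prints the seven rules, shows .35 and .38 as shared targets, and reports no findings for the four forwards in the thread; swapping a subnet's target, or adding a forward to a host outside every listed subnet, produces a finding.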