 From:  JP Aubineau <jp at netechnica dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Cc:  Chris Buechler <cbuechler at gmail dot com>
 Subject:  Re[send]: [m0n0wall] Multiple WAN IP's <--> NAT <--> Multiple LANs
 Date:  Sun, 16 Apr 2006 19:59:27 -0500
Resending again - hoping anyone can help....

JP Aubineau wrote:
> Argh...Sigh...
>
> Hi Chris, et al.
>
> I followed your recommendations below, and while I got part of it 
> working, most of the rest is not, and I'm seeing some very strange 
> behavior that I can't seem to pinpoint the actual root cause of.
>
> So here goes:
>
> I configured the WAN interface (sis2) to have its own IP - x.x.x.34; 
> I was going to share .34 with VLAN10 (sis0, 10.0.10.0/24) and the LAN 
> interface (sis1, 192.168.25.0/24) both via NAT, but after running into 
> issues (I will describe in a little bit), I decided to let the LAN 
> have its own.
>
> I then configured the following using your examples:
>
> VLAN10 (sis0, 10.0.10.0/24) = .35
> VLAN15 (sis0, 10.0.15.0/24) = .36
> VLAN20 (sis0, 10.0.20.0/24) = .37
> VLAN25 (sis0, 10.0.25.0/24) = .38
> VLAN30 (sis0, 10.0.30.0/24) = .38
> VLAN35 (sis0, 10.0.35.0/24) = .38
> VLAN40 (sis0, 10.0.40.0/24) = .35
>
> I also added Aliases for inbound NAT:
>
> x.x.x.35 = "IP35"
> x.x.x.36 = "IP36"
> x.x.x.37 = "IP37"
> x.x.x.38 = "IP38"
>
> and lastly, I added a few inbound NAT entries (and ensured the 
> appropriate firewall rules were added):
>
> Interface    Port    ->    Interface    Port
> -------------------------------------------------------
> x.x.x.36    21    ->    10.0.15.10    21
> x.x.x.38    8080    ->    10.0.25.8    80
> x.x.x.38    80    ->    10.0.30.115    80
> x.x.x.38    23    ->    10.0.35.42    23
>
>
> Here's where it gets strange...
>
> #1: Directly from the m0n0wall GUI, I can ping out to any host (e.g. 
> yahoo.com, google.com, etc..), and I can also resolve DNS without any 
> issue.
>
> #2: From the LAN interface, I can ping out to any host, resolve DNS, 
> hit any web traffic, IM, it's all good...
>
> #3: From the VLAN10 network, same as #2.
>
> #4: From VLAN15, I can ping SOME hosts, but not others (e.g. yahoo.com 
> = yes, google.com = no); I also cannot hit ANY web traffic, BUT, I can 
> still do name resolution.
>
> #5: From VLAN20,25,30,35, and 40, I cannot hit the outside world. I 
> can only do DNS resolution.
>
> #6: All interfaces can reach (ping) their respective default gateway 
> (10.0.x.254)
>
> #7: At first I set up firewall rules on each interface to block VLAN to 
> VLAN traffic, and only allow access to LAN and WAN interfaces, but 
> when I started seeing the aforementioned issues, I disabled all rules 
> in each interface with the exception of the Allow -> Any rule to get 
> traffic out (basically the same default "allow -> any" rule that is on 
> the LAN interface was copied to all other VLAN interfaces). Still no 
> luck though...
>
> #8: The host doing all the pinging etc. on each VLAN is a single laptop 
> running XP Pro SP2 (Windows firewall is disabled), connected (one at a 
> time) to each VLAN, doing a DHCP release/renewal each time it is 
> connected to ensure the client IP is refreshed.
>
> Anyhow, I'm at a loss for what to do next... I'm not sure what is 
> going wrong here...
>
> Any suggestions are greatly appreciated...If you or someone else is 
> willing to discuss via telephone, I would also be open to that as well...
>
> Thanks in advance....
>
>> On 3/31/06, JP Aubineau <jp at netechnica dot com> wrote:
>>>
>>> Onto the hard part (or at least what I can't figure out!):
>>>
>>> I have a block of public IP's (/29 subnet) of which I would like to
>>> assign
>>> individual IP's to specific VLAN's (assuming via NAT); These IP's would
>>> essentially be the public gateways for each VLAN (there are several
>>> hosts
>>> in each LAN network that I plan to port forward services to, so a 1:1
>>> host
>>> NAT wouldn't work AFAIK). Some of the VLAN's would share a public IP [is
>>> this possible?], as I am limited to only a /29 block of IP's.
>>>
>>
>> this is all possible.
>>
>> I'll assume that everything works fine now, but it is all getting
>> NAT'ed to the WAN interface's IP address.  That a safe assumption?  If
>> not, there are other issues to iron out before attempting this
>> outbound NAT configuration.
>>
>>
>> First, go to the NAT screen, and the Outbound tab.  Check the enable
>> advanced outbound NAT box and hit Save.  At this point your Internet
>> connection will stop functioning because you won't have NAT at all
>> anymore.  You need to then hit the + on that page, and add a NAT rule
>> for each subnet.  I'll give you a couple examples of the rules you
>> need, and you can figure out what the rest of them will be from that.
>>
>>
>>>
>>> LAN_0, DMZ = xxx.xxx.xxx.34
>>
>> Outbound NAT screen:
>> interface: WAN
>> source: 192.168.8.0/24
>> destination:  any
>> target: xxx.xxx.xxx.34
>>
>>
>>> LAN_1: = xxx.xxx.xxx.35
>>
>> Outbound NAT screen:
>> interface: WAN
>> source: 192.168.10.0/24
>> destination:  any
>> target: xxx.xxx.xxx.35
>>
>>
>> you get the idea.  set up all those rules and everything should work
>> properly.  you can go to www.whatismyip.com from a machine on each
>> VLAN to verify your configuration.
>>
>> -Chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>
>
> On 3/31/06, JP Aubineau <jp at netechnica dot com> wrote:
> Hi All,
>
> I've been searching the lists and haven't been able to find a concrete
> answer as to how to solve a configuration problem I'm having with multiple WAN
> IP's being NAT'ed to multiple internal VLAN'ed networks. The closest I've
> been able to find is a HOWTO from Chris Buechler that gets me essentially
> 1/3rd of the way through [on the LAN side]
> (http://wiki.m0n0.ch/wikka.php?wakka=VLAN), but I am stuck on the m0n0
> config. I'm fairly new to VLAN and routing concepts in general so please
> be easy on me :-)
>
>
> My hardware is for all purposes identical to what Chris Buechler detailed
> in his guide. I have a Soekris net4801-50 box running m0n0 1.21 serving
> as the router, a Cisco 2924XL L2 switch attached to the sis1 interface on
> the Soekris box, another 8 port unmanaged POE switch attached to the sis2
> interface (for DMZ'd wireless AP's), and the sis0 interface attached to my
> ISP's router. The Cisco switch in my setup is configured nearly identically
> to the guide's switch config with the exception that I have a few more
> VLAN's assigned. All VLAN's are trunked through port 24 (which as stated
> above is connected to sis1 on the Soekris box).
>
> Onto the hard part (or at least what I can't figure out!):
>
> I have a block of public IP's (/29 subnet) of which I would like to assign
> individual IP's to specific VLAN's (assuming via NAT); These IP's would
> essentially be the public gateways for each VLAN (there are several hosts
> in each LAN network that I plan to port forward services to, so a 1:1 host
> NAT wouldn't work AFAIK). Some of the VLAN's would share a public IP [is
> this possible?], as I am limited to only a /29 block of IP's.
>
> Public IP info:
> inet: xxx.xxx.xxx.33 /29
> usable range: xxx.xxx.xxx.34 - 38
>
> On the Soekris I have the following setup:
>
> WAN_0: sis0 (xxx.xxx.xxx.34)
> DMZ: sis2 (192.168.9.254)
> LAN_0: sis1 (192.168.8.254)
> LAN_1: VLAN 10 on sis1 (192.168.10.254)
> LAN_2: VLAN 15 on sis1 (192.168.15.254)
> LAN_3: VLAN 20 on sis1 (192.168.20.254)
> LAN_4: VLAN 25 on sis1 (192.168.25.254)
> LAN_5: VLAN 30 on sis1 (192.168.30.254)
> LAN_6: VLAN 35 on sis1 (192.168.35.254)
>
> the DMZ network is for a wireless captive portal system. All the other
> LAN's (1-6) are for separate networks; some of which need their own public
> ip address, others can share:
>
> LAN_0, DMZ = xxx.xxx.xxx.34
> LAN_1: = xxx.xxx.xxx.35
> LAN_2: = xxx.xxx.xxx.36
> LAN_3,LAN_5,LAN_6 = xxx.xxx.xxx.37
> LAN_4: = xxx.xxx.xxx.38
>
>
> So, given the above information, would someone have an idea of how to set
> this up? The main reason for this setup is that I want to replace an
> existing cisco 2610 router [that essentially is doing the above
> configuration], with the Soekris / m0n0wall solution, as it adds VPN,
> captive portal, and traffic shaping functionality to the total solution.
>
> Any help would be greatly appreciated,
>
> Thank you,
>
> - JP
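The thread above turns on two things: once advanced outbound NAT is enabled, any subnet without its own outbound rule loses NAT entirely, and every rule's target has to be one of the usable addresses in the /29 (.34 through .38, with .33 being the ISP router). The script below is an added example, not code from this thread, from m0n0wall, or from its authors. It models the per-subnet outbound NAT rules in the shape of the Outbound tab fields, reports subnets that have no rule and targets outside the usable range, shows which interfaces end up sharing a public address, and predicts the address a host on a given subnet should see from a "what is my IP" check. All addresses are constructed: 203.0.113.32/29 is a documentation range standing in for the x.x.x.x block on the page, and first-match rule evaluation is an assumption made for the prediction function.

```python
"""Sanity-check a per-subnet outbound NAT plan before enabling it.

Added example; not m0n0wall code.  Addresses are constructed: the
203.0.113.32/29 block stands in for the ISP-assigned xxx.xxx.xxx.33/29
on the page (usable .34-.38, .33 = ISP router).
"""
import ipaddress

# Constructed stand-in for the public /29: .32 network, .33 ISP router,
# .34-.38 usable for NAT targets, .39 broadcast.
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.32/29")
ISP_GATEWAY = ipaddress.ip_address("203.0.113.33")

# Interface name -> subnet, mirroring the layout in the original post.
INTERFACES = {
    "LAN_0": "192.168.8.0/24",
    "DMZ": "192.168.9.0/24",
    "LAN_1": "192.168.10.0/24",
    "LAN_2": "192.168.15.0/24",
    "LAN_3": "192.168.20.0/24",
    "LAN_4": "192.168.25.0/24",
    "LAN_5": "192.168.30.0/24",
    "LAN_6": "192.168.35.0/24",
}

# Outbound NAT rules as (interface, source, destination, target), the same
# four fields as the m0n0wall Outbound tab.  Deliberately flawed sample:
# LAN_5 has no rule at all and LAN_6 targets an address outside the block.
OUTBOUND_RULES = [
    ("WAN", "192.168.8.0/24", "any", "203.0.113.34"),
    ("WAN", "192.168.9.0/24", "any", "203.0.113.34"),
    ("WAN", "192.168.10.0/24", "any", "203.0.113.35"),
    ("WAN", "192.168.15.0/24", "any", "203.0.113.36"),
    ("WAN", "192.168.20.0/24", "any", "203.0.113.37"),
    ("WAN", "192.168.25.0/24", "any", "203.0.113.38"),
    ("WAN", "192.168.35.0/24", "any", "203.0.113.40"),
]


def _net(spec):
    """Parse a source/destination field; 'any' means the whole v4 space."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)


def usable_targets(block=PUBLIC_BLOCK, isp_gateway=ISP_GATEWAY):
    """Host addresses of the public block minus the ISP router's own address."""
    return {a for a in block.hosts() if a != isp_gateway}


def check_outbound_nat(interfaces, rules, block=PUBLIC_BLOCK,
                       isp_gateway=ISP_GATEWAY):
    """Report subnets with no outbound rule (they lose NAT once advanced
    outbound NAT is on), targets outside the usable range, and which
    interfaces share each public address."""
    usable = usable_targets(block, isp_gateway)
    covered = {}       # interface name -> target address
    bad_targets = []   # (source, target) pairs whose target is unusable
    for _iface, src, _dst, target in rules:
        src_net = _net(src)
        tgt = ipaddress.ip_address(target)
        if tgt not in usable:
            bad_targets.append((src, target))
        for name, subnet in interfaces.items():
            # A rule covers an interface if its source encloses the subnet.
            if ipaddress.ip_network(subnet).subnet_of(src_net):
                covered.setdefault(name, tgt)
    missing = sorted(set(interfaces) - set(covered))
    sharing = {}
    for name, tgt in covered.items():
        sharing.setdefault(str(tgt), []).append(name)
    return {
        "missing_nat": missing,
        "bad_targets": bad_targets,
        "sharing": {k: sorted(v) for k, v in sharing.items()},
    }


def expected_public_ip(rules, client_ip):
    """Address a host should see from a 'what is my IP' check, assuming the
    first matching rule wins (assumption for this example).  None means the
    host has no outbound NAT and will not reach the Internet."""
    ip = ipaddress.ip_address(client_ip)
    for _iface, src, _dst, target in rules:
        if ip in _net(src):
            return ipaddress.ip_address(target)
    return None


if __name__ == "__main__":
    for key, value in check_outbound_nat(INTERFACES, OUTBOUND_RULES).items():
        print(key, value)
    for host in ("192.168.10.7", "192.168.30.5"):
        print(host, "->", expected_public_ip(OUTBOUND_RULES, host))
```

Running it against the sample rules flags LAN_5 as having no NAT rule and LAN_6's target .40 as outside the usable range, and shows LAN_0 and DMZ sharing .34, which matches the way several VLANs were meant to share one public address in the plan. Comparing `expected_public_ip` for a host on each VLAN against what the host actually reports is the same verification step suggested in the reply, done before touching the box.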