Resending again - hoping anyone can help....
JP Aubineau wrote:
> Hi Chris, et al.
> I followed your recommendations below, and while I got part of it
> working, most of the rest is not, and I'm seeing some very strange
> behavior whose actual root cause I can't seem to pinpoint..
> So here goes:
> I configured the WAN interface (sis2) to have its own IP - x.x.x.34;
> I was going to share .34 with VLAN10 (sis0, 10.0.10.0/24) and the LAN
> interface (sis1, 192.168.25.0/24) both via NAT, but after running into
> issues (I will describe in a little bit), I decided to let the LAN
> have its own.
> I then configured the following using your examples:
> VLAN10 (sis0, 10.0.10.0/24) = .35
> VLAN15 (sis0, 10.0.15.0/24) = .36
> VLAN20 (sis0, 10.0.20.0/24) = .37
> VLAN25 (sis0, 10.0.25.0/24) = .38
> VLAN30 (sis0, 10.0.30.0/24) = .38
> VLAN35 (sis0, 10.0.35.0/24) = .38
> VLAN40 (sis0, 10.0.40.0/24) = .35
> I also added Aliases for inbound NAT:
> x.x.x.35 = "IP35"
> x.x.x.36 = "IP36"
> x.x.x.37 = "IP37"
> x.x.x.38 = "IP38"
> and lastly, I added a few inbound NAT entries (and ensured the
> appropriate firewall rules were added):
> Interface Port -> Interface Port
> x.x.x.36 21 -> 10.0.15.10 21
> x.x.x.38 8080 -> 10.0.25.8 80
> x.x.x.38 80 -> 10.0.30.115 80
> x.x.x.38 23 -> 10.0.35.42 23
> Here's where it gets strange...
> #1: Directly from the m0n0wall GUI, I can ping out to any host (e.g.
> yahoo.com, google.com, etc.), and I can also resolve DNS without any
> #2: From the LAN interface, I can ping out to any host, resolve DNS,
> hit any web traffic, IM, it's all good...
> #3: From the VLAN10 network, same as #2.
> #4: From VLAN15, I can ping SOME hosts, but not others (e.g. yahoo.com
> = yes, google.com = no); I also cannot hit ANY web traffic, BUT, I can
> still do name resolution.
> #5: From VLAN20,25,30,35, and 40, I cannot hit the outside world. I
> can only do DNS resolution.
> #6: All interfaces can reach (ping) their respective default gateway
> #7: At first I set up firewall rules on each interface to block VLAN to
> VLAN traffic, and only allow access to LAN and WAN interfaces, but
> when I started seeing the aforementioned issues, I disabled all rules
> in each interface with the exception of the Allow -> Any rule to get
> traffic out (basically the same default "allow -> any" rule that is on
> the LAN interface was copied to all other VLAN interfaces). Still no
> luck though...
> #8: The host doing all the pinging etc. on each VLAN is a single laptop
> running XP Pro SP2 (Windows firewall is disabled), connected (one at a
> time) to each VLAN, doing a DHCP release/renewal each time it is
> connected to ensure the client IP is refreshed.
> Anyhow, I'm at a loss for what to do next... I'm not sure what is
> going wrong here...
> Any suggestions are greatly appreciated... If you or someone else is
> willing to discuss via telephone, I would also be open to that as well...
> Thanks in advance....
>> On 3/31/06, JP Aubineau <jp at netechnica dot com> wrote:
>>> Onto the hard part (or at least what I can't figure out!):
>>> I have a block of public IPs (/29 subnet) of which I would like to assign
>>> individual IPs to specific VLANs (assuming via NAT); These IPs would
>>> essentially be the public gateways for each VLAN (there are several hosts
>>> in each LAN network that I plan to port forward services to, so a 1:1 host
>>> NAT wouldn't work AFAIK). Some of the VLANs would share a public IP [is
>>> this possible?], as I am limited to only a /29 block of IPs.
>> This is all possible.
>> I'll assume that everything works fine now, but it is all getting
>> NAT'ed to the WAN interface's IP address. Is that a safe assumption? If
>> not, there are other issues to iron out before attempting this
>> outbound NAT configuration.
>> First, go to the NAT screen, and the Outbound tab. Check the enable
>> advanced outbound NAT box and hit Save. At this point your Internet
>> connection will stop functioning because you won't have NAT at all
>> anymore. You need to then hit the + on that page, and add a NAT rule
>> for each subnet. I'll give you a couple examples of the rules you
>> need, and you can figure out what the rest of them will be from that.
>>> LAN_0, DMZ = xxx.xxx.xxx.34
>> Outbound NAT screen:
>> interface: WAN
>> source: 192.168.8.0/24
>> destination: any
>> target: xxx.xxx.xxx.34
>>> LAN_1: = xxx.xxx.xxx.35
>> Outbound NAT screen:
>> interface: WAN
>> source: 192.168.10.0/24
>> destination: any
>> target: xxx.xxx.xxx.35
>> You get the idea. Set up all those rules and everything should work
>> properly. You can go to www.whatismyip.com from a machine on each
>> VLAN to verify your configuration.
> On 3/31/06, JP Aubineau <jp at netechnica dot com> wrote:
> Hi All,
> I've been searching the lists and haven't been able to find a concrete
> answer as to how to solve a configuration problem I'm having with multiple
> WAN IPs being NAT'ed to multiple internal VLAN'ed networks. The closest
> I've been able to find is a HOWTO from Chris Buechler that gets me
> essentially 1/3rd of the way through [on the LAN side]
> (http://wiki.m0n0.ch/wikka.php?wakka=VLAN), but I am stuck on the m0n0
> config. I'm fairly new to VLAN and routing concepts in general so please
> be easy on me :-)
> My hardware is for all purposes identical to what Chris Buechler detailed
> in his guide. I have a Soekris net4801-50 box running m0n0 1.21 serving
> as the router, a Cisco 2924XL L2 switch attached to the sis1 interface on
> the Soekris box, another 8 port unmanaged POE switch attached to the sis2
> interface (for DMZ'd wireless APs), and the sis0 interface attached to my
> ISP's router. The Cisco switch in my setup is configured nearly identically
> to the guide's switch config with the exception that I have a few more
> VLANs assigned. All VLANs are trunked through port 24 (which as stated
> above is connected to sis1 on the Soekris box).
> Onto the hard part (or at least what I can't figure out!):
> I have a block of public IPs (/29 subnet) of which I would like to assign
> individual IPs to specific VLANs (assuming via NAT); These IPs would
> essentially be the public gateways for each VLAN (there are several hosts
> in each LAN network that I plan to port forward services to, so a 1:1 host
> NAT wouldn't work AFAIK). Some of the VLANs would share a public IP [is
> this possible?], as I am limited to only a /29 block of IPs.
> Public IP info:
> inet: xxx.xxx.xxx.33 /29
> usable range: xxx.xxx.xxx.34 - 38
> On the Soekris I have the following setup:
> WAN_0: sis0 (xxx.xxx.xxx.34)
> DMZ: sis2 (192.168.9.254)
> LAN_0: sis1 (192.168.8.254)
> LAN_1: VLAN 10 on sis1 (192.168.10.254)
> LAN_2: VLAN 15 on sis1 (192.168.15.254)
> LAN_3: VLAN 20 on sis1 (192.168.20.254)
> LAN_4: VLAN 25 on sis1 (192.168.25.254)
> LAN_5: VLAN 30 on sis1 (192.168.30.254)
> LAN_6: VLAN 35 on sis1 (192.168.35.254)
> the DMZ network is for a wireless captive portal system. All the other
> LAN's (1-6) are for separate networks; some of which need their own public
> ip address, others can share:
> LAN_0, DMZ = xxx.xxx.xxx.34
> LAN_1: = xxx.xxx.xxx.35
> LAN_2: = xxx.xxx.xxx.36
> LAN_3,LAN_5,LAN_6 = xxx.xxx.xxx.37
> LAN_4: = xxx.xxx.xxx.38
> So, given the above information, would someone have an idea of how to set
> this up? The main reason for this setup is that I want to replace an
> existing Cisco 2610 router [that essentially is doing the above
> configuration], with the Soekris / m0n0wall solution, as it adds VPN,
> captive portal, and traffic shaping functionality to the total solution.
> Any help would be greatly appreciated,
> Thank you,
> - JP
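The advanced outbound NAT behaviour Chris describes (once the box is checked, only subnets with an explicit rule get translated; everything else leaves untranslated and never comes back) can be modelled and checked offline. The following is an added example written for this archive, not code from the thread or from m0n0wall: it uses the constructed documentation block 203.0.113.32/29 in place of the poster's xxx.xxx.xxx.32/29, a simplified first-match rule model, and deliberately leaves LAN_5 and LAN_6 without a rule to reproduce the "DNS works but nothing else does" symptom for those VLANs.

```python
import ipaddress

# Constructed placeholders: 203.0.113.32/29 stands in for the poster's /29,
# .33 is the ISP router, .34-.38 are the usable addresses from the thread.
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.32/29")
ISP_GATEWAY = ipaddress.ip_address("203.0.113.33")

# Internal networks from the first mail (LAN_0 .. LAN_6 plus the DMZ).
INTERNAL = {
    "LAN_0": "192.168.8.0/24", "DMZ": "192.168.9.0/24",
    "LAN_1": "192.168.10.0/24", "LAN_2": "192.168.15.0/24",
    "LAN_3": "192.168.20.0/24", "LAN_4": "192.168.25.0/24",
    "LAN_5": "192.168.30.0/24", "LAN_6": "192.168.35.0/24",
}

# Advanced outbound NAT rules as (interface, source, destination, target),
# mirroring the Outbound NAT screen fields in Chris's reply. Deliberately
# incomplete: LAN_5 and LAN_6 have no rule.
OUTBOUND_RULES = [
    ("WAN", "192.168.8.0/24", "any", "203.0.113.34"),
    ("WAN", "192.168.9.0/24", "any", "203.0.113.34"),
    ("WAN", "192.168.10.0/24", "any", "203.0.113.35"),
    ("WAN", "192.168.15.0/24", "any", "203.0.113.36"),
    ("WAN", "192.168.20.0/24", "any", "203.0.113.37"),
    ("WAN", "192.168.25.0/24", "any", "203.0.113.38"),
]


def translate(src_ip, rules=OUTBOUND_RULES):
    """First matching rule wins. None means the packet leaves untranslated:
    with advanced outbound NAT enabled, an unmatched subnet gets no NAT at
    all, so its private source address is unroutable on the Internet."""
    src = ipaddress.ip_address(src_ip)
    for _iface, source, _dest, target in rules:
        if src in ipaddress.ip_network(source):
            return target
    return None


def check_plan(internal=INTERNAL, rules=OUTBOUND_RULES):
    """List the plan's gaps: subnets with no rule, and targets that are not
    usable addresses of the /29 (network, broadcast, or the ISP gateway)."""
    problems = []
    covered = {ipaddress.ip_network(r[1]) for r in rules}
    for name, net in internal.items():
        if ipaddress.ip_network(net) not in covered:
            problems.append(f"{name} ({net}) has no outbound NAT rule")
    for _iface, source, _dest, target in rules:
        t = ipaddress.ip_address(target)
        if t not in PUBLIC_BLOCK.hosts() or t == ISP_GATEWAY:
            problems.append(f"{source} -> {target} is not a usable public IP")
    return problems
```

Running `check_plan()` before hitting Save on the Outbound tab tells you which VLANs would be cut off, which is exactly the class of mistake the "can only do DNS resolution" VLANs in the follow-up mail point to.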