Resending again - hoping anyone can help....

JP Aubineau wrote:
> Argh...Sigh...
>
> Hi Chris, et al..
>
> I followed your recommendations below, and while I got part of it
> working, most of the rest is not, and I'm seeing some very strange
> behavior whose actual root cause I can't seem to pinpoint..
>
> So here goes:
>
> I configured the WAN interface (sis2) to have its own IP - x.x.x.34;
> I was going to share .34 with VLAN10 (sis0, 10.0.10.0/24) and the LAN
> interface (sis1, 192.168.25.0/24) both via NAT, but after running into
> issues (I will describe in a little bit), I decided to let the LAN
> have its own.
>
> I then configured the following using your examples:
>
> VLAN10 (sis0, 10.0.10.0/24) = .35
> VLAN15 (sis0, 10.0.15.0/24) = .36
> VLAN20 (sis0, 10.0.20.0/24) = .37
> VLAN25 (sis0, 10.0.25.0/24) = .38
> VLAN30 (sis0, 10.0.30.0/24) = .38
> VLAN35 (sis0, 10.0.35.0/24) = .38
> VLAN40 (sis0, 10.0.40.0/24) = .35
>
> I also added Aliases for inbound NAT:
>
> x.x.x.35 = "IP35"
> x.x.x.36 = "IP36"
> x.x.x.37 = "IP37"
> x.x.x.38 = "IP38"
>
> and lastly, I added a few inbound NAT entries (and ensured the
> appropriate firewall rules were added):
>
> Interface    Port  ->  Interface    Port
> -------------------------------------------------------
> x.x.x.36     21    ->  10.0.15.10   21
> x.x.x.38     8080  ->  10.0.25.8    80
> x.x.x.38     80    ->  10.0.30.115  80
> x.x.x.38     23    ->  10.0.35.42   23
>
>
> Here's where it gets strange...
>
> #1: Directly from the m0n0wall GUI, I can ping out to any host (e.g.
> yahoo.com, google.com, etc..), and I can also resolve DNS without any
> issue.
>
> #2: From the LAN interface, I can ping out to any host, resolve DNS,
> hit any web traffic, IM, it's all good...
>
> #3: From the VLAN10 network, same as #2.
>
> #4: From VLAN15, I can ping SOME hosts, but not others (e.g. yahoo.com
> = yes, google.com = no); I also cannot hit ANY web traffic, BUT, I can
> still do name resolution.
>
> #5: From VLAN20, 25, 30, 35, and 40, I cannot hit the outside world. I
> can only do DNS resolution.
>
> #6: All interfaces can reach (ping) their respective default gateway
> (10.0.x.254)
>
> #7: At first I set up firewall rules on each interface to block VLAN to
> VLAN traffic, and only allow access to LAN and WAN interfaces, but
> when I started seeing the aforementioned issues, I disabled all rules
> in each interface with the exception of the Allow -> Any rule to get
> traffic out (basically the same default "allow -> any" rule that is on
> the LAN interface was copied to all other VLAN interfaces). Still no
> luck though...
>
> #8: The host doing all the pinging etc. on each VLAN is a single laptop
> running XP Pro SP2 (Windows firewall is disabled), connected (one at a
> time) to each VLAN, doing a DHCP release/renewal each time it is
> connected to ensure the client IP is refreshed.
>
> Anyhow, I'm at a loss for what to do next... I'm not sure what is
> going wrong here...
>
> Any suggestions are greatly appreciated... If you or someone else is
> willing to discuss via telephone, I would also be open to that as well...
>
> Thanks in advance....
>
>
>
>
>> On 3/31/06, JP Aubineau <jp at netechnica dot com> wrote:
>>>
>>> Onto the hard part (or at least what I can't figure out!):
>>>
>>> I have a block of public IP's (/29 subnet) of which I would like to
>>> assign individual IP's to specific VLAN's (assuming via NAT); these
>>> IP's would essentially be the public gateways for each VLAN (there are
>>> several hosts in each LAN network that I plan to port forward services
>>> to, so a 1:1 host NAT wouldn't work AFAIK). Some of the VLAN's would
>>> share a public IP [is this possible?], as I am limited to only a /29
>>> block of IP's.
>>>
>>
>> this is all possible.
>>
>> I'll assume that everything works fine now, but it is all getting
>> NAT'ed to the WAN interface's IP address. That a safe assumption? If
>> not, there are other issues to iron out before attempting this
>> outbound NAT configuration.
>>
>>
>> First, go to the NAT screen, and the Outbound tab. Check the enable
>> advanced outbound NAT box and hit Save. At this point your Internet
>> connection will stop functioning because you won't have NAT at all
>> anymore. You need to then hit the + on that page, and add a NAT rule
>> for each subnet. I'll give you a couple examples of the rules you
>> need, and you can figure out what the rest of them will be from that.
>>
>>
>>>
>>> LAN_0, DMZ = xxx.xxx.xxx.34
>>
>> Outbound NAT screen:
>> interface: WAN
>> source: 192.168.8.0/24
>> destination: any
>> target: xxx.xxx.xxx.34
>>
>>
>>> LAN_1: = xxx.xxx.xxx.35
>>
>> Outbound NAT screen:
>> interface: WAN
>> source: 192.168.10.0/24
>> destination: any
>> target: xxx.xxx.xxx.35
>>
>>
>> you get the idea. set up all those rules and everything should work
>> properly. you can go to www.whatismyip.com from a machine on each
>> VLAN to verify your configuration.
>>
>> -Chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>
>
> On 3/31/06, JP Aubineau <jp at netechnica dot com> wrote:
> Hi All,
>
> I've been searching the lists and haven't been able to find a concrete
> answer as to how to solve a configuration problem I'm having with multiple
> WAN IP's being NAT'ed to multiple internal VLAN'ed networks. The closest
> I've been able to find is a HOWTO from Chris Buechler that gets me
> essentially 1/3rd of the way through [on the LAN side]
> (http://wiki.m0n0.ch/wikka.php?wakka=VLAN), but I am stuck on the m0n0
> config. I'm fairly new to VLAN and routing concepts in general so please
> be easy on me :-)
>
>
> My hardware is for all purposes identical to what Chris Buechler detailed
> in his guide. I have a Soekris net4801-50 box running m0n0 1.21 serving
> as the router, a Cisco 2924XL L2 switch attached to the sis1 interface on
> the Soekris box, another 8 port unmanaged PoE switch attached to the sis2
> interface (for DMZ'd wireless APs), and the sis0 interface attached to my
> ISP's router. The Cisco switch in my setup is configured nearly identically
> to the guide's switch config with the exception that I have a few more
> VLAN's assigned. All VLAN's are trunked through port 24 (which as stated
> above is connected to sis1 on the Soekris box).
>
> Onto the hard part (or at least what I can't figure out!):
>
> I have a block of public IP's (/29 subnet) of which I would like to assign
> individual IP's to specific VLAN's (assuming via NAT); these IP's would
> essentially be the public gateways for each VLAN (there are several hosts
> in each LAN network that I plan to port forward services to, so a 1:1 host
> NAT wouldn't work AFAIK). Some of the VLAN's would share a public IP [is
> this possible?], as I am limited to only a /29 block of IP's.
>
> Public IP info:
> inet: xxx.xxx.xxx.33 /29
> usable range: xxx.xxx.xxx.34 - 38
>
> On the Soekris I have the following setup:
>
> WAN_0: sis0 (xxx.xxx.xxx.34)
> DMZ: sis2 (192.168.9.254)
> LAN_0: sis1 (192.168.8.254)
> LAN_1: VLAN 10 on sis1 (192.168.10.254)
> LAN_2: VLAN 15 on sis1 (192.168.15.254)
> LAN_3: VLAN 20 on sis1 (192.168.20.254)
> LAN_4: VLAN 25 on sis1 (192.168.25.254)
> LAN_5: VLAN 30 on sis1 (192.168.30.254)
> LAN_6: VLAN 35 on sis1 (192.168.35.254)
>
> the DMZ network is for a wireless captive portal system. All the other
> LAN's (1-6) are for separate networks; some of which need their own public
> IP address, others can share:
>
> LAN_0, DMZ = xxx.xxx.xxx.34
> LAN_1: = xxx.xxx.xxx.35
> LAN_2: = xxx.xxx.xxx.36
> LAN_3,LAN_5,LAN_6 = xxx.xxx.xxx.37
> LAN_4: = xxx.xxx.xxx.38
>
>
> So, given the above information, would someone have an idea of how to set
> this up? The main reason for this setup is that I want to replace an
> existing Cisco 2610 router [that essentially is doing the above
> configuration], with the Soekris / m0n0wall solution, as it adds VPN,
> captive portal, and traffic shaping functionality to the total solution.
>
> Any help would be greatly appreciated,
>
> Thank you,
>
> - JP
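The rule table Chris describes (one advanced outbound NAT rule per internal subnet, target = that subnet's public address) is easy to get subtly wrong on a /29 where several VLANs share an address and a couple of ports are forwarded in. The script below is an added example, not code from the thread or from the m0n0wall project: it builds that table for the VLAN layout in the second post and runs the checks a practitioner would want before clicking through the GUI: every target is a usable host address in the block and not the ISP gateway, no two source subnets overlap (pf's nat rules are first-match, so an overlapped rule is never consulted), and no inbound forward claims the same public address/port twice. It assumes 203.0.113.32/29 (a documentation prefix) in place of the masked block, 203.0.113.33 as the ISP gateway as in the "inet: xxx.xxx.xxx.33 /29" line, and TCP for the port forwards, which the posts do not state. All addresses and tables are constructed from the posts, not captured from a live box.

```python
"""Plan and sanity-check a multi-public-IP outbound NAT layout on a /29.

Added example; not m0n0wall code and not from the mailing-list thread.
203.0.113.32/29 stands in for the masked x.x.x.32/29 block, and .33 is
assumed to be the ISP gateway (the "inet: xxx.xxx.xxx.33 /29" line).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed to mirror the second post's VLAN -> public IP assignment.
VLAN_TO_PUBLIC: Dict[str, str] = {
    "10.0.10.0/24": "203.0.113.35",
    "10.0.15.0/24": "203.0.113.36",
    "10.0.20.0/24": "203.0.113.37",
    "10.0.25.0/24": "203.0.113.38",
    "10.0.30.0/24": "203.0.113.38",
    "10.0.35.0/24": "203.0.113.38",
    "10.0.40.0/24": "203.0.113.35",
}

# Constructed inbound NAT table; protocol (tcp) is an assumption.
# (public ip, proto, public port, internal ip, internal port)
PORT_FORWARDS = [
    ("203.0.113.36", "tcp", 21, "10.0.15.10", 21),
    ("203.0.113.38", "tcp", 8080, "10.0.25.8", 80),
    ("203.0.113.38", "tcp", 80, "10.0.30.115", 80),
    ("203.0.113.38", "tcp", 23, "10.0.35.42", 23),
]


def plan_outbound_nat(block: str, gateway: str,
                      assignments: Dict[str, str]) -> Tuple[List[dict], List[str]]:
    """Return (rules, problems) for an advanced-outbound-NAT table.

    One rule per internal subnet in the shape the Outbound tab asks for
    (interface / source / destination / target). A problem is recorded when
    a target is not a usable host address of the block or is the gateway,
    or when two source subnets overlap (first match wins, so the later rule
    would never be used).
    """
    net = ipaddress.ip_network(block, strict=True)
    usable = set(net.hosts()) - {ipaddress.ip_address(gateway)}
    rules: List[dict] = []
    problems: List[str] = []
    seen: List[ipaddress.IPv4Network] = []
    for src, target in assignments.items():
        src_net = ipaddress.ip_network(src, strict=True)
        if ipaddress.ip_address(target) not in usable:
            problems.append(f"{src}: target {target} is not a usable address in {block}")
        for other in seen:
            if src_net.overlaps(other):
                problems.append(f"{src} overlaps {other}; only the first matching rule applies")
        seen.append(src_net)
        rules.append({"interface": "WAN", "source": src,
                      "destination": "any", "target": target})
    return rules, problems


def egress_address(rules: List[dict], client_ip: str) -> Optional[str]:
    """Public address a client would show on whatismyip (first matching rule).

    None means no rule covers the client. Once advanced outbound NAT is
    enabled, such traffic leaves the WAN interface untranslated, which is
    the state Chris warns about right after ticking the box.
    """
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if ip in ipaddress.ip_network(rule["source"]):
            return rule["target"]
    return None


def port_forward_collisions(forwards) -> List[Tuple[str, str, int]]:
    """Return (public ip, proto, port) keys claimed by more than one forward.

    Sharing a public address between VLANs is fine for outbound NAT, but an
    inbound port on that address can only be forwarded to one host.
    """
    seen = set()
    dupes: List[Tuple[str, str, int]] = []
    for pub, proto, port, _int_ip, _int_port in forwards:
        key = (pub, proto, port)
        if key in seen and key not in dupes:
            dupes.append(key)
        seen.add(key)
    return dupes


if __name__ == "__main__":
    rules, problems = plan_outbound_nat("203.0.113.32/29", "203.0.113.33", VLAN_TO_PUBLIC)
    for r in rules:
        print(f"interface: {r['interface']}  source: {r['source']}  "
              f"destination: {r['destination']}  target: {r['target']}")
    print("problems:", problems or "none")
    print("10.0.20.7 egresses as", egress_address(rules, "10.0.20.7"))
    print("192.168.25.9 egresses as", egress_address(rules, "192.168.25.9"))
    print("forward collisions:", port_forward_collisions(PORT_FORWARDS) or "none")
```

Running it prints the seven rules to type into the Outbound tab. `egress_address` is the offline version of the whatismyip check Chris suggests: feed it a client from each VLAN and a `None` result means that subnet has no rule and its packets are leaving with their private source address (the LAN subnet 192.168.25.0/24 is deliberately left out of the constructed table to show that case).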