Thanks for the help guys. I read that about using the external address from inside, so I have been using my neighbor's internet and trying from the office. (Hence why I allow remote admin from the WAN interface, so I don't have to keep switching.) I also can't view my Firewall Log (Diag>Log>Firewall); it just loads for about 5 minutes and then times out. But I have Wall Watcher running and I see a lot of blocks from random IPs and ports, but not the one I am trying to access at the time. It is blocking random hits on all addresses 154-158, so it is routing the traffic right. I am also able to ping the web server from the M0n0Wall, so I know there is traffic there. So I assume it is still a rule issue.

Here is the list of all the rules I have on the DMZ interface:

Proto | Source  | Port      | Destination    | Port
TCP   | DMZ net | 80 (HTTP) | *              | 80 (HTTP)
TCP   | *       | *         | 192.168.10.100 | 80 (HTTP)
TCP   | *       | 80 (HTTP) | ! LAN net      | 80 (HTTP)

Brett Woodruff writes:

> Looks like you're setting it up right on the DMZ... But there is one thing
> you're not realizing.... You can't access your internal servers by using your
> external address while you're inside the local network. As long as you're
> behind the firewall too, you have to use the private address... If you can
> get an internet connection from outside the firewall, i.e. neighbor, dialup,
> etc., you should be able to access your internal servers from the external
> address... as you are trying to do...
>
> Brett
>
> -----Original Message-----
> From: dasz [mailto:daszylstra at comcast dot net]
> Sent: Wednesday, April 19, 2006 10:37 PM
> To: NERD341 at softhome dot net; m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] DMZ Issues for the 400th Time
>
> ----- Original Message -----
> From: <NERD341 at softhome dot net>
> To: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Wednesday, April 19, 2006 10:32 PM
> Subject: [m0n0wall] DMZ Issues for the 400th Time
>
>> I have been reading the M0n0Wall mailing list for some time and still can't
>> find a fix for my problem; I am trying to set up a DMZ. I know this has
>> been asked a million times, but I must be missing something and would
>> appreciate a hand. Here is a little back story on my network. I have a
>> generic PC setup (P3 with a 4 GB HD, 512 MB of RAM) with 5 network cards.
>> I have 5 static IP addresses <X.X.X.154-158> I would like to use for
>> servers. I currently have my servers on the outside of my firewall to be
>> operational.
>>
>> Here is my network diagram.
>>
>> WAN (X.X.X.154)
>> LAN (192.168.1.1)
>>   <DHCP - PCs and Other Random IP Stuff>
>> DMZ (192.168.10.1)
>>   <192.168.10.100> - Server 1 (WWW1 and Mail) (X.X.X.155)
>>   <192.168.10.110> - Server 2 (WWW2) (X.X.X.156)
>>   <192.168.10.120> - Server 3 (Dev) (X.X.X.157)
>>   <192.168.10.130> - Server 4 (Other) (X.X.X.158)
>> WLAN (192.168.2.1)
>>   <DHCP - Private Wireless>
>> WLAN_PUBLIC (192.168.5.1)
>>   <DHCP - Public Wireless>
>>
>> I have Proxy ARP set up to listen for IPs X.X.X.155-158. I have captive
>> portal active on WLAN_PUBLIC and Outbound NAT set up for LAN, WLAN, and
>> WLAN_PUBLIC. 1:1 NAT is set up to match the above config.
>>
>> Now this is where I get a little confused. Which interface do I need to
>> set the rules up on to allow traffic to my servers? I have been testing
>> this by allowing HTTP to Server 1, with a rule like TCP | * | 80 |
>> 192.168.10.100 | 80 on the DMZ interface. Is this RIGHT? I am unable to
>> access the server by using the IP .154.
>>
>> I did add a rule of TCP | * | * | X.X.X.154 | 8080 so I could remote admin
>> the firewall for testing, and this works fine.
>>
>> Any help on getting this working would be greatly appreciated.
>
> ---------------------------------------------------------------------------
>
> Try the rule with TCP | * | * | 192.168.10.100 | 80 (the HTTP client
> doesn't normally use source port 80, just destination port 80).
>
> Also, when I'm debugging my config I find the firewall log is very
> helpful -- i.e. if you test HTTP access that gets denied, the log should show
> the event with source IP/port and destination IP/port . . . .
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
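An added example, not from the thread and not m0n0wall's own code: a small Python model of how the rule set above is evaluated against an HTTP request from the Internet. It assumes m0n0wall's behaviour as commonly described in its documentation: a rule is bound to the interface on which a packet enters, 1:1 NAT on WAN rewrites the destination to the private address before filtering (so rules see 192.168.10.100, not X.X.X.155), the first matching rule wins, and unmatched traffic is blocked. The addresses 198.51.100.154-158 and 203.0.113.7 are constructed stand-ins for the thread's X.X.X.154-158 and an outside browser; the `Packet`, `Rule`, `inbound_nat`, `first_match` and `evaluate` names are this example's own.

```python
"""Model of m0n0wall-style inbound 1:1 NAT followed by first-match filtering.

Assumptions (this example's, not verified against m0n0wall source):
  * a rule only applies to packets ENTERING the interface it is bound to,
  * 1:1 NAT on WAN rewrites the destination address before filtering,
  * first matching rule wins, anything unmatched is blocked.
All addresses below are constructed stand-ins (RFC 5737 documentation space).
"""
import ipaddress
from dataclasses import dataclass, replace

# external address -> DMZ host, mirroring the 1:1 NAT in the poster's diagram
ONE_TO_ONE_NAT = {
    "198.51.100.155": "192.168.10.100",   # Server 1 (WWW1 and Mail)
    "198.51.100.156": "192.168.10.110",   # Server 2 (WWW2)
    "198.51.100.157": "192.168.10.120",   # Server 3 (Dev)
    "198.51.100.158": "192.168.10.130",   # Server 4 (Other)
}
NET_ALIASES = {"LAN net": "192.168.1.0/24", "DMZ net": "192.168.10.0/24"}


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet enters on: "WAN", "LAN", "DMZ"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str      # interface the rule is bound to
    proto: str
    src: str        # "*", an alias, an IP or a CIDR; a leading "!" negates
    sport: str      # "*" or a port number
    dst: str
    dport: str


def _addr_match(spec: str, ip: str) -> bool:
    if spec == "*":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("! ")
    net = ipaddress.ip_network(NET_ALIASES.get(spec, spec), strict=False)
    hit = ipaddress.ip_address(ip) in net
    return not hit if negate else hit


def _port_match(spec: str, port: int) -> bool:
    return spec == "*" or int(spec) == port


def inbound_nat(pkt: Packet) -> Packet:
    """1:1 NAT acts on traffic entering WAN: rewrite dst to the DMZ host."""
    if pkt.iface == "WAN" and pkt.dst in ONE_TO_ONE_NAT:
        return replace(pkt, dst=ONE_TO_ONE_NAT[pkt.dst])
    return pkt


def first_match(rules, pkt: Packet):
    """Index of the first rule matching the (already NATed) packet, or None."""
    for i, r in enumerate(rules):
        if (r.iface == pkt.iface and r.proto == pkt.proto
                and _addr_match(r.src, pkt.src) and _port_match(r.sport, pkt.sport)
                and _addr_match(r.dst, pkt.dst) and _port_match(r.dport, pkt.dport)):
            return i
    return None


def evaluate(rules, pkt: Packet) -> str:
    idx = first_match(rules, inbound_nat(pkt))
    return f"pass (rule {idx})" if idx is not None else "block (no rule matched)"


# The three rules exactly as the poster listed them, bound to the DMZ interface.
POSTER_DMZ_RULES = [
    Rule("DMZ", "TCP", "DMZ net", "80", "*", "80"),
    Rule("DMZ", "TCP", "*", "*", "192.168.10.100", "80"),
    Rule("DMZ", "TCP", "*", "80", "! LAN net", "80"),
]
# The same three rules bound to WAN, where Internet traffic actually enters.
WAN_RULES = [replace(r, iface="WAN") for r in POSTER_DMZ_RULES]
# The poster's very first attempt (source port 80), moved to WAN.
ORIGINAL_RULE_ON_WAN = [Rule("WAN", "TCP", "*", "80", "192.168.10.100", "80")]

# An outside browser with an ephemeral source port hitting Server 1's public IP.
CLIENT_HTTP = Packet("WAN", "TCP", "203.0.113.7", 51234, "198.51.100.155", 80)
# The unusual case where the client happens to use source port 80.
CLIENT_HTTP_SPORT80 = replace(CLIENT_HTTP, sport=80)

if __name__ == "__main__":
    print("rules on DMZ:       ", evaluate(POSTER_DMZ_RULES, CLIENT_HTTP))
    print("rules on WAN:       ", evaluate(WAN_RULES, CLIENT_HTTP))
    print("sport-80 rule on WAN:", evaluate(ORIGINAL_RULE_ON_WAN, CLIENT_HTTP))
```

Under these assumptions the rule set bound to DMZ never sees a packet that enters on WAN, so an outside client is blocked by default no matter how the rules are written; bound to WAN, the second rule (any source, any source port, destination 192.168.10.100:80) is the one that passes the request. The model also shows dasz's point: a rule requiring source port 80 only matches a client whose ephemeral port happens to be 80.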