 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] NAT and Routed IP's
 Date:  Thu, 11 May 2006 22:44:55 -0400
On 5/11/06, Mark Wass <mark dot wass at market dash analyst dot com> wrote:
> Hi All
> Just thought I'd post again on this subject. See if I can get some fresh
> eyes on it.
> *Scenario*
> I have 2 mail servers. 1 in my LAN which is Natted from my WAN, and
> another mail server in my DMZ on a Public IP that is routed to my WAN IP.

Manuel found the answer to this, from an email I sent him offlist
because of some offlist discussions with Mark.

For the sake of the archives, this is a bug.  I can't believe nobody
else has ever discovered it...

I'll paste part of Manuel's email describing this issue:

When you create "inbound NAT" entries in m0n0wall, the corresponding
ipnat rules that are generated look like the following:

rdr <iface> port xx -> <internal_ip> port xx tcp

So the WAN IP address is not used to match packets to the rule, but instead, which means "any IP". That's most likely the
reason why the RDR rule grabs all his inbound port 25 packets.

I see two possible solutions:

- ipnat supports 0/32 as a shortcut to say "the current IP address of
the interface", but IIRC you can only use that as a target to NAT to
in "map" rules - but might be worth a try anyway

- change the NAT rule generator to use the current WAN IP address
instead of - the rules get reloaded when the WAN IP address
changes anyway

ipnat rules can be manually inserted and removed through exec.php
with a command like the following:

echo "rdr blabla ..." | ipnat -f -

To remove an existing rule, add the "-r" flag to the ipnat command.

As a workaround until the problem is fixed, one could use Server NAT
instead of inbound NAT (i.e. create a server NAT entry for the WAN IP
address and then use that instead of "Interface address" in the
inbound NAT entry for SMTP). However, that server NAT entry needs to
be created manually in config.xml since the webGUI will not allow the
WAN IP address to be used in a Server NAT entry.
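To make the bug and the proposed fix concrete, here is an added example (not m0n0wall code, and not from Manuel's or Chris's mail) that builds ipnat "rdr" lines the two ways discussed above and simulates which inbound packets each set would grab. The interface name, the addresses, the entry list and the "0.0.0.0/0" spelling of "any destination" are assumptions made for the example; only the rule shape and the match semantics follow the message.

```python
"""Added example: why an ipnat rdr rule without a WAN address hijacks
routed traffic, and what pinning it to the WAN IP changes.

Assumptions (not from the original mail): interface "sis0", WAN IP
203.0.113.10, a routed DMZ mail server at 203.0.113.25, a NATed LAN mail
server at 192.168.1.25, and 0.0.0.0/0 as ipnat's spelling of "any IP".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed scenario, mirroring Mark's two mail servers.
WAN_IF = "sis0"
WAN_IP = "203.0.113.10"     # address of the firewall's WAN interface
DMZ_MAIL = "203.0.113.25"   # public IP routed *through* the WAN, not NATed
LAN_MAIL = "192.168.1.25"   # private host behind inbound NAT


@dataclass(frozen=True)
class InboundNat:
    """One webGUI 'inbound NAT' entry: external port -> internal host."""
    port: int
    internal_ip: str
    proto: str = "tcp"


@dataclass(frozen=True)
class RdrRule:
    """One generated ipnat 'rdr' rule."""
    iface: str
    dst_net: ipaddress.IPv4Network
    port: int
    target_ip: str
    target_port: int
    proto: str

    def text(self) -> str:
        # Shape of the rule quoted in the mail, with the destination filled in.
        return (f"rdr {self.iface} {self.dst_net} port {self.port} -> "
                f"{self.target_ip} port {self.target_port} {self.proto}")

    def matches(self, dst_ip: str, dst_port: int, proto: str) -> bool:
        return (ipaddress.IPv4Address(dst_ip) in self.dst_net
                and dst_port == self.port and proto == self.proto)


def generate_rules(iface: str, wan_ip: str, entries: List[InboundNat],
                   pin_to_wan_ip: bool) -> List[RdrRule]:
    """Emit rdr rules for the inbound NAT entries.

    pin_to_wan_ip=False reproduces the buggy generator (destination "any");
    pin_to_wan_ip=True is the second fix Manuel proposes: match only the
    current WAN address (the rules are regenerated whenever it changes).
    """
    if pin_to_wan_ip:
        dst = ipaddress.IPv4Network(f"{wan_ip}/32")
    else:
        dst = ipaddress.IPv4Network("0.0.0.0/0")  # assumed "any IP" form
    return [RdrRule(iface, dst, e.port, e.internal_ip, e.port, e.proto)
            for e in entries]


def first_redirect(rules: List[RdrRule], dst_ip: str, dst_port: int,
                   proto: str = "tcp") -> Optional[str]:
    """Return the internal IP an inbound packet would be redirected to,
    or None if no rdr rule claims it (it is then routed normally)."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port, proto):
            return rule.target_ip
    return None


def load_command(rule: RdrRule, remove: bool = False) -> str:
    """The exec.php one-liner from the mail for inserting (or, with -r,
    removing) a single rule by hand."""
    flags = "-r -f -" if remove else "-f -"
    return f'echo "{rule.text()}" | ipnat {flags}'


ENTRIES = [InboundNat(25, LAN_MAIL)]  # SMTP to the LAN mail server

if __name__ == "__main__":
    for pinned in (False, True):
        rules = generate_rules(WAN_IF, WAN_IP, ENTRIES, pinned)
        print("pinned to WAN IP" if pinned else "buggy (any IP)")
        for r in rules:
            print("  ", load_command(r))
        print("   SMTP to WAN IP  ->", first_redirect(rules, WAN_IP, 25))
        print("   SMTP to DMZ host->", first_redirect(rules, DMZ_MAIL, 25))
```

Running it shows the symptom from the thread: with the "any IP" rule, mail for the routed DMZ address is redirected to the LAN mail server as well; with the destination pinned to the WAN address, only traffic actually sent to the firewall's WAN IP is redirected and the DMZ host's port 25 is left alone.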