 From:  Mark Wass <mark dot wass at Market dash Analyst dot com>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] NAT and Routed IP's
 Date:  Fri, 12 May 2006 13:09:17 +1000
Hallelujah !!!

This one was driving me nuts!

Thanks Manuel and Chris for your help on this.

What is the process from this point? Will you be releasing an update to 
m0n0wall to fix this?

Thanks again guys :-D

Mark Wass

Chris Buechler wrote:

> On 5/11/06, Mark Wass <mark dot wass at market dash analyst dot com> wrote:
>
>> Hi All
>>
>> Just thought I'd post again on this subject. See if I can get some fresh
>> eyes on it.
>>
>> *Scenario*
>> I have 2 mail servers. 1 in my LAN which is Natted from my WAN, and
>> another mail server in my DMZ on a Public IP that is routed to my WAN 
>> IP.
>>
>
> Manuel found the answer to this, from an email I sent him offlist
> because of some offlist discussions with Mark.
>
> For the sake of the archives, this is a bug.  I can't believe nobody
> else has ever discovered it...
>
> I'll paste part of Manuel's email describing this issue:
>
> -- 
> When you create "inbound NAT" entries in m0n0wall, the corresponding
> ipnat rules that are generated look like the following:
>
> rdr <iface> 0.0.0.0/0 port xx -> <internal_ip> port xx tcp
>
> So the WAN IP address is not used to match packets to the rule, but
> 0.0.0.0/0 instead, which means "any IP". That's most likely the
> reason why the RDR rule grabs all his inbound port 25 packets.
>
> I see two possible solutions:
>
> - ipnat supports 0/32 as a shortcut to say "the current IP address of
> the interface", but IIRC you can only use that as a target to NAT to
> in "map" rules - but might be worth a try anyway
>
> - change the NAT rule generator to use the current WAN IP address
> instead of 0.0.0.0/0 - the rules get reloaded when the WAN IP address
> changes anyway
>
> ipnat rules can be manually inserted and removed through exec.php
> with a command like the following:
>
> echo "rdr blabla ..." | ipnat -f -
>
> To remove an existing rule, add the "-r" flag to the ipnat command.
>
> As a workaround until the problem is fixed, one could use Server NAT
> instead of inbound NAT (i.e. create a server NAT entry for the WAN IP
> address and then use that instead of "Interface address" in the
> inbound NAT entry for SMTP). However, that server NAT entry needs to
> be created manually in config.xml since the webGUI will not allow the
> WAN IP address to be used in a Server NAT entry.
> -- 
>
> -Chris
>
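As an added illustration of the bug Manuel describes (this is example code, not from the thread and not m0n0wall's own rule generator): a small Python model of how an ipnat "rdr" rule matches on destination address, using constructed addresses and a constructed interface name. It shows the generated rule with 0.0.0.0/0 also catching port 25 packets addressed to the routed DMZ host, and the second proposed fix (substituting the current WAN IP) leaving that traffic alone.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example addresses and interface name (not from the thread).
WAN_IF = "sis0"
WAN_IP = "203.0.113.10"      # m0n0wall's WAN interface address
LAN_MAIL = "192.168.1.25"    # mail server on the LAN, reached via inbound NAT
DMZ_MAIL = "203.0.113.70"    # mail server on a routed public IP (must not be rewritten)


@dataclass(frozen=True)
class Rdr:
    """One ipnat rule: rdr <iface> <dst_net> port <port> -> <target> port <tport> <proto>."""
    iface: str
    dst_net: str
    port: int
    target: str
    tport: int
    proto: str = "tcp"

    def matches(self, dst_ip, dst_port, proto="tcp"):
        # ipnat matches on destination network, destination port and protocol;
        # with dst_net = 0.0.0.0/0 every destination address qualifies.
        net = ipaddress.ip_network(self.dst_net, strict=False)
        return (proto == self.proto and dst_port == self.port
                and ipaddress.ip_address(dst_ip) in net)

    def text(self):
        return (f"rdr {self.iface} {self.dst_net} port {self.port} "
                f"-> {self.target} port {self.tport} {self.proto}")


def generate_inbound_nat(iface, wan_ip, port, internal_ip, buggy=True):
    """Model of the inbound NAT rule generator. buggy=True mirrors the behaviour
    in the thread (match 0.0.0.0/0); buggy=False applies Manuel's second fix
    and matches only the current WAN address."""
    dst_net = "0.0.0.0/0" if buggy else f"{wan_ip}/32"
    return Rdr(iface, dst_net, port, internal_ip, port)


def apply_rdr(rules, dst_ip, dst_port, proto="tcp"):
    """Return (ip, port) after the first matching rdr rule, or unchanged if none matches."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port, proto):
            return (rule.target, rule.tport)
    return (dst_ip, dst_port)
```

Running the model with the buggy rule shows SMTP traffic for the DMZ address being redirected to the LAN server; with the WAN-address rule only traffic for the WAN IP is rewritten.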