 From:  "Molle Bestefich" <molle dot bestefich at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  problem when using VLANs and NAT
 Date:  Thu, 8 Jun 2006 18:38:45 +0200

I have a problem using VLANs and/or NAT.

I've created a number of /30 VLANs, assigning one address to m0n0wall
and one to another box in each VLAN.

Pinging either way over the VLAN (m0n0wall <-> box) works fine.

For each VLAN, I've added a 1:1 NAT in m0n0wall, since the server box
has a private IP and I'd like to expose it with a public IP.

Accessing the box from the outside does not work.

Here's a tcpdump from the outside:

No   Time    Src   Dst   Seq   Next   Ack   Flags        Info
1    55.5s   me    BOX   0     -      0     [SYN]        2952 > http
2    55.5s   BOX   me    0     -      1     [SYN, ACK]   http > 2952
3    55.5s   me    BOX   1     -      1     [ACK]        2952 > http
4    55.6s   me    BOX   1     407    1     [PSH, ACK]   GET / HTTP
5    55.6s   BOX   me    1     -      407   [ACK]        http > 2952
6    55.6s   BOX   me    1     295    407   [PSH, ACK]   HTTP 200 OK
7    55.6s   BOX   me    295   643    407   [PSH, ACK]   HTTP continuation
8    58.6s   BOX   me    1     643    407   [PSH, ACK]   HTTP 200 OK
9    64.6s   BOX   me    1     643    407   [PSH, ACK]   HTTP 200 OK
10   70.6s   BOX   me    643   -      407   [FIN, ACK]
11   70.6s   me    BOX   407   -      1     [ACK]        2952 > http
12   76.6s   BOX   me    1     643    407   [PSH, ACK]   HTTP 200 OK
13    100s   BOX   me    1     643    407   [PSH, ACK]   HTTP 200 OK
14    148s   BOX   me    1     643    407   [PSH, ACK]   HTTP 200 OK
15    245s   BOX   me    1     643    407   [PSH, ACK]   HTTP 200 OK

Based on all the retransmits from the box of the packet with Seq=1, it
seems to me like the ACK flag might have been stripped from packet 4
by m0n0wall?

It's obvious that the box actually received packet 4, since that
packet contains the HTTP request that it's answering - but apparently
it does not see the ACK that it contains.  (Or?)

I cannot SSH to the box and tcpdump from there, obviously, since SSH
exhibits odd behaviour too.
And there's no tcpdump on m0n0wall, so I cannot see traffic as it
passes through (would have been *immensely* helpful, btw).

But I can SSH to the m0n0wall and SSH from there to the server box.
When doing that, the SSH session is initialized, but then it sort of
just hangs forever without any output.
Probably the same thing that's happening with the HTTP session above,
so in conclusion it so far seems to be m0n0wall that's doing something

The server works fine when accessed through another (non-m0n0wall)
firewall, btw.
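The trace above, run through a small analysis script. This is an added example, not part of the original post: it parses the table, compares the bytes each side sent with the highest ACK the other side returned, and lists which segments were re-sent and at what intervals. The table is transcribed into the script as constructed input; the hostnames "me" and "BOX" are taken from the post.

```python
import re
from collections import defaultdict

# Constructed input: the flow table from the post, transcribed as given
TRACE = """\
1    55.5s   me    BOX   0     -      0     [SYN]        2952 > http
2    55.5s   BOX   me    0     -      1     [SYN, ACK]   http > 2952
3    55.5s   me    BOX   1     -      1     [ACK]        2952 > http
4    55.6s   me    BOX   1     407    1     [PSH, ACK]   GET / HTTP
5    55.6s   BOX   me    1     -      407   [ACK]        http > 2952
6    55.6s   BOX   me    1     295    407   [PSH, ACK]   HTTP 200 OK
7    55.6s   BOX   me    295   643    407   [PSH, ACK]   HTTP continuation
8    58.6s   BOX   me    1     643    407   [PSH, ACK]   HTTP 200 OK
9    64.6s   BOX   me    1     643    407   [PSH, ACK]   HTTP 200 OK
10   70.6s   BOX   me    643   -      407   [FIN, ACK]
11   70.6s   me    BOX   407   -      1     [ACK]        2952 > http
12   76.6s   BOX   me    1     643    407   [PSH, ACK]   HTTP 200 OK
13    100s   BOX   me    1     643    407   [PSH, ACK]   HTTP 200 OK
14    148s   BOX   me    1     643    407   [PSH, ACK]   HTTP 200 OK
15    245s   BOX   me    1     643    407   [PSH, ACK]   HTTP 200 OK
"""
ROW = re.compile(r"^(\d+)\s+([\d.]+)s\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+\[([^\]]*)\]")

def analyze(trace):
    """Per host: bytes sent but never acknowledged by the peer, packets that
    re-send bytes already on the wire, and the gaps between those re-sends."""
    sent_end = defaultdict(int)   # highest sequence number each host has sent
    acked_by = defaultdict(int)   # highest ACK number each host has returned
    retrans, rtimes = defaultdict(list), defaultdict(list)
    for line in trace.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        no, t, src, dst, seq, nxt, ack, flags = m.groups()
        no, t, seq, ack = int(no), float(t), int(seq), int(ack)
        if "ACK" in flags:
            acked_by[src] = max(acked_by[src], ack)
        if nxt == "-":            # no payload (SYN, bare ACK, FIN)
            continue
        if seq < sent_end[src]:   # segment starts below data already sent
            retrans[src].append(no)
            rtimes[src].append(t)
        sent_end[src] = max(sent_end[src], int(nxt))
    hosts = set(sent_end) | set(acked_by)
    unacked = {h: max(0, sent_end[h] - max((acked_by[p] for p in hosts if p != h), default=0))
               for h in hosts}
    backoff = {h: [round(b - a, 1) for a, b in zip(ts, ts[1:])] for h, ts in rtimes.items()}
    return {"unacked": unacked, "retransmits": {h: retrans[h] for h in hosts}, "backoff": backoff}

if __name__ == "__main__":
    print(analyze(TRACE))
```

The output shows which side is re-sending and how many of its bytes the other side's ACKs never cover; the growing gaps between re-sends are the sender's normal retransmission back-off.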