I have a problem using VLANs and/or NAT.
I've created a number of /30 VLANs, assigning one address to m0n0wall
and one to another box in each VLAN.
Pinging either way over the VLAN (m0n0wall <-> box) works fine.
For each VLAN, I've added a 1:1 NAT in m0n0wall, since the server box
has a private IP and I'd like to expose it with a public IP.
Accessing the box from the outside does not work.
Here's a tcpdump from the outside:
No  Time    Src  Dst  Seq  Next  Ack  Flags       Info
1   55.5s   me   BOX  0    -     0    [SYN]       2952 > http
2   55.5s   BOX  me   0    -     1    [SYN, ACK]  http > 2952
3   55.5s   me   BOX  1    -     1    [ACK]       2952 > http
4   55.6s   me   BOX  1    407   1    [PSH, ACK]  GET / HTTP
5   55.6s   BOX  me   1    -     407  [ACK]       http > 2952
6   55.6s   BOX  me   1    295   407  [PSH, ACK]  HTTP 200 OK
7   55.6s   BOX  me   295  643   407  [PSH, ACK]  HTTP continuation
8   58.6s   BOX  me   1    643   407  [PSH, ACK]  HTTP 200 OK
9   64.6s   BOX  me   1    643   407  [PSH, ACK]  HTTP 200 OK
10  70.6s   BOX  me   643  -     407  [FIN, ACK]
11  70.6s   me   BOX  407  -     1    [ACK]       2952 > http
12  76.6s   BOX  me   1    643   407  [PSH, ACK]  HTTP 200 OK
13  100s    BOX  me   1    643   407  [PSH, ACK]  HTTP 200 OK
14  148s    BOX  me   1    643   407  [PSH, ACK]  HTTP 200 OK
15  245s    BOX  me   1    643   407  [PSH, ACK]  HTTP 200 OK
Based on all the retransmits from the box of the packet with Seq=1, it
seems to me like the ACK flag might have been stripped from packet 4.
It's obvious that the box actually received packet 4, since that
packet contains the HTTP request that it's answering - but apparently
it does not see the ACK that it contains. (Or?)
I cannot SSH to the box and tcpdump from there, obviously, since SSH
exhibits odd behaviour too.
And there's no tcpdump on m0n0wall, so I cannot see traffic as it
passes through (would have been *immensely* helpful, btw).
But I can SSH to the m0n0wall and SSH from there to the server box.
When doing that, the SSH session is initialized, but then it sort of
just hangs forever without any output.
Probably the same thing that's happening with the HTTP session above,
so in conclusion it so far seems to be m0n0wall that's doing something
The server works fine when accessed through another (non-m0n0wall)