 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  "Molle Bestefich" <molle dot bestefich at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Re: Can't NAT on m0n0wall.
 Date:  Wed, 21 Jun 2006 11:34:02 -0500
Molle Bestefich wrote:
> James W. McKeand wrote:
>> When you say you have to enter two rules, are you referring to
>> having to add the NAT rule and the firewall rule? 
> 
> No, I was talking solely about the rulebase for the filter.
> 
>> If so, without checking the "auto add firewall rule" when you create
>> the Inbound NAT rule, you are correct you will need to add a
>> firewall rule separately.  
> 
> I'm not sure what this "auto add firewall rule" you speak of is or
> should do. 
> 
> I'm using 1:1 NAT on /32 addresses on m0n0wall 1.22.  I see no such
> option on the NAT overview page or in the NAT rule editor.

What I am referring to is when you create an Inbound NAT rule, at the
bottom of the form there is a checkbox to "auto add firewall rule". This
checkbox is empty by default. If you do not check it you have to add the
firewall rule manually. Firewall and NAT rules are handled separately on
m0n0wall. Remember, the NAT is handled first, so the destination of the
firewall rule is the internal IP.

For example:

Mail Server IP: 192.168.1.10

NAT rule for SMTP would be:
  Action:  Pass
  Interface:  WAN
  Protocol:  TCP
  Source
    Type:  any
    Source port range  from:  any
                         to:  any
  Destination
    Type:  Single host or alias
    Address:  192.168.1.10 
    Destination port range  from:  SMTP
                              to:  SMTP
  Log:  Log packets that are handled by this rule if you want...
  Description:  Enter a description here for your reference (not parsed)

Substitute whatever service you are trying to provide (http/s, ftp,
etc.)

In the case of 1:1 NAT, I believe you have to manually enter the
firewall rule (by default, the firewall rules do not allow any inbound
traffic to 1:1 NAT mappings). You may also need Proxy ARP.

_________________________________
James W. McKeand
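The ordering James describes (inbound NAT rewrites the destination first, then the filter rulebase sees the translated packet, so the WAN pass rule has to name the internal IP) can be checked with a small model. The following is an added illustration written for this page; it is not m0n0wall code and not part of the thread. It assumes first-match filter evaluation with default deny on WAN, a port-forward entry with separate external and local ports, and constructed addresses (203.0.113.5 and 203.0.113.6 as public addresses, 192.168.1.10 as the mail server from the mail above, 192.168.1.20 as a second host behind 1:1 NAT). The `auto_firewall_rule` helper stands in for what the "auto add firewall rule" checkbox produces.

```python
# Illustrative model of m0n0wall's inbound packet path (written for this page,
# not m0n0wall's own code): inbound NAT runs first, then the filter rulebase
# sees the translated packet, so a WAN "Pass" rule must name the internal IP.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Union


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class InboundNat:
    """Port forward: external_ip:ext_port -> target:local_port."""
    proto: str
    external_ip: str
    ext_port: int
    target: str
    local_port: int


@dataclass(frozen=True)
class OneToOneNat:
    """1:1 NAT: every port of external_ip is mapped to internal_ip."""
    external_ip: str
    internal_ip: str


@dataclass(frozen=True)
class FilterRule:
    action: str                  # "pass" or "block"
    proto: str                   # "tcp", "udp" or "any"
    dst: str                     # host, CIDR or "any"
    dport: Optional[int] = None  # None matches any destination port


def apply_nat(pkt: Packet, nat_rules: List[Union[InboundNat, OneToOneNat]]) -> Packet:
    """Rewrite the destination of an inbound WAN packet; first matching mapping wins."""
    for r in nat_rules:
        if isinstance(r, OneToOneNat) and pkt.dst == r.external_ip:
            return replace(pkt, dst=r.internal_ip)
        if (isinstance(r, InboundNat) and pkt.proto == r.proto
                and pkt.dst == r.external_ip and pkt.dport == r.ext_port):
            return replace(pkt, dst=r.target, dport=r.local_port)
    return pkt


def filter_packet(pkt: Packet, rules: List[FilterRule]) -> str:
    """First matching rule decides; nothing matching is blocked (default deny on WAN).
    First-match semantics are an assumption of this model."""
    for r in rules:
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.dst != "any" and ip_address(pkt.dst) not in ip_network(r.dst, strict=False):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "block"


def inbound(pkt, nat_rules, filter_rules) -> str:
    """The order the mail describes: NAT first, then the filter on the translated packet."""
    return filter_packet(apply_nat(pkt, nat_rules), filter_rules)


def auto_firewall_rule(nat: InboundNat) -> FilterRule:
    """Stand-in for the 'auto add firewall rule' checkbox: a pass rule whose
    destination is the NAT target and local port, not the public address."""
    return FilterRule("pass", nat.proto, nat.target, nat.local_port)


# Constructed addresses: documentation ranges stand in for the WAN side.
WAN_IP = "203.0.113.5"
MAIL_SERVER = "192.168.1.10"
SMTP_FORWARD = InboundNat("tcp", WAN_IP, 25, MAIL_SERVER, 25)
SMTP_FROM_INTERNET = Packet("tcp", "198.51.100.7", 40000, WAN_IP, 25)


def demo_port_forward():
    # A rule written against the public IP never matches: by the time the
    # filter runs, the destination has already been rewritten to 192.168.1.10.
    wrong = [FilterRule("pass", "tcp", WAN_IP, 25)]
    right = [auto_firewall_rule(SMTP_FORWARD)]
    return (inbound(SMTP_FROM_INTERNET, [SMTP_FORWARD], wrong),
            inbound(SMTP_FROM_INTERNET, [SMTP_FORWARD], right))


def demo_one_to_one():
    # 1:1 NAT maps every port, but no filter rule comes with it, so only the
    # ports you allow explicitly (against the internal IP) get through.
    web = OneToOneNat("203.0.113.6", "192.168.1.20")
    https = Packet("tcp", "198.51.100.7", 40001, "203.0.113.6", 443)
    ssh = Packet("tcp", "198.51.100.7", 40002, "203.0.113.6", 22)
    allow_https = [FilterRule("pass", "tcp", "192.168.1.20", 443)]
    return (inbound(https, [web], []),            # no filter rule yet: blocked
            inbound(https, [web], allow_https),   # allowed port: passes
            inbound(ssh, [web], allow_https))     # other port: still blocked


if __name__ == "__main__":
    print("port forward (rule on WAN IP, rule on internal IP):", demo_port_forward())
    print("1:1 NAT (no rule, https allowed, ssh with https rule):", demo_one_to_one())
```

Running it gives `('block', 'pass')` for the port forward and `('block', 'pass', 'block')` for the 1:1 mapping: the pass rule that names the public address is dead, the one that names 192.168.1.10 works, and a 1:1 mapping with no filter rule lets nothing in until a rule against the internal address is added.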