 
 From:  "Barth, Joshua A" <JABarth at mtech dot edu>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  1:1 NAT /24 subnet issue
 Date:  Mon, 14 Aug 2006 15:46:52 -0600
I am trying to translate a whole subnet on my Monowall; the topology is as follows:

Router----------------Monowall-------------Lan


Router interface 10.36.9.254/24
Monowall Wan interface 10.36.9.2/24
Monowall Lan interface 10.36.220.254/24

I have 10.36.20.0/24 routed to the next hop of 10.36.9.2 and wish to translate all 10.36.20.0/24
subnet requests to 10.36.220.0/24.

I have unchecked the RFC 1918 box on each interface.

The process that follows has been tried with and without proxy ARP and the topology adjustments
that are required.

I get the same outcome if I set it up either way; my firewall rules are completely open.

I try to ping, say, the 10.36.20.254 address; in theory this should give me the LAN interface.  I see
that the ping is forwarded to the Monowall, but when I look at the Firewall state table the
translated address for the destination is 10.36.220.0.

Now I thought to myself, well, that won't work; there is no way to communicate with a network address.

So I try to admin the 10.36.20.254 address in my browser with no luck at all.

I then change the translation to just 10.36.20.254/32 <----> 10.36.220.254/32, and I can admin
it in my browser from a remote host on my network as though I were on the LAN interface; it works.

So I conclude that something about the way that we enter the translations in the Monowall NAT 1:1 is
screwing it up; it appears that, even though we enter the subnet mask, it is only taken into
consideration to create the entry in the feedback table and is not applied in iptables.  Therefore,
when we enter the host mapping it works, because the subnet mask actually means nothing to
the OS.

I do not want to have to create a simple script to create the onetoone xml for each /32 mapping, as
it would be ugly in the browser feedback table; it should just work the way it is distributed.

I can't believe that this is an issue; I am open to suggestions and hope that I am overlooking
something.  I assume that I am at some point, because I cannot find anyone with the same issue.

Thanks in advance for all correspondence,

Joshua Barth
Montana Tech. Network Services
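Added example (not part of the post and not m0n0wall code): what a correct 1:1 subnet translation of the pair in the post should produce, a reproduction of the symptom described (every destination collapsing onto the network address 10.36.220.0), and a check that flags a state-table entry showing that symptom. The two /24 networks are taken from the post; the function names are my own.

```python
import ipaddress

# Subnet pair from the post: external 10.36.20.0/24 is 1:1 mapped onto
# the internal LAN 10.36.220.0/24.
EXTERNAL_NET = ipaddress.ip_network("10.36.20.0/24")
INTERNAL_NET = ipaddress.ip_network("10.36.220.0/24")


def translate_1to1(addr, external_net, internal_net):
    """Correct 1:1 NAT for a subnet pair: keep the host bits of addr and
    swap only the network bits, so 10.36.20.254 becomes 10.36.220.254."""
    if external_net.prefixlen != internal_net.prefixlen:
        raise ValueError("1:1 NAT needs two subnets of the same size")
    ip = ipaddress.ip_address(addr)
    if ip not in external_net:
        raise ValueError(f"{ip} is not inside {external_net}")
    host_bits = int(ip) & int(external_net.hostmask)
    return ipaddress.ip_address(int(internal_net.network_address) | host_bits)


def buggy_translate_1to1(addr, external_net, internal_net):
    """Reproduces the behaviour the post observes: the netmask is ignored,
    so every external address is rewritten to the internal network address,
    which no host answers on."""
    ipaddress.ip_address(addr)  # validate the input only
    return internal_net.network_address


def check_state_entry(dst_external, dst_translated, external_net, internal_net):
    """Compare one firewall state-table entry (original destination and the
    translated destination) against the expected 1:1 mapping.
    Returns (ok, reason) so the reason can be logged or alerted on."""
    expected = translate_1to1(dst_external, external_net, internal_net)
    observed = ipaddress.ip_address(dst_translated)
    if observed == expected:
        return True, "translation preserves the host bits"
    if observed == internal_net.network_address:
        return False, (f"translated to network address {observed}; "
                       "the subnet mask appears to be ignored")
    return False, f"expected {expected}, got {observed}"


if __name__ == "__main__":
    # The state-table entry described in the post: 10.36.20.254 -> 10.36.220.0
    print(translate_1to1("10.36.20.254", EXTERNAL_NET, INTERNAL_NET))
    print(check_state_entry("10.36.20.254", "10.36.220.0", EXTERNAL_NET, INTERNAL_NET))
```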