 
 From:  "Joel Cruz" <jcruz at guess dot com dot ph>
 To:  "'James W. McKeand'" <james at mckeand dot biz>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] N/A
 Date:  Tue, 22 Aug 2006 13:18:13 +0800
James.

Why can't I ping the IP that I put in Server NAT? For example:

Server NAT

Public IP	Description
210.1.x.a	Mail Server
210.1.x.b	DNS Server
210.1.x.c	Proxy Server

The IP of the proxy that I configured in Server NAT, I cannot ping it using
some website that has a ping utility. Is there any configuration in the rules
that I missed?



-----Original Message-----
From: James W. McKeand [mailto:james at mckeand dot biz] 
Sent: Saturday, August 19, 2006 10:15 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] N/A

I am not sure I understand what you are trying to accomplish.

You may not be able to "ping" but do the services work? Can you telnet
to port 25 of the public IP assigned to the mail server? Can you use Dig
(or NSLookup) from a remote machine to query the DNS?

You will not be able to "ping" the public IPs from the LAN. This is
called the classic "LAN-NAT" issue. See:
http://doc.m0n0.ch/handbook-single/#id2610631

Please reply to list (i.e. m0n0wall at lists dot m0n0 dot ch)

_________________________________
James W. McKeand


-----Original Message-----
From: Joel Cruz [mailto:jcruz at guess dot com dot ph] 
Sent: Saturday, August 19, 2006 2:55 AM
To: James W. McKeand
Subject: RE: [m0n0wall] N/A

James,

I tried to follow what you said and this is now my configuration:

Aliases

Mail	192.168.2.a mail server
DNS	192.168.2.b	DNS server
Proxy	192.168.2.c proxy server

Server NAT

Public IP	Description
210.1.x.a	Mail Server
210.1.x.b	DNS Server
210.1.x.c	Proxy Server

Inbound NAT

If		Proto	Ext.	NAT	Int.	Description
210.1.x.a	TCP	SMTP	Mail	SMTP	Mail Server
210.1.x.b	TCP	DNS	Dns	DNS	DNS Server

I added a rule in the DMZ to ping the outside web from my 3 servers (dns, mail and
proxy), but I noticed that when I try to ping yahoo from my mail and dns and from my
proxy, I cannot ping yahoo unless I stop the mail or dns pinging yahoo, and vice versa.
Also I cannot ping the aliases or my extra public IPs from outside the web. Is
there any configuration that I missed?





-----Original Message-----
From: James W. McKeand [mailto:james at mckeand dot biz] 
Sent: Friday, August 18, 2006 10:19 PM
To: Joel Cruz
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] N/A

Joel Cruz wrote:
> I have 3 servers: mail, dns and proxy (all running on linux). We are
> the ones who host our mail and dns server; as of now we don't have a
> firewall for the three servers, only the firewall that is embedded in
> linux. My plan is to put the monowall first, in front of my 3 servers.
> Just like this:
> 
> Wan--> monowall-->private
> 	    |
> 	    |
> 	    Dmz
> 
> 
> I setup the monowall in P4 2.66Mghz 4G, 128MB memory. This is my
> configuration
> 
> Wan = dhcp
> Lan = 192.168.1.x/24
> DMZ = 192.168.2.x/24
> 
> Rules are on the default configuration.
> 
> NAT:
> 
> Inbound
> Wan	TCP	SMTP	192.168.2.x	SMTP	description
> Wan	TCP	HTTP	192.168.2.x HTTP	description
> Wan	TCP	DNS	192.168.2.x	DNS	description
> 
> 
> Aliases
> 
> Mail	210.1.x.x 	mail server
> Dns	210.1.x.x	dns server
> Proxy 210.1.x.x	proxy server

Like I said Aliases are for creating rules. Your Aliases should be like:

Mail	192.168.2.a mail server
DNS	192.168.2.b	DNS server
Proxy	192.168.2.c proxy server

I assume that you have multiple public IPs and want to use public IPs
for these machines. To include the additional Public IPs you will need
to add Server NAT entries. They will look like:

Public IP	Description
210.1.x.a	Mail Server
210.1.x.b	DNS Server
210.1.x.c	Proxy Server

Then you can create Inbound NAT rules like:
If		Proto	Ext.	NAT	Int.	Description
210.1.x.a	TCP	SMTP	Mail	SMTP	Mail Server
210.1.x.b	TCP	DNS	Dns	DNS	DNS Server
 etc.
(notes: 1. Mail & DNS are aliases 2. Check Auto create Firewall rule)
 
> Prob 1: From my proxy when I try to ping the gateway, the request times out,
> but in the lan when I try to ping the ip of the proxy it will reply. I
> cannot ping from the DMZ to the gateway ip, which is the ip of monowall.

I am assuming that the IP of the LAN interface is 192.168.1.1 and the IP
of the DMZ interface is 192.168.2.1.

You should be able to ping 192.168.2.1 from 192.168.2.c. 
You should not be able to ping 192.168.1.1 from 192.168.2.c (unless you
added firewall rules)

You should be able to ping 192.168.2.1 from a 192.168.1.x address
You should be able to ping 192.168.1.1 from a 192.168.1.x address

> Prob 2: My aliases, for example 210.1.x.x, I cannot ping from outside the
> web; I tried some website that has a ping tool. I have to see the IP
> of my aliases from outside the web, even the alias that is assigned as
> the ip of my mail.

If you setup the Server NAT like above AND you add the appropriate
firewall rules, you should be able to ping your NATed servers.

In the future please respond to the list.

_________________________________
James W. McKeand
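As an added illustration (not m0n0wall code and not from either poster), the toy model below evaluates the Server NAT, Inbound NAT and auto-created firewall rules shown in the thread and reports why an inbound ICMP echo to the proxy's public address is dropped while SMTP to the mail server is forwarded. It also covers the two other cases James raises: a LAN host sending to the public IP (the "LAN-NAT" case) and a service that has no NAT entry at all. The placeholder addresses 210.1.x.a and 192.168.2.a are taken verbatim from the thread as opaque tokens; the Packet/InboundNat/FwRule/Firewall classes, the "wan"/"lan" interface names and the ICMP mapping added in build_with_icmp are assumptions of this model, not m0n0wall options.

```python
from dataclasses import dataclass, field
from typing import Optional

# Placeholder tokens copied from the thread (not real addresses).
ALIASES = {"Mail": "192.168.2.a", "DNS": "192.168.2.b", "Proxy": "192.168.2.c"}
SERVER_NAT = {"210.1.x.a", "210.1.x.b", "210.1.x.c"}  # extra public IPs the firewall owns
PORTS = {"SMTP": 25, "DNS": 53}


@dataclass(frozen=True)
class Packet:
    iface: str                   # interface the packet arrives on: "wan" or "lan" (assumed names)
    proto: str                   # "tcp", "udp" or "icmp"
    dst: str                     # destination address before NAT
    dport: Optional[int] = None  # None for ICMP


@dataclass(frozen=True)
class InboundNat:
    public_ip: str               # the "If" column of the thread's Inbound NAT table
    proto: str
    ext_port: Optional[int]
    target: str                  # alias name, resolved through ALIASES
    int_port: Optional[int]


@dataclass(frozen=True)
class FwRule:
    iface: str
    proto: str                   # "any" matches every protocol
    dst: str                     # destination address *after* NAT
    dport: Optional[int]         # None matches any port

    def matches(self, iface, proto, dst, dport):
        return (self.iface == iface and self.proto in ("any", proto)
                and self.dst == dst and self.dport in (None, dport))


@dataclass
class Firewall:
    inbound_nat: list
    rules: list = field(default_factory=list)

    def auto_create_rules(self):
        """Model the 'Auto create Firewall rule' checkbox: one WAN pass rule per NAT entry."""
        for n in self.inbound_nat:
            self.rules.append(FwRule("wan", n.proto, ALIASES[n.target], n.int_port))

    def evaluate(self, pkt):
        """Return where the packet ends up, or the reason it never reaches a server."""
        if pkt.dst not in SERVER_NAT:
            return "dropped: destination is not a Server NAT address"
        if pkt.iface != "wan":
            # Port forwards only rewrite packets arriving on WAN; a LAN host aiming at
            # the public IP is routed toward the internet instead (the LAN-NAT case).
            return "not translated: inbound NAT only applies on WAN"
        for n in self.inbound_nat:
            if n.public_ip == pkt.dst and n.proto == pkt.proto and n.ext_port == pkt.dport:
                new_dst, new_port = ALIASES[n.target], n.int_port
                break
        else:
            return "dropped: no inbound NAT entry for this protocol/port"
        # WAN is default-deny: the translated packet still needs an explicit pass rule.
        for r in self.rules:
            if r.matches("wan", pkt.proto, new_dst, new_port):
                return f"forwarded to {new_dst}"
        return "dropped: translated but no firewall rule passes it"


def build_thread_config():
    """Exactly the two Inbound NAT rows posted in the thread, with auto-created rules."""
    fw = Firewall([
        InboundNat("210.1.x.a", "tcp", PORTS["SMTP"], "Mail", PORTS["SMTP"]),
        InboundNat("210.1.x.b", "tcp", PORTS["DNS"], "DNS", PORTS["DNS"]),
    ])
    fw.auto_create_rules()
    return fw


def build_with_icmp():
    """Hypothetical fix within this model: an ICMP mapping plus a pass rule for the proxy."""
    fw = build_thread_config()
    fw.inbound_nat.append(InboundNat("210.1.x.c", "icmp", None, "Proxy", None))
    fw.rules.append(FwRule("wan", "icmp", ALIASES["Proxy"], None))
    return fw


if __name__ == "__main__":
    fw = build_thread_config()
    for p in (Packet("wan", "tcp", "210.1.x.a", 25),   # SMTP to mail server
              Packet("wan", "icmp", "210.1.x.c"),      # ping the proxy's public IP
              Packet("wan", "udp", "210.1.x.b", 53),   # a normal UDP DNS query
              Packet("lan", "tcp", "210.1.x.a", 25)):  # LAN host using the public IP
        print(p, "->", fw.evaluate(p))
    print("with ICMP mapping ->", build_with_icmp().evaluate(Packet("wan", "icmp", "210.1.x.c")))
```

Two things the run makes visible that the tables alone do not: the proxy has no Inbound NAT row and no ICMP rule at all, so an external ping to 210.1.x.c has nothing to match; and the DNS row forwards TCP only, so an ordinary UDP query to 210.1.x.b is also dropped by this model until a UDP (or TCP/UDP) entry is added.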



---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch


-- 
This message has been scanned for viruses and
dangerous content by Diversion Industries Inc. 
believed to be clean.

