I'm configuring a multi-homed M0n0wall and I've gotten myself confused
about which NAT to use. Here's an excerpt from config.xml that might
help.
<servernat>
  <ipaddr>3.2.1.27</ipaddr>
  <descr>mumble</descr>
</servernat>
<rule>
  <external-address>3.2.1.27</external-address>
  <protocol>tcp</protocol>
  <external-port>22</external-port>
  <target>1.2.3.102</target>
  <local-port>22</local-port>
  <interface>wan</interface>
  <descr>SSH to Debian</descr>
</rule>
<rule>
  <external-address>3.2.1.27</external-address>
  <protocol>tcp</protocol>
  <external-port>2004</external-port>
  <target>1.2.3.223</target>
  <local-port>2004</local-port>
  <interface>wan</interface>
  <descr/>
</rule>
<rule>
  <external-address>3.2.1.27</external-address>
  <protocol>tcp</protocol>
  <external-port>7650</external-port>
  <target>1.2.3.223</target>
  <local-port>7650</local-port>
  <descr/>
</rule>
To summarize, I have one IP address set to SERVERNAT and different
ports forwarded to different machines.
I also have another IP address 1:1 NATed to a machine in the DMZ. The
XML configuration for ports doesn't ask for or include external IP
addresses, so a rule looks like this.
<rule>
  <protocol>tcp</protocol>
  <external-port>20</external-port>
  <target>172.16.0.10</target>
  <local-port>20</local-port>
  <interface>wan</interface>
  <descr>FTP data</descr>
</rule>
I understand, obviously incorrectly, that 1:1 NAT is for cases where
every connection will go to a single host internally, and that ServerNAT
will establish a single IP on the external interface that can be
connected to different internal IPs according to the ports assigned in
rules.
I have proxy-arp turned on for the ServerNAT addresses, but not the
1:1 NAT addresses.
Things don't work as I expect, including the inability to access the
machine above, at 3.2.1.27 or private IP 1.2.3.102, through SSH.
Thanks in advance for any insights or corrections.
--
Neil Schneider telecomneil
at gmail dot com
I don't use this account for personal email, I don't check it as
often. If you want to contact me directly use pacneil at linux geek
dot net instead.
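A small config-auditing script, added here and not part of the post or of m0n0wall itself, that applies the checks a reader would want to run over a NAT section like the one quoted: every inbound rule's external-address should correspond to a servernat entry, addresses should parse (catching typos such as a doubled dot), and every rule should carry an interface (the third rule in the excerpt above does not). It assumes the servernat and rule elements sit under a <nat> element in config.xml, which is an assumption about the file layout, and runs on constructed sample data.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the excerpt in the post: one Server NAT
# address, two inbound rules for it (the second has a typo in <target>
# and omits <interface>), and one rule written without <external-address>.
# Placing them under <nat> is an assumption about config.xml's layout.
SAMPLE_CONFIG = """<m0n0wall>
<nat>
  <servernat><ipaddr>3.2.1.27</ipaddr><descr>mumble</descr></servernat>
  <rule><external-address>3.2.1.27</external-address><protocol>tcp</protocol>
    <external-port>22</external-port><target>1.2.3.102</target>
    <local-port>22</local-port><interface>wan</interface><descr>SSH</descr></rule>
  <rule><external-address>3.2.1.27</external-address><protocol>tcp</protocol>
    <external-port>7650</external-port><target>1.2.3..223</target>
    <local-port>7650</local-port><descr/></rule>
  <rule><protocol>tcp</protocol><external-port>20</external-port>
    <target>172.16.0.10</target><local-port>20</local-port>
    <interface>wan</interface><descr>FTP data</descr></rule>
</nat>
</m0n0wall>"""


def audit_nat(config_xml):
    """Return a list of (rule_index, problem) findings for inbound NAT rules."""
    nat = ET.fromstring(config_xml).find("nat")
    servernat = {s.findtext("ipaddr") for s in nat.findall("servernat")}
    findings = []
    for i, rule in enumerate(nat.findall("rule")):
        ext = rule.findtext("external-address")
        # A rule for a Server NAT address must point at a declared servernat IP.
        if ext is not None and ext not in servernat:
            findings.append((i, f"external-address {ext} has no <servernat> entry"))
        # Both addresses, when present, must be syntactically valid IPs.
        for tag in ("external-address", "target"):
            val = rule.findtext(tag)
            if val is not None:
                try:
                    ipaddress.ip_address(val)
                except ValueError:
                    findings.append((i, f"malformed {tag}: {val!r}"))
        if rule.find("interface") is None:
            findings.append((i, "<interface> missing"))
        for tag in ("external-port", "local-port"):
            p = rule.findtext(tag)
            if p is None or not p.isdigit() or not 1 <= int(p) <= 65535:
                findings.append((i, f"bad {tag}: {p!r}"))
    return findings


if __name__ == "__main__":
    for idx, msg in audit_nat(SAMPLE_CONFIG):
        print(f"rule {idx}: {msg}")
```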