[ previous ] [ next ] [ threads ]
 
 From:  David HM Spector <spector at zeitgeist dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Packets being blocked on the LAN side...?
 Date:  Thu, 28 Sep 2006 01:14:43 -0400 
Until a couple of days ago I'd never seen this happen ... anyone have  
any clues?

the scenario:

	ISP--------M0n0wall--------[LAN with hosts]

The monowall is set up as follows:

Basics
	0) The LAN network is a routable Class C I own, but is not announced  
on the Internet (i.e., its not an RFC1918 type address)

	1) Anything on the LAN can to get to anything on the Internet (i.e.,  
the default LAN rule is in place)

	2) My ISP has given me 3 additional public IPs.  All 4 (the WAN, and  
the other 3) are all routed through the same gateway at the ISP,
	    and are announced to the outside directly in the case of the WAN  
address or via the server NAT and Proxy ARP.

	3) The main WAN interface NATs port 80 in to one of the interior  
machines for web service

	4) One of the name servers for my site is also behind the monowall  
and DNS is NATed in as well.

	5) Mail is also brought into the interior also using server/inbound  
NAT to yet another machine on the inside

	6 This monowall supports about 10+ IPSec VPN tunnels coming in from  
various places; all of them are on RFC1918 subnets all of which are  
up and running fine.


Here's were things go wonky.

	-   I tried to add another web server by using an inbound NAT rule  
using one of the ServerNATs as the outside address to a new host on  
the LAN

	Result:  Noting gets in.

	Odd side effect:  I see traffic trying to get OUT being blocked by  
the firewall on the LAN side, like this (IP addressed redacted):

	Sep 28 00:53:42 m0n0wall ipmon[83]: 00:53:41.989857 sis0 @0:21 b  
198.xx.yy.10,80 -> 72.30.98.22,48532 PR tcp len 20 40 -AR IN

Additionally I see packets being blocked on the LAN side that are  
coming from my mail server...

	Sep 28 00:34:15 m0n0wall ipmon[83]: 00:34:15.220925 sis0 @0:21 b  
198.xx.yy.2,25 -> 204.13.109.186,47609 PR tcp len 20 60 -AS IN


I must have dome something silly.. but for the life of me I can't see  
what it is...   any input/ideas would be appreciated.

regards,
   David
------------------------------------------------------------------------ 
-------------------
                                           David HM Spector
spector (at) zeitgeist.com                                       
http://www.zeitgeist.com/
voice: +1 631.261.5013                                          fax:  
+1 212.656.1443
                                                     ~ ~ ~
"New and stirring things are belittled because if they are not  
belittled, the
humiliating question arises, 'Why then are you not taking part in  
them?'"
                                                                         
                 --H. G. Wells