 
 From:  Scott Myers <scott at paperstreettech dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Creating Secondary Interface Firewall rules
 Date:  Mon, 23 Oct 2006 16:02:17 -0400
Hey guys, running out of time here... I think my last message didn't 
make it to the list. Anyone see why my OPT1 (WIFI) interface is getting 
traffic blocked at the firewall? (Mostly return incoming traffic on high 
ports, which means the standard client --> server / server --> client 
traffic on web sites etc. is getting blocked.)

What rule would tell the firewall to allow servers to send traffic back 
to the client in this case, and why doesn't the LAN interface need it by 
default?


Chris,

Thanks for taking the time to assist me with this small, probably
PEBKAC-based error. Below is my config.xml. I have edited out any
security-risk fields, so as to make it "Google friendly".

My overall goal is to have the WIFI interface be on a separate subnet
with firewall rules blocking any interaction between it and the LAN
subnet (along with some basic subnet masking to ensure a client doesn't
just try to change their IP address to the LAN subnet, 192.168.1.0).

I basically copied the default LAN firewall rule to the WIFI rule list,
with the important areas (specifically where the interfaces are defined
in the rule) set to WIFI instead of LAN.  I suspect the incoming rule
needed to allow web servers, etc. to communicate back to the WIFI
interface is missing (usually on the return web port, some random
high port number). If so, does m0n0wall just assume that LAN needs
this rule but doesn't list it in the config? If this is the case, could
you give me a reasonable rule to allow the return packet data to cross
the firewall to the WIFI interface?


Thank you again,

Scott

<?xml version="1.0"?>
<m0n0wall>
	<version>1.6</version>
	<lastchange>1160601938</lastchange>
	<system>
		<hostname>firewall</hostname>
		<domain>firewall.lan</domain>
		<username>admin</username>
		<password>password</password>
		<timezone>Etc/UTC</timezone>
		<time-update-interval>300</time-update-interval>
		<timeservers>pool.ntp.org</timeservers>
		<webgui>
			<protocol>http</protocol>
			<port/>
		</webgui>
		<dnsserver>64.203.254.30</dnsserver>
		<dnsserver>64.203.254.31</dnsserver>
	</system>
	<interfaces>
		<lan>
			<if>sis0</if>
			<ipaddr>192.168.1.1</ipaddr>
			<subnet>24</subnet>
			<media/>
			<mediaopt/>
		</lan>
		<wan>
			<if>sis1</if>
			<mtu/>
			<media/>
			<mediaopt/>
			<spoofmac/>
			<ipaddr>pppoe</ipaddr>
		</wan>
		<opt1>
			<descr>WIFI</descr>
			<if>wi0</if>
			<wireless>
				<standard></standard>
				<mode>hostap</mode>
				<ssid>wifi</ssid>
				<stationname/>
				<channel>2</channel>
				<wep>
				</wep>
			</wireless>
			<ipaddr>192.168.2.1</ipaddr>
			<subnet>24</subnet>
			<bridge>lan</bridge>
		</opt1>
	</interfaces>
	<staticroutes/>
	<pppoe>
		<username>user</username>
		<password>password</password>
		<provider/>
		<timeout/>
	</pppoe>
	<pptp/>
	<bigpond/>
	<dyndns>
		<type>dyndns</type>
		<username/>
		<password/>
		<host/>
		<mx/>
		<server/>
		<port/>
	</dyndns>
	<dnsupdate/>
	<dhcpd>
		<lan>
			<enable/>
			<range>
				<from>192.168.1.100</from>
				<to>192.168.1.199</to>
			</range>
		</lan>
		<opt1>
			<range>
				<from>192.168.2.100</from>
				<to>192.168.2.250</to>
			</range>
			<defaultleasetime/>
			<maxleasetime/>
			<enable/>
		</opt1>
	</dhcpd>
	<pptpd>
		<mode/>
		<redir/>
		<localip/>
		<remoteip/>
	</pptpd>
	<dnsmasq/>
	<snmpd>
		<syslocation/>
		<syscontact/>
		<rocommunity>public</rocommunity>
	</snmpd>
	<diag>
		<ipv6nat>
			<ipaddr/>
		</ipv6nat>
	</diag>
	<bridge/>
	<syslog/>
	<nat/>
	<filter>
		<rule>
			<type>pass</type>
			<interface>opt1</interface>
			<source>
				<network>opt1</network>
			</source>
			<destination>
				<any/>
			</destination>
			<descr>Default Wifi --&gt; ANY</descr>
		</rule>
		<rule>
			<type>block</type>
			<interface>opt1</interface>
			<source>
				<network>opt1</network>
			</source>
			<destination>
				<network>lan</network>
			</destination>
			<disabled/>
			<descr>Block WIFI traffic from LAN Subnet</descr>
		</rule>
		<rule>
			<type>pass</type>
			<interface>lan</interface>
			<source>
				<network>lan</network>
			</source>
			<destination>
				<any/>
			</destination>
			<descr>Default LAN -&gt; any</descr>
		</rule>
	</filter>
	<shaper/>
	<ipsec/>
	<aliases/>
	<proxyarp/>
	<wol/>
</m0n0wall>



On 10/12/06, Scott Myers <scott at paperstreettech dot com> wrote:
> Sorry, I know this seems trivial, but I have set up a secondary interface
> on a m0n0wall box and am having little success in creating the proper
> firewall rules.
> I have duplicated (almost, except the two fields where I switched LAN
> with OPT1) the default rule for the LAN interface, as well as tried to
> simply bridge the connections. No matter what I try, the OPT1 interface
> acts up, and the firewall log shows numerous blocked packets, but only
> when using the OPT1 interface.
>
> What am I missing?
>

Sufficient detail to be able to tell you what the problem is.  ;)

Easiest thing would be to post the entire interfaces and rules parts
of your config.xml.  Or if you don't want them forever archived by
Google, you can email it to me offlist.

-Chris
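An added example, not Scott's posted config and not anything from the m0n0wall project itself: the opt1 interface block and the filter section of a m0n0wall 1.x config.xml rearranged so that the WIFI-to-LAN block can actually take effect. It rests on two things visible in the posted config.xml plus how m0n0wall evaluates rules. First, the block rule carries `<disabled/>`, so it is not loaded at all. Second, even if it were enabled it sits below the "Default Wifi --> ANY" pass rule, and m0n0wall applies rules per interface top to bottom with the first match winning, so the pass rule would swallow every WIFI packet before the block is consulted. On the return-traffic question: the filter is stateful, so the state entry created when a pass rule admits the client's outbound connection also admits the server's replies on the random high port; no hand-written return rule is needed, which is also why the LAN interface ships without one. The fragment also leaves out the `<bridge>lan</bridge>` element from opt1, since bridging WIFI onto LAN puts both on one segment and contradicts the stated goal of separate subnets; the other opt1 values are copied from the posted config, and the rule descriptions are mine.

```xml
<!-- Added example, not the config as posted: the interfaces/opt1 and
     filter sections of a m0n0wall 1.x config.xml. Rules are listed per
     interface and the first match wins; anything no rule passes is dropped
     by the implicit default deny. The lan and wan interface elements are
     unchanged from the posted config and are not repeated here. -->
<interfaces>
	<opt1>
		<descr>WIFI</descr>
		<if>wi0</if>
		<wireless>
			<standard></standard>
			<mode>hostap</mode>
			<ssid>wifi</ssid>
			<stationname/>
			<channel>2</channel>
			<wep>
			</wep>
		</wireless>
		<ipaddr>192.168.2.1</ipaddr>
		<subnet>24</subnet>
		<!-- No <bridge>lan</bridge> here: a bridged OPT1 sits on the LAN
		     segment instead of being a separately routed subnet. -->
	</opt1>
</interfaces>
<filter>
	<!-- Block first. With <disabled/> removed and this rule placed above
	     the pass rule, WIFI -> LAN packets match it before anything else. -->
	<rule>
		<type>block</type>
		<interface>opt1</interface>
		<source>
			<network>opt1</network>
		</source>
		<destination>
			<network>lan</network>
		</destination>
		<descr>Block WIFI -> LAN subnet</descr>
	</rule>
	<!-- Then pass everything else sourced from the WIFI subnet. The filter
	     is stateful: replies to connections this rule passes (the "random
	     high port" return traffic) are admitted by the state entry, so no
	     separate return rule is needed, on OPT1 or on LAN. A client that
	     gives itself a 192.168.1.x address no longer matches
	     <network>opt1</network> and falls through to the default deny. -->
	<rule>
		<type>pass</type>
		<interface>opt1</interface>
		<source>
			<network>opt1</network>
		</source>
		<destination>
			<any/>
		</destination>
		<descr>Default WIFI -> any</descr>
	</rule>
	<!-- The LAN rule is the stock one from the posted config. -->
	<rule>
		<type>pass</type>
		<interface>lan</interface>
		<source>
			<network>lan</network>
		</source>
		<destination>
			<any/>
		</destination>
		<descr>Default LAN -> any</descr>
	</rule>
</filter>
```

After loading a config like this, the firewall log is the check: WIFI clients browsing the Internet should produce no block entries, while a WIFI client pinging 192.168.1.1 or any LAN host should show up as blocked by the first rule. If high-port return traffic is still logged as blocked on OPT1 with the bridge element gone and the rules in this order, the remaining difference from the posted config is worth reporting to the list.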