 From:  "Lee Sharp" <leesharp at hal dash pc dot org>
 To:  "Marty Zigman" <marty dot zigman at prolecto dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Dropped Connection on Additional / Multiple WAN IP Addresses
 Date:  Sun, 7 Jan 2007 14:31:40 -0600
Ah HA!  Took a while until I could look at it while awake, but I got it. :-) 
You are trying to do server NAT to an IP address not on the m0n0wall.  The 
firewall is at 72.35.231.171 and you are server NATing to both 72.35.231.163 
and 72.35.231.171.  1to1 NAT is a standalone IP, but to use server NAT you 
need to be on the firewall IP.  Using the above config, change the firewall 
to 72.35.231.165, and proxy arp both .163 and .171, and make it 1to1 NAT, or 
put everything on the firewall IP and it should work as expected.  (Anybody 
else is welcome to salinity check me.  It is hard to read without TABs! )  I 
have done this with several /29 subnets using the entire block of 6 
addresses.  This is a functioning example...

    <interfaces>
        <lan>
            <if>xl0</if>
            <ipaddr>192.168.38.1</ipaddr>
            <subnet>24</subnet>
            <media/>
            <mediaopt/>
        </lan>
        <wan>
            <if>rl0</if>
            <mtu/>
            <blockpriv/>
            <media/>
            <mediaopt/>
            <spoofmac/>
            <ipaddr>69.x.x.218</ipaddr>
            <subnet>29</subnet>
            <gateway>69.x.x.217</gateway>
        </wan>
    </interfaces>

[stuff removed that doesn't apply to this conversation]

    <nat>
        <onetoone>
            <external>69.53.58.222</external>
            <internal>192.168.38.90</internal>
            <subnet>32</subnet>
            <descr>fw-comfort-intercont</descr>
            <interface>wan</interface>
        </onetoone>
        <rule>
            <protocol>tcp</protocol>
            <external-port>10120</external-port>
            <target>192.168.38.20</target>
            <local-port>80</local-port>
            <interface>wan</interface>
            <descr>AP1</descr>
        </rule>
        <rule>
            <protocol>tcp</protocol>
            <external-port>10121</external-port>
            <target>192.168.38.21</target>
            <local-port>80</local-port>
            <interface>wan</interface>
            <descr>AP2</descr>
        </rule>
        <rule>
            <protocol>tcp</protocol>
            <external-port>10124</external-port>
            <target>192.168.38.31</target>
            <local-port>80</local-port>
            <interface>wan</interface>
            <descr>GW2</descr>
        </rule>
        <rule>
            <protocol>tcp</protocol>
            <external-port>10123</external-port>
            <target>192.168.38.30</target>
            <local-port>80</local-port>
            <interface>wan</interface>
            <descr>GW1</descr>
        </rule>
    </nat>
    <filter>
        <rule>
            <type>pass</type>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <any/>
                <port>443</port>
            </destination>
            <descr>Allow Remote Admin</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>wan</interface>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.38.90</address>
            </destination>
            <frags/>
            <descr>fw-comfort-intercont</descr>
        </rule>
        <rule>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.38.20</address>
                <port>80</port>
            </destination>
            <descr>NAT AP1</descr>
        </rule>
        <rule>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.38.21</address>
                <port>80</port>
            </destination>
            <descr>NAT AP2</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.38.30</address>
                <port>80</port>
            </destination>
            <descr>NAT GW1</descr>
        </rule>
        <rule>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.38.31</address>
                <port>80</port>
            </destination>
            <descr>NAT GW2</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>pptp</interface>
            <source>
                <any/>
            </source>
            <destination>
                <any/>
            </destination>
            <descr>Default PPtP -&gt; Any</descr>
        </rule>
        <rule>
            <type>pass</type>
            <descr>Default LAN -&gt; any</descr>
            <interface>lan</interface>
            <source>
                <network>lan</network>
            </source>
            <destination>
                <any/>
            </destination>
        </rule>
        <tcpidletimeout/>
    </filter>
    <proxyarp>
        <proxyarpnet>
            <interface>wan</interface>
            <network>69.x.x.222/32</network>
            <descr>NAT fw-comfort-intercont</descr>
        </proxyarpnet>
    </proxyarp>
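The mismatch Lee diagnoses (an inbound NAT rule bound to an external address that is not the firewall's WAN IP, and a 1:1 NAT address with no proxy ARP entry) can be checked mechanically. This is an added example, not m0n0wall's own code: it parses the element names seen in the configs quoted in this thread, and the embedded sample config is a constructed cut-down version of Marty's posted config.

```python
"""Audit a m0n0wall config.xml for the inbound-NAT problem described in this
thread. Added example, not m0n0wall code; element names follow the configs
quoted above, the check itself encodes Lee's diagnosis."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on Marty's config: WAN is .171, one inbound
# rule is bound to .163, which is only proxy-ARPed, not 1:1 NATed.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<m0n0wall>
 <interfaces><wan><ipaddr>72.35.231.171</ipaddr><subnet>28</subnet></wan></interfaces>
 <nat>
  <rule><external-address>72.35.231.163</external-address><protocol>tcp</protocol>
   <external-port>3389</external-port><target>192.168.168.122</target>
   <local-port>3389</local-port><interface>wan</interface><descr>TS_LLNX_MSCRM01</descr></rule>
  <rule><external-address>72.35.231.171</external-address><protocol>tcp</protocol>
   <external-port>443</external-port><target>192.168.168.50</target>
   <local-port>443</local-port><interface>wan</interface><descr>HTTPS_Exchange01</descr></rule>
 </nat>
 <proxyarp><proxyarpnet><interface>wan</interface><network>72.35.231.163/32</network></proxyarpnet></proxyarp>
</m0n0wall>"""


def audit_nat(config_xml: str) -> list[str]:
    """Return one finding per misconfiguration; an empty list means clean."""
    root = ET.fromstring(config_xml)
    wan_ip = root.findtext("interfaces/wan/ipaddr")
    proxied = [ipaddress.ip_network(n.text, strict=False)
               for n in root.findall("proxyarp/proxyarpnet/network")]
    onetoone = {o.findtext("external") for o in root.findall("nat/onetoone")
                if o.findtext("external")}
    findings = []
    # Lee's rule: an inbound NAT rule has to be bound to the firewall's WAN IP;
    # an additional address wants 1:1 NAT plus proxy ARP instead.
    for rule in root.findall("nat/rule"):
        ext = rule.findtext("external-address")
        if ext and ext != wan_ip:
            findings.append(f"inbound rule '{rule.findtext('descr')}' is bound to "
                            f"{ext}, but the WAN IP is {wan_ip}; use 1:1 NAT plus "
                            f"proxy ARP for {ext} or move the rule to {wan_ip}")
    # A 1:1 NAT address nothing answers ARP for is unreachable from upstream.
    for ext in onetoone:
        if not any(ipaddress.ip_address(ext) in net for net in proxied):
            findings.append(f"1:1 NAT address {ext} has no proxy ARP entry")
    return findings


if __name__ == "__main__":
    for line in audit_nat(SAMPLE_CONFIG):
        print("WARNING:", line)
```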



----- Original Message ----- 
From: "Marty Zigman" <marty dot zigman at prolecto dot com>
To: "Lee Sharp" <leesharp at hal dash pc dot org>; <m0n0wall at lists dot m0n0 dot ch>
Sent: Saturday, January 06, 2007 1:12 AM
Subject: RE: [m0n0wall] Dropped Connection on Additional / Multiple WAN IP Addresses


Hi Lee,

Thank you for your review.  Below is our config file with sensitive 
information removed.  I noticed that there are some minor NAT rules in our 
config that remain from when I was testing this on a firewall on another network. 
I do not believe these entries would have any impact on my situation.

Related to my problem, many times I cannot connect to the service.  Today, 
for example, I am not able to connect through Terminal Services on .163.  I 
can connect on the .171 IP, however.  The definitions are the same to me.  So 
sometimes it lets me through, for about 30 seconds, and sometimes not at 
all...  Could there be something going on with the switch?  Or the router?

<?xml version="1.0"?>
<m0n0wall>
 <version>1.6</version>
 <lastchange>1167936654</lastchange>
 <system>
  <hostname></hostname>
  <domain></domain>
  <dnsallowoverride/>
  <username></username>
  <password></password>
  <timezone>America/Los_Angeles</timezone>
  <time-update-interval>300</time-update-interval>
  <timeservers>pool.ntp.org</timeservers>
  <webgui>
   <protocol>http</protocol>
   <port/>
  </webgui>
  <dnsserver>64.81.45.2</dnsserver>
  <dnsserver>216.86.207.3</dnsserver>
 </system>
 <interfaces>
  <lan>
   <if>vr0</if>
   <ipaddr>192.168.168.1</ipaddr>
   <subnet>24</subnet>
   <media/>
   <mediaopt/>
  </lan>
  <wan>
   <if>rl0</if>
   <mtu/>
   <media/>
   <mediaopt/>
   <spoofmac/>
   <blockpriv/>
   <ipaddr>72.35.231.171</ipaddr>
   <subnet>28</subnet>
   <gateway>72.35.231.161</gateway>
  </wan>
  <opt1>
   <if>rl1</if>
   <descr>OPT1</descr>
  </opt1>
  <opt2>
   <if>rl2</if>
   <descr>OPT2</descr>
  </opt2>
 </interfaces>
 <staticroutes/>
 <pppoe/>
 <pptp/>
 <bigpond/>
 <dyndns>
  <type>dyndns</type>
  <username/>
  <password/>
  <host/>
  <mx/>
  <server/>
  <port/>
 </dyndns>
 <dnsupdate/>
 <dhcpd>
  <lan>
   <range>
    <from>192.168.200.100</from>
    <to>192.168.200.120</to>
   </range>
   <defaultleasetime/>
   <maxleasetime/>
  </lan>
 </dhcpd>
 <pptpd>
  <mode>server</mode>
  <redir/>
  <localip>192.168.168.191</localip>
  <remoteip>192.168.168.192</remoteip>
  <radius>
   <server/>
   <secret/>
  </radius>
  <user>
   <name></name>
   <ip/>
   <password></password>
  </user>
 </pptpd>
 <dnsmasq>
  <enable/>
  <regdhcp/>
 </dnsmasq>
 <snmpd>
  <syslocation/>
  <syscontact/>
  <rocommunity>public</rocommunity>
  <enable/>
 </snmpd>
 <diag>
  <ipv6nat>
   <ipaddr/>
  </ipv6nat>
 </diag>
 <bridge/>
 <syslog>
  <reverse/>
  <nentries>50</nentries>
  <remoteserver/>
  <rawfilter/>
 </syslog>
 <nat>
  <rule>
   <external-address>72.35.231.163</external-address>
   <protocol>tcp</protocol>
   <external-port>3389</external-port>
   <target>192.168.168.122</target>
   <local-port>3389</local-port>
   <interface>wan</interface>
   <descr>TS_LLNX_MSCRM01</descr>
  </rule>
  <rule>
   <external-address>72.35.231.171</external-address>
   <protocol>tcp</protocol>
   <external-port>443</external-port>
   <target>192.168.168.50</target>
   <local-port>443</local-port>
   <interface>wan</interface>
   <descr>HTTPS_Exchange01</descr>
  </rule>
  <rule>
   <external-address>72.35.231.171</external-address>
   <protocol>tcp</protocol>
   <external-port>3389</external-port>
   <target>192.168.168.26</target>
   <local-port>3389</local-port>
   <interface>wan</interface>
   <descr>TS_Staging01_171_2</descr>
  </rule>
  <servernat>
   <ipaddr>72.35.231.163</ipaddr>
   <descr>EXT_163</descr>
  </servernat>
  <servernat>
   <ipaddr>72.35.231.171</ipaddr>
   <descr>EXT_171</descr>
  </servernat>
 </nat>
 <filter>
  <rule>
   <type>pass</type>
   <interface>wan</interface>
   <protocol>icmp</protocol>
   <source>
    <any/>
   </source>
   <destination>
    <any/>
   </destination>
   <descr>WAN_ICMP_Echo</descr>
  </rule>
  <rule>
   <type>pass</type>
   <interface>wan</interface>
   <protocol>tcp</protocol>
   <source>
    <any/>
   </source>
   <destination>
    <any/>
    <port>3389</port>
   </destination>
   <descr>TS_Pass</descr>
  </rule>
  <rule>
   <interface>wan</interface>
   <protocol>tcp</protocol>
   <source>
    <any/>
   </source>
   <destination>
    <address>192.168.200.3</address>
    <port>80</port>
   </destination>
   <descr>NAT Zigman01 HTTP</descr>
   <disabled/>
  </rule>
  <rule>
   <interface>wan</interface>
   <protocol>tcp</protocol>
   <source>
    <any/>
   </source>
   <destination>
    <address>192.168.168.50</address>
    <port>443</port>
   </destination>
   <descr>NAT HTTPS_Exchange01</descr>
  </rule>
  <rule>
   <type>pass</type>
   <interface>pptp</interface>
   <protocol>tcp</protocol>
   <source>
    <any/>
   </source>
   <destination>
    <any/>
   </destination>
   <descr>PPTP_Passthru</descr>
  </rule>
  <rule>
   <type>pass</type>
   <descr>Default LAN -&gt; any</descr>
   <interface>lan</interface>
   <source>
    <network>lan</network>
   </source>
   <destination>
    <any/>
   </destination>
  </rule>
 </filter>
 <shaper/>
 <ipsec/>
 <aliases>
  <alias>
   <name>zigman01</name>
   <address>192.168.200.1</address>
   <descr>Zigman01</descr>
  </alias>
 </aliases>
 <proxyarp>
  <proxyarpnet>
   <interface>wan</interface>
   <network>72.35.231.163/32</network>
   <descr>EXT_163</descr>
  </proxyarpnet>
 </proxyarp>
 <wol/>
</m0n0wall>

Marty


________________________________

From: Lee Sharp [mailto:leesharp at hal dash pc dot org]
Sent: Thu 1/4/2007 9:19 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Dropped Connection on Additional / Multiple WAN IP Addresses



This should work as you describe, but your description of both server NAT
and a NAT rule have me confused.  Post your config.xml (with private stuff
removed) to be sure.