 From:  "Marty Zigman" <marty dot zigman at prolecto dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Dropped Connection on Additional / Multiple WAN IP Addresses
 Date:  Mon, 8 Jan 2007 16:55:06 -0800
Lee,

Thank you. You opened my eyes to some networking concepts. While my ISP
has provided me a /28 address, only a subset of those are usable. Also,
I have another firewall consuming a few of the addresses allocated on
the /28 segment; notably the .165 address. In another post on this
thread, I found the workaround which appears to bind additional IP
addresses on the NIC. This works well for me and is what I have been
accustomed to. Do you see merit in using the non-bind / proxy ARP
approach?


Marty Zigman
Prolecto Resources, Inc.
marty dot zigman at prolecto dot com
--------------------------
Please excuse "thumb typing" mistakes as this message was sent from my
wireless handheld.

-----Original Message-----
From: Lee Sharp <leesharp at hal dash pc dot org>
To: Marty Zigman; m0n0wall at lists dot m0n0 dot ch <m0n0wall at lists dot m0n0 dot ch>
Sent: Sun Jan 07 12:31:40 2007
Subject: Re: [m0n0wall] Dropped Connection on Additional / Multiple WAN IP Addresses

Ah HA!  Took a while until I could look at it while awake, but I got it. :-)
You are trying to do server NAT to an IP address not on the m0n0wall. The
firewall is at 72.35.231.171 and you are server NATing to both 72.35.231.163
and 72.35.231.171.  1to1 NAT is a standalone IP, but to use server NAT you
need to be on the firewall IP.  Using the above config, change the firewall
to 72.35.231.165, and proxy ARP both .163 and .171, and make it 1to1 NAT, or
put everything on the firewall IP and it should work as expected.  (Anybody
else is welcome to sanity check me.  It is hard to read without TABs!)  I
have done this with several /29 subnets using the entire block of 6
addresses.  This is a functioning example...

    <interfaces>
        <lan>
            <if>xl0</if>
            <ipaddr>192.168.38.1</ipaddr>
            <subnet>24</subnet>
            <media/>
            <mediaopt/>
        </lan>
        <wan>
            <if>rl0</if>
            <mtu/>
            <blockpriv/>
            <media/>
            <mediaopt/>
            <spoofmac/>
            <ipaddr>69.x.x.218</ipaddr>
            <subnet>29</subnet>
            <gateway>69.x.x.217</gateway>
        </wan>
    </interfaces>

[stuff removed that doesn't apply to this conversation]

    <nat>
        <onetoone>
            <external>69.53.58.222</external>
            <internal>192.168.38.90</internal>
            <subnet>32</subnet>
            <descr>fw-comfort-intercont</descr>
            <interface>wan</interface>
        </onetoone>
        <rule>
            <protocol>tcp</protocol>
            <external-port>10120</external-port>
            <target>192.168.38.20</target>
            <local-port>80</local-port>
            <interface>wan</interface>
            <descr>AP1</descr>
        </rule>
        <rule>
            <protocol>tcp</protocol>
            <external-port>10121</external-port>
            <target>192.168.38.21</target>
            <local-port>80</local-port>
            <interface>wan</interface>
            <descr>AP2</descr>
        </rule>
        <rule>
            <protocol>tcp</protocol>
            <external-port>10124</external-port>
            <target>192.168.38.31</target>
            <local-port>80</local-port>
            <interface>wan</interface>
            <descr>GW2</descr>
        </rule>
        <rule>
            <protocol>tcp</protocol>
            <external-port>10123</external-port>
            <target>192.168.38.30</target>
            <local-port>80</local-port>
            <interface>wan</interface>
            <descr>GW1</descr>
        </rule>
    </nat>
    <filter>
        <rule>
            <type>pass</type>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <any/>
                <port>443</port>
            </destination>
            <descr>Allow Remote Admin</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>wan</interface>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.38.90</address>
            </destination>
            <frags/>
            <descr>fw-comfort-intercont</descr>
        </rule>
        <rule>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.38.20</address>
                <port>80</port>
            </destination>
            <descr>NAT AP1</descr>
        </rule>
        <rule>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.38.21</address>
                <port>80</port>
            </destination>
            <descr>NAT AP2</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.38.30</address>
                <port>80</port>
            </destination>
            <descr>NAT GW1</descr>
        </rule>
        <rule>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.38.31</address>
                <port>80</port>
            </destination>
            <descr>NAT GW2</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>pptp</interface>
            <source>
                <any/>
            </source>
            <destination>
                <any/>
            </destination>
            <descr>Default PPtP -&gt; Any</descr>
        </rule>
        <rule>
            <type>pass</type>
            <descr>Default LAN -&gt; any</descr>
            <interface>lan</interface>
            <source>
                <network>lan</network>
            </source>
            <destination>
                <any/>
            </destination>
        </rule>
        <tcpidletimeout/>
    </filter>
    <proxyarp>
        <proxyarpnet>
            <interface>wan</interface>
            <network>69.x.x.222/32</network>
            <descr>NAT fw-comfort-intercont</descr>
        </proxyarpnet>
    </proxyarp>
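The rule Lee spells out can be checked mechanically: a 1:1 NAT external address must sit inside the WAN subnet and must either be the firewall's own WAN address or be covered by a proxy ARP entry, otherwise the upstream router never learns who answers for it. The script below is an added example, not code from this thread or from m0n0wall; it assumes the config.xml layout shown above and runs over a constructed sample that uses documentation address ranges rather than anyone's real block.

```python
"""Lint a m0n0wall config fragment for 1:1 NAT entries that cannot receive
traffic (added example; not m0n0wall's own code)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample shaped like the config posted above: one correct entry,
# one external IP with no proxy ARP entry, one outside the WAN subnet.
SAMPLE_CONFIG = """<m0n0wall>
  <interfaces>
    <wan><if>rl0</if><ipaddr>198.51.100.165</ipaddr><subnet>28</subnet>
         <gateway>198.51.100.161</gateway></wan>
  </interfaces>
  <nat>
    <onetoone><external>198.51.100.163</external><internal>192.168.38.90</internal>
              <subnet>32</subnet><interface>wan</interface><descr>ok</descr></onetoone>
    <onetoone><external>198.51.100.171</external><internal>192.168.38.91</internal>
              <subnet>32</subnet><interface>wan</interface><descr>missing-parp</descr></onetoone>
    <onetoone><external>203.0.113.5</external><internal>192.168.38.92</internal>
              <subnet>32</subnet><interface>wan</interface><descr>off-subnet</descr></onetoone>
  </nat>
  <proxyarp>
    <proxyarpnet><interface>wan</interface><network>198.51.100.163/32</network></proxyarpnet>
  </proxyarp>
</m0n0wall>"""


def lint_onetoone(config_xml):
    """Return (descr, problem) pairs for 1:1 NAT entries whose external
    address is outside the WAN subnet, or is neither the WAN address nor
    covered by a proxy ARP network on the WAN interface."""
    root = ET.fromstring(config_xml)
    wan = root.find("interfaces/wan")
    wan_ip = ipaddress.ip_address(wan.findtext("ipaddr"))
    wan_net = ipaddress.ip_interface(f"{wan_ip}/{wan.findtext('subnet')}").network
    parp_nets = [ipaddress.ip_network(n.findtext("network"), strict=False)
                 for n in root.iterfind("proxyarp/proxyarpnet")
                 if n.findtext("interface") == "wan"]
    problems = []
    for entry in root.iterfind("nat/onetoone"):
        ext = ipaddress.ip_address(entry.findtext("external"))
        descr = entry.findtext("descr") or str(ext)
        if ext not in wan_net:
            problems.append((descr, "external address outside WAN subnet"))
        elif ext != wan_ip and not any(ext in net for net in parp_nets):
            problems.append((descr, "no proxy ARP entry; upstream router cannot reach it"))
    return problems


if __name__ == "__main__":
    for descr, problem in lint_onetoone(SAMPLE_CONFIG):
        print(f"{descr}: {problem}")
```

Server NAT (the `<nat><rule>` entries) is not checked because, as the thread notes, those rules apply to the firewall's own WAN address and carry no external address of their own.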