Lee,
Thank you. You opened my eyes to some networking concepts. While my ISP
has provided me a /28 address, only a subset of those are usable. Also,
I have another firewall consuming a few of the addresses allocated on
the /28 segment; notably the .165 address. In another post on this
thread, I found the workaround which appears to bind additional IP
addresses on the NIC. This works well for me and is what I have been
accustomed to. Do you see merit in using the non-bind / proxy ARP
approach?
Marty Zigman
Prolecto Resources, Inc.
marty dot zigman at prolecto dot com
--------------------------
Please excuse "thumb typing" mistakes as this message was sent from my
wireless handheld.
-----Original Message-----
From: Lee Sharp <leesharp at hal dash pc dot org>
To: Marty Zigman; m0n0wall at lists dot m0n0 dot ch <m0n0wall at lists dot m0n0 dot ch>
Sent: Sun Jan 07 12:31:40 2007
Subject: Re: [m0n0wall] Dropped Connection on Additional / Multiple WAN IP Addresses
Ah HA! Took a while until I could look at it while awake, but I got it. :-)

You are trying to do server NAT to an IP address not on the m0n0wall. The
firewall is at 72.35.231.171 and you are server NATing to both 72.35.231.163
and 72.35.231.171. 1to1 NAT is a standalone IP, but to use server NAT you
need to be on the firewall IP. Using the above config, change the firewall
to 72.35.231.165, and proxy arp both .163 and .171, and make it 1to1 NAT, or
put everything on the firewall IP and it should work as expected. (Anybody
else is welcome to salinity check me. It is hard to read without TABs!) I
have done this with several /29 subnets using the entire block of 6
addresses. This is a functioning example...
<interfaces>
  <lan>
    <if>xl0</if>
    <ipaddr>192.168.38.1</ipaddr>
    <subnet>24</subnet>
    <media/>
    <mediaopt/>
  </lan>
  <wan>
    <!-- The one public address actually bound to the WAN NIC. The inbound
         (server) NAT rules below all use this address; the other public
         address in use (.222) is handled by 1:1 NAT plus proxy ARP. -->
    <if>rl0</if>
    <mtu/>
    <blockpriv/>
    <media/>
    <mediaopt/>
    <spoofmac/>
    <ipaddr>69.x.x.218</ipaddr>
    <subnet>29</subnet>
    <gateway>69.x.x.217</gateway>
  </wan>
</interfaces>
[stuff removed that doesn't apply to this conversation]
<nat>
  <!-- 1:1 NAT: a standalone public IP (.222) mapped to one internal host.
       The firewall does not own .222, so the <proxyarp> entry at the end
       makes it answer ARP for that address on the WAN segment. -->
  <onetoone>
    <external>69.53.58.222</external>
    <internal>192.168.38.90</internal>
    <subnet>32</subnet>
    <descr>fw-comfort-intercont</descr>
    <interface>wan</interface>
  </onetoone>
  <!-- Inbound (server) NAT: port forwards on the firewall's own WAN
       address, each to a different internal host's port 80. -->
  <rule>
    <protocol>tcp</protocol>
    <external-port>10120</external-port>
    <target>192.168.38.20</target>
    <local-port>80</local-port>
    <interface>wan</interface>
    <descr>AP1</descr>
  </rule>
  <rule>
    <protocol>tcp</protocol>
    <external-port>10121</external-port>
    <target>192.168.38.21</target>
    <local-port>80</local-port>
    <interface>wan</interface>
    <descr>AP2</descr>
  </rule>
  <rule>
    <protocol>tcp</protocol>
    <external-port>10124</external-port>
    <target>192.168.38.31</target>
    <local-port>80</local-port>
    <interface>wan</interface>
    <descr>GW2</descr>
  </rule>
  <rule>
    <protocol>tcp</protocol>
    <external-port>10123</external-port>
    <target>192.168.38.30</target>
    <local-port>80</local-port>
    <interface>wan</interface>
    <descr>GW1</descr>
  </rule>
</nat>
<filter>
  <!-- NAT alone passes nothing: each NAT target also needs a WAN pass rule
       whose destination is the translated (internal) address. -->
  <rule>
    <type>pass</type>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <any/>
      <port>443</port>
    </destination>
    <descr>Allow Remote Admin</descr>
  </rule>
  <!-- Pass rule for the 1:1 NAT host; no port, so all traffic to it -->
  <rule>
    <type>pass</type>
    <interface>wan</interface>
    <source>
      <any/>
    </source>
    <destination>
      <address>192.168.38.90</address>
    </destination>
    <frags/>
    <descr>fw-comfort-intercont</descr>
  </rule>
  <!-- Pass rules for the four port forwards. Some of these have no <type>;
       m0n0wall treats a rule without <type> as pass. -->
  <rule>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <address>192.168.38.20</address>
      <port>80</port>
    </destination>
    <descr>NAT AP1</descr>
  </rule>
  <rule>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <address>192.168.38.21</address>
      <port>80</port>
    </destination>
    <descr>NAT AP2</descr>
  </rule>
  <rule>
    <type>pass</type>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <address>192.168.38.30</address>
      <port>80</port>
    </destination>
    <descr>NAT GW1</descr>
  </rule>
  <rule>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <address>192.168.38.31</address>
      <port>80</port>
    </destination>
    <descr>NAT GW2</descr>
  </rule>
  <rule>
    <type>pass</type>
    <interface>pptp</interface>
    <source>
      <any/>
    </source>
    <destination>
      <any/>
    </destination>
    <descr>Default PPtP -> Any</descr>
  </rule>
  <rule>
    <type>pass</type>
    <descr>Default LAN -> any</descr>
    <interface>lan</interface>
    <source>
      <network>lan</network>
    </source>
    <destination>
      <any/>
    </destination>
  </rule>
  <tcpidletimeout/>
</filter>
<proxyarp>
  <!-- Make the firewall answer ARP for the 1:1 NAT address it does not
       own, so upstream traffic for .222 reaches it. -->
  <proxyarpnet>
    <interface>wan</interface>
    <network>69.x.x.222/32</network>
    <descr>NAT fw-comfort-intercont</descr>
  </proxyarpnet>
</proxyarp>
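The rules Lee's message lays out (inbound/server NAT only on the firewall's own WAN address; any other public address handled as 1:1 NAT with a matching proxy ARP entry; every NAT target backed by a WAN pass rule) can be checked mechanically against a config.xml. The following linter is an added example written for this page; it is not part of the thread or of m0n0wall. It assumes an inbound NAT `<rule>` may carry an optional `<external-address>` element that, when absent, means the interface address, and that a filter rule with no `<type>` is a pass rule. The two embedded configs are constructed: one modelled on the working example above, the other on the .163/.171 mistake described in the reply, using 203.0.113.0/24 documentation addresses in place of the real ones.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the posted config: /29, firewall on .218,
# 1:1 NAT to .222 backed by proxy ARP, one port forward on the firewall IP.
GOOD_CONFIG = """<m0n0wall>
<interfaces><wan><if>rl0</if><ipaddr>203.0.113.218</ipaddr><subnet>29</subnet>
  <gateway>203.0.113.217</gateway></wan></interfaces>
<nat>
  <onetoone><external>203.0.113.222</external><internal>192.168.38.90</internal>
    <subnet>32</subnet><interface>wan</interface><descr>fw</descr></onetoone>
  <rule><protocol>tcp</protocol><external-port>10120</external-port>
    <target>192.168.38.20</target><local-port>80</local-port>
    <interface>wan</interface><descr>AP1</descr></rule>
</nat>
<filter>
  <rule><type>pass</type><interface>wan</interface><source><any/></source>
    <destination><address>192.168.38.90</address></destination></rule>
  <rule><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
    <destination><address>192.168.38.20</address><port>80</port></destination></rule>
</filter>
<proxyarp><proxyarpnet><interface>wan</interface>
  <network>203.0.113.222/32</network></proxyarpnet></proxyarp>
</m0n0wall>"""

# Constructed sample of the mistake in the thread: firewall on .171 of a /28,
# a server NAT rule aimed at .163 (not owned by the firewall), and a 1:1 NAT
# to .165 with no proxy ARP entry.
BAD_CONFIG = """<m0n0wall>
<interfaces><wan><if>rl0</if><ipaddr>203.0.113.171</ipaddr><subnet>28</subnet>
  <gateway>203.0.113.161</gateway></wan></interfaces>
<nat>
  <onetoone><external>203.0.113.165</external><internal>192.168.38.90</internal>
    <subnet>32</subnet><interface>wan</interface><descr>fw</descr></onetoone>
  <rule><protocol>tcp</protocol><external-address>203.0.113.163</external-address>
    <external-port>80</external-port><target>192.168.38.20</target>
    <local-port>80</local-port><interface>wan</interface><descr>web</descr></rule>
</nat>
<filter>
  <rule><type>pass</type><interface>wan</interface><source><any/></source>
    <destination><address>192.168.38.90</address></destination></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><any/></source>
    <destination><address>192.168.38.20</address><port>80</port></destination></rule>
</filter>
<proxyarp/>
</m0n0wall>"""


def wan_info(root):
    """Return (WAN address, WAN subnet, gateway) from <interfaces><wan>."""
    wan = root.find("interfaces/wan")
    ip = ipaddress.ip_address(wan.findtext("ipaddr"))
    net = ipaddress.ip_network(f"{ip}/{wan.findtext('subnet')}", strict=False)
    return ip, net, ipaddress.ip_address(wan.findtext("gateway"))


def proxyarp_networks(root):
    """Networks the firewall proxy-ARPs for on the WAN interface."""
    return [ipaddress.ip_network(p.findtext("network"), strict=False)
            for p in root.findall("proxyarp/proxyarpnet")
            if p.findtext("interface") == "wan"]


def wan_pass_rules(root):
    """Set of (destination address or 'any', destination port or None) passed on WAN."""
    allowed = set()
    for r in root.findall("filter/rule"):
        if r.findtext("interface") != "wan":
            continue
        if r.findtext("type", "pass") != "pass":  # assumption: missing <type> means pass
            continue
        dst = r.find("destination")
        addr = "any" if dst.find("any") is not None else dst.findtext("address")
        allowed.add((addr, dst.findtext("port")))
    return allowed


def is_passed(passed, addr, port):
    """True if some WAN pass rule covers traffic to addr:port (port None = any)."""
    return any((a in (addr, "any")) and (p in (port, None)) for a, p in passed)


def check_config(xml_text):
    """Return a list of findings; an empty list means the config follows the rules."""
    root = ET.fromstring(xml_text)
    wan_ip, wan_net, gw = wan_info(root)
    parp, passed, findings = proxyarp_networks(root), wan_pass_rules(root), []

    for o in root.findall("nat/onetoone"):          # 1:1 NAT: standalone IPs
        ext = ipaddress.ip_address(o.findtext("external"))
        if ext not in wan_net:
            findings.append(f"1:1 {ext}: not inside WAN subnet {wan_net}")
        if ext in (wan_ip, gw):
            findings.append(f"1:1 {ext}: collides with the WAN address or gateway")
        elif not any(ext in n for n in parp):
            findings.append(f"1:1 {ext}: no proxy ARP entry on wan, nothing will reach it")
        if not is_passed(passed, o.findtext("internal"), None):
            findings.append(f"1:1 {ext}: no WAN pass rule to {o.findtext('internal')}")

    for r in root.findall("nat/rule"):              # server NAT: firewall IP only
        ext = r.findtext("external-address")        # assumption: absent = interface IP
        if ext and ipaddress.ip_address(ext) != wan_ip:
            findings.append(f"server NAT {r.findtext('descr')}: external {ext} is not "
                            f"the firewall IP {wan_ip}; use 1:1 NAT plus proxy ARP")
        if not is_passed(passed, r.findtext("target"), r.findtext("local-port")):
            findings.append(f"server NAT {r.findtext('descr')}: no WAN pass rule to "
                            f"{r.findtext('target')}:{r.findtext('local-port')}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_config(cfg) or "OK")
```

Run it against a full config.xml by passing the file contents to `check_config`; the findings read as the fixes Lee describes (move the address to 1:1 NAT and add proxy ARP, or put the forward on the firewall IP).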