 From:  Arunas Vaitekunas <aras at fan dot lt>
 To:  'Monowall Support List' <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Firewall bug? or misconfiguration
 Date:  Wed, 17 Jan 2007 16:19:08 +0200
Hi,

    I'm using m0n0 v1.22. Let me explain my setup.

[ Office1  192.168.100.0/24 ]
      |
   (Cisco1)------------Ipsec VPN-----------------
                                                |              Public Server1
                                                |                     |
[Office1 192.168.101.0/24]                      |                  <Vlan1>
      |                                         |                     |   |--<vlan1>--|
   (Cisco2)-------------Ipsec VPN-----------(Cisco HQ)-<vlan1,2>--[SWITCH]             [m0n0wall]----[HQ office LAN]
                                                |                     |   |--<vlan2>--|
                                                |                  <vlan1>
[OfficeX...  192.168.0.0/16 ]                   |                     |
      |                                         |              Public Server2
   (Cisco3)------------Ipsec VPN-----------------


OfficeX: 192.168.100.x-192.168.140.x (subnet mask /24)
    All offices connected through DSL 512kbps
VLAN2: has 6 public IPs
VLAN1: 172.16.0.1 (cisco if), 172.16.0.2(m0n0 if)
HQ Office: 192.168.42.0/24
    HQ Office connected through leased line 1024kbps

(Cisco1,Cisco2,CiscoX) MTU: 1430; there is no possibility to make the 
MTU of the VPN tunnel bigger

m0n0wall has 3 interfaces:
    WAN: 213.x.x.x/29 <vlan1>
    LAN: 192.168.42.0/24
    Cisco1721: 172.16.0.0/30 <vlan2>

Rules:
    IF: LAN - SRC:192.168.0.0/16 permit all in/out
    IF: Cisco1721 - SRC: src:* dest:* port:* allow

Summary: all traffic on the LAN and Cisco1721 interfaces is allowed.

Let me explain my problem.
    When I, for example, on one of the OfficeX computers try to refresh Group 
Policy (command: gpupdate /force)
    On m0n0wall I see errors:

    1. DROP 13:00:18.679267 cisco1721 192.168.135.11 192.168.42.248, 
type 11866:576@1480) ICMP

    after some time (5-15 sec.)
    DROP - 13:02:30.458596 LAN 192.168.42.248 192.168.135.11, type 
timxceed/reassem ICMP
    DROP - 13:02:24.458692 LAN 192.168.42.248 192.168.135.11, type 
timxceed/reassem ICMP

    So in the event log I see that Group Policy cannot be refreshed because 
the domain controller was not found on the OfficeX network.

    Q:    Why does m0n0 drop packets if the rules permit all from * to *?

Lots of thanks for your help.
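The two kinds of DROP line quoted in this message are the whole evidence, so the useful first step is to parse them and relate the fragment figures to the MTUs in play. The following is an added example, not code from the original post or from the m0n0wall project. It assumes the field order visible in the quoted lines (action, optional "-", time, interface, source, destination, "type <text>", protocol), reads "11866:576@1480" as an IP fragment marker of the form id:length@offset with the length including a 20-byte IP header (an assumption about the log notation), and treats "timxceed/reassem" as an ICMP time-exceeded-in-reassembly message. The sample log is a constructed copy of the quoted lines plus one PASS line in the same shape.

```python
"""Parse m0n0wall-style firewall log lines and relate fragment drops to link MTUs."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: copies of the lines quoted in the post plus one PASS line
# in the same shape so the classifier sees a non-drop. Not a live capture.
SAMPLE_LOG = """\
DROP 13:00:18.679267 cisco1721 192.168.135.11 192.168.42.248, type 11866:576@1480) ICMP
DROP - 13:02:30.458596 LAN 192.168.42.248 192.168.135.11, type timxceed/reassem ICMP
DROP - 13:02:24.458692 LAN 192.168.42.248 192.168.135.11, type timxceed/reassem ICMP
PASS - 13:02:25.000000 LAN 192.168.42.10 192.168.42.248, type echo ICMP
"""

# Field layout assumed from the quoted lines. The stray ")" after the fragment
# text is tolerated rather than treated as part of the type.
LINE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?:-\s+)?(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<iface>\S+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+),\s+"
    r"type\s+(?P<type>.+?)\)?\s+(?P<proto>\S+)$"
)
# Assumption: "id:len@offset" marks an IP fragment (IP id, fragment length in
# bytes including the IP header, fragment offset in bytes).
FRAG_RE = re.compile(r"^(?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)$")

IP_HEADER_LEN = 20  # assumes no IP options


@dataclass(frozen=True)
class Entry:
    action: str
    time: str
    iface: str
    src: str
    dst: str
    type_text: str
    proto: str


def parse_line(line: str) -> Optional[Entry]:
    """One log line to an Entry, or None if it does not fit the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["action"], m["time"], m["iface"], m["src"], m["dst"], m["type"], m["proto"])


def parse_log(text: str) -> list[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def fragment_info(entry: Entry) -> Optional[tuple[int, int, int]]:
    """(ip_id, fragment_len, fragment_offset) when the type text is a fragment marker."""
    m = FRAG_RE.match(entry.type_text)
    if not m:
        return None
    return int(m["id"]), int(m["len"]), int(m["off"])


def classify(entry: Entry) -> str:
    """Bucket an entry: a dropped non-first fragment, a reassembly timeout, or other."""
    if fragment_info(entry) is not None:
        return "fragment"
    if entry.type_text == "timxceed/reassem":
        return "reassembly_timeout"  # ICMP time exceeded during fragment reassembly
    return "other"


def fragment_plan(total_len: int, mtu: int) -> list[tuple[int, int]]:
    """Fragments (length incl. header, offset) an IPv4 datagram of total_len bytes
    becomes on a link with the given MTU. Fragment payloads are multiples of 8."""
    payload = total_len - IP_HEADER_LEN
    per_frag = (mtu - IP_HEADER_LEN) // 8 * 8
    plan, off = [], 0
    while off < payload:
        chunk = min(per_frag, payload - off)
        plan.append((chunk + IP_HEADER_LEN, off))
        off += chunk
    return plan


def datagram_len_if_last(frag_len: int, frag_off: int) -> int:
    """Original datagram length implied by a fragment, assuming it is the last one."""
    return frag_off + frag_len


def summarize(text: str) -> dict[str, int]:
    """Count DROP lines per classification."""
    counts: dict[str, int] = {}
    for e in parse_log(text):
        if e.action == "DROP":
            counts[classify(e)] = counts.get(classify(e), 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(e.action, e.iface, e.src, "->", e.dst, classify(e))
    _, flen, foff = fragment_info(entries[0])
    total = datagram_len_if_last(flen, foff)
    print("datagram length if this is the last fragment:", total)
    print("fragmentation at MTU 1500:", fragment_plan(total, 1500))
    print("fragmentation at MTU 1430:", fragment_plan(total, 1430))
```

Running it shows why the figures in the first DROP line are worth attention: a 576-byte fragment at offset 1480 is exactly the second piece that a 2056-byte datagram becomes on a 1500-byte MTU link (1500 bytes at offset 0, then 576 at 1480), and at the 1430-byte tunnel MTU the same datagram would split differently (1428 at 0, then 648 at 1408). A firewall that inspects only the first fragment of a datagram, or a path that re-fragments and never delivers every piece, will produce the reassembly-timeout messages seen on the LAN side; the parser makes it easy to confirm that pattern across a longer log rather than from three lines.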