If you're one of those with more than one ip address, or one of those having
subnets routed to your monowall, this might be worth a look. If you only
have one address, it likely has no effect on you:
---- PPTP and outbound NAT ----
In 1.3x the outbound autogenerated NAT rule does not include the PPTP range.
In 1.2x there was one, or it was broader.
This means that if you have a LAN of 192.168.0.0/24, and choose to place
PPTP in 192.168.55.x, then there will be no outbound NAT rule for it.
In this case you have to use advanced outbound NAT.
That's okay, maybe there should be a note about it somewhere.
---- Routed subnet and inbound NAT ----
In 1.3x, the rdr generated when you add "inbound nat, wan, interface
address, port 80, to webserver1" is actually a 0.0.0.0/0 rdr.
In my case I have an external address for the m0n0 router, and a small /29
routed via this external address. The /29 is sitting on a physical
interface, i.e. machines attached to that have real, routable addresses.
Since the /29 came 'later', the web/mail/etc. servers are NATed onto the
external router address.
Now since the rdr is 0.0.0.0/0, it means that all tcp/80 traffic to the
outside IP of the router, AND TO ALL OF THE HOSTS IN ALL SUBNETS BEHIND THE
ROUTER, gets directed to the webserver. In my case it means that I can hit
the webserver on 8 ip addresses that aren't the "interface address". The
text "interface address" really means "all traffic coming into this
interface, whether or not it's to this interface address." If I place a
webserver2 on the /29, it will never receive traffic from outside.
The solution is to add the external address to the Server NAT list (this
either requires patching m0n0, or editing the config.xml and rebooting,
since there's a check in the php?), and change all Inbound rules to use the
alias for the external interface.
It's still good.
/Kasper Pedersen
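The two rdr shapes the post contrasts, written out as an added pf.conf illustration that is not part of Kasper's message or of m0n0wall's generated ruleset; the interface name, the WAN address 203.0.113.10 and the webserver address are constructed placeholders:

```pf
# Constructed illustration, not m0n0wall output.
ext_if     = "sis0"            # WAN interface (constructed name)
wan_ip     = "203.0.113.10"    # the m0n0wall's own external address (constructed)
webserver1 = "192.168.0.10"    # LAN host behind the router (constructed)

# What the post reports 1.3x generating for "interface address": the
# destination is unconstrained ("any" == 0.0.0.0/0), so port 80 traffic
# arriving on $ext_if for ANY address, including every host of a routed
# subnet behind the box, is redirected to webserver1. A webserver2 in the
# routed /29 never sees its inbound port 80 traffic.
rdr on $ext_if proto tcp from any to any port 80 -> $webserver1

# Intended behaviour: only traffic whose destination is the WAN address
# itself is redirected; packets addressed to hosts in the routed /29 are
# not matched by this rule and continue to their real destination.
rdr on $ext_if proto tcp from any to $wan_ip port 80 -> $webserver1
```

Adding the external address to the Server NAT list and pointing the inbound rules at that alias, as the post describes, is what turns the generated rule from the first form into the second.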
---------------
my personal patch/tweak list:
In firewall_nat_server_edit.php (allow adding an alias for WAN):
- if ($_POST['ipaddr'] == $config['interfaces']['wan']['ipaddr'])
- $input_errors[] = "The WAN IP address may not be used in a Server NAT
entry.";
In firewall_nat.php (display LAN entries properly):
<?php
if (!$natent['interface'] || ($natent['interface'] == "wan"))
echo "WAN";
else
+ if ($natent['interface'] == "lan")
+ echo "LAN";
else
echo
htmlspecialchars($config['interfaces'][$natent['interface']]['descr']);
?>
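Review bot: the added `if ($natent['interface'] == "lan")` nested inside the outer `else` without braces relies on dangling-else binding to attach the final `else echo htmlspecialchars(...)` to the inner `if`; that is the intended result, but it is easy to misread. Suggest flattening the chain to `elseif ($natent['interface'] == "lan") echo "LAN";` so the three cases (wan, lan, optN) sit at one level.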
In firewall_nat_edit.php (allow LAN NAT entries):
<select name="interface" class="formfld">
<?php
$interfaces = array('wan' => 'WAN');
+ $interfaces['lan']='LAN';
for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) {
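Review bot: adding `$interfaces['lan']='LAN'` only populates the select; the hunk does not show the POST-side validation or the rule generator accepting an interface value of "lan", so confirm that path does not still reject or silently mishandle it. Given the post's own observation that the generated rdr is a 0.0.0.0/0 redirect, a LAN-interface entry would match any LAN-originated traffic on that port, which is a stronger reason to gate this option than the hint text alone.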
- Hint: in most cases, you'll want to use WAN here.</span></td>
+ Hint: in most cases, you'll want to use WAN here.<br>
+ (Only use LAN if you understand what you are doing!)</span></td> |
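Review bot: the new parenthetical warns the user off but does not say what goes wrong; a hint that names the consequence is more useful than "if you understand what you are doing". Suggest wording along the lines of "A LAN entry redirects matching traffic originating on the LAN, not traffic arriving from the Internet", which is the behaviour the rest of the post describes.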