[ previous ] [ next ] [ threads ]
 
 From:  "Tim Brewer" <T dot Brewer at beth dot school dot nz>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Weird ping reply through route
 Date:  Thu, 21 Jun 2007 09:56:23 +1200
Our setup is a Back-to-Back Perimeter network with 2 m0n0wall boxes. (M1
and M2)
Internet <- M1 -> DMZ Area <- M2 -> LAN
 
M1 WAN - Ext IP's
M1 LAN - 192.168.200.190
 
M2 WAN - 192.168.200.80
M2 LAN - 10.10.10.80
 
Gateway on DMZ servers to be M1 Lan IP
Gateway on LAN servers is M2 Lan IP
 
There is a static route setup on M1 for the 10. network, pointing to M2
Wan IP
 
DMZ and LAN servers are Windows 2000 or 2003.
From a DMZ server, we can ping all LAN pc's and the ping response comes
back with the appropriate 10. IP address, except one.
This servers ping respones comes back with M2's WAN IP, not its 10. IP.
 
I have set allow all rules for testing on both the LAN and WAN
interfaces of M2, and enabled logging for these.
When pinging a 'working' address, a ping show up in the log from the DMZ
server IP (192.168.200.14) to the appropriate LAN IP (10.0.0.x),
HOWEVER, when pinging this one particular server, there is no log entry.
 
It is as though M2 is responding on behalf of the server, not passing
the request through. There is only one NAT for this IP (10.0.0.37) and
that is for Port 389 (LDAP). I have even changed this to another IP to
test, with no change. I have also rebooted M2 and the 10.0.0.37 server
in question, checked any NAT's, rules and otherwise on the m0n0's that
may be causing this, have cleared caches all with the same result.
 
I have searched the list for route and ping problems, to no avail. Does
anyone have any suggestions for me to try as I am at wits end!
 
As a side note, our ultimate goal with this is to make a one way trust
from our DMZ AD domain to our LAN AD domain for authentication purposes,
so if there is a better way to do this I'll be more than happy to try it
out.
 
Thanks
Tim