 From:  "David Burgess" <apt dot get at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] 1:1 (onetoone) NAT & filtering
 Date:  Fri, 13 Jul 2007 20:27:55 -0600
On 7/13/07, Jérémie Tarot <jeremie dot tarot at free dot fr> wrote:
> Hi,
>
> First, forgive me for insisting (already posted on the forums,
> http://forum.m0n0.ch/index.php/topic,758.0.html), but this tends to
> become an emergency :/
>
> I'm trying to set up a new SDSL connection, bundled with xx.xx.28.96/29
> public IP addresses, on my OPT4 interface. I already have an ADSL link
> for users net access on WAN, and another SDSL on OPT1 for inter-site
> traffic.
>
> So far:
>     * I have given address xx.xx.28.98 to OPT4, the ISP's modem having
> xx.xx.28.97 (can ping the router & the net from m0n0)
>     * I have configured 2 1:1 NATs with automatic ProxyARP config (can
> ping the router from the NATed servers):
>        - OPT4  xx.xx.28.99/32   xx.xx.1.3/32  Public Server in DMZ
> (behind OPT3)
>        - OPT4  xx.xx.28.100/32  xx.xx.3.3/32  Asterisk Server in VOIP
> (behind OPT2)
>     * I have set up a static route to my VoIP gateway (working, can ping
> the gateway through OPT4):
>        - OPT4    xx.xx.78.35/32      xx.xx.28.97    Route to VoIP
> Gateway at the ISP
>     * As learned from reading the list archive (after posting on the
> forums :P), configured a rule with logging to pass traffic from *:* to
> servers' _private_ IPs:
>        *    *    *    xx.xx.3.3    *    DEBUG: Ping any to 1:1ed
> Asterisk server
>
> Still no luck, logs keep on showing me blocked ICMP connections:
>
>        blocked    OPT4    xx.xx.xx.xx    xx.xx.3.3, type echo/0    ICMP



Shouldn't your allow rule use the VOIP's public IP rather than its
private IP as destination?

db