David Burgess wrote:
> On 7/13/07, Jérémie Tarot <jeremie dot tarot at free dot fr> wrote:
>> Hi,
>>
>> First, forgive me for insisting (already posted on the forums,
>> http://forum.m0n0.ch/index.php/topic,758.0.html), but this tends to
>> become an emergency :/
>>
>> I'm trying to set up a new SDSL connection, bundled with xx.xx.28.96/29
>> public IP addresses, on my OPT4 interface. I already have an ADSL link
>> for users net access on WAN, and another SDSL on OPT1 for inter-site
>> traffic.
>>
>> So far:
>> * I have given address xx.xx.28.98 to OPT4, the ISP's modem having
>> xx.xx.28.97 (can ping the router & the net from m0n0)
>> * I have configured 2 1:1 NATs with automatic ProxyARP config (can
>> ping the router from the NATed servers):
>> - OPT4 xx.xx.28.99/32 xx.xx.1.3/32 Public Server in DMZ
>> (behind OPT3)
>> - OPT4 xx.xx.28.100/32 xx.xx.3.3/32 Asterisk Server in VOIP
>> (behind OPT2)
>> * I have set up a static route to my VoIP gateway (working, can ping
>> the gateway through OPT4):
>> - OPT4 xx.xx.78.35/32 xx.xx.28.97 Route to VoIP
>> Gateway at the ISP
>> * As learned from reading the list archive (after posting on the
>> forums :P), configured a rule with logging to pass traffic from *:* to
>> servers _private_ IPs:
>> * * * xx.xx.3.3 * DEBUG: Ping any to 1:1ed
>> Asterisk server
>>
>> Still no luck, logs keep on showing me blocked ICMP connections:
>>
>> blocked OPT4 xx.xx.xx.xx xx.xx.3.3, type echo/0 ICMP
>
> Shouldn't your allow rule use the VOIP's public IP rather than its
> private IP as destination?
>
> db

No, it should use the private IP if it's 1:1 NAT.

I do have a question though. Do you have rules in BOTH directions? You only stated you have a rule coming into your network but showed us no rules going out. OPT interfaces do not have default rules set up, so it would be helpful to see exactly what you have set up.

Chris