[ previous ] [ next ] [ threads ]
 
 From:  "Roland Giesler" <roland at thegreentree dot za dot net>
 To:  "Jewell, Michael" <mjewell at law dot umaryland dot edu>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Two m0n0walls that connect LAN via WAN?
 Date:  Fri, 9 Nov 2007 20:25:50 +0200
On 11/9/07, Jewell, Michael <mjewell at law dot umaryland dot edu> wrote:
> I'm thinking you need to add nat rules to allow one side to connect to the other.
If I need to add rules, then which rules?   Remember, all traffic
leaves a network via the default route.  The SP (at the hub) routes
traffic to LAN2 and the rest to the internet and vice-versa.  So even
if I add some kind of route, what do I put in the route?  There is
only one gateway and that is by default the route to use.

> Or you could set up a site-to-site vpn from 1 m0n0 to the other m0n0,  this would bridge the 2
networks so they could talk without the nat rules.

I have tried an IPSec tunnel, but the results are similar.

I have now done some more testing here is what has transpired:

1. Windows (!!! aaaarg!!!) does not do tracert the way FreeBSD (and
*nixes I would guess) does.  FreeBSD used UDP on some large port
number 334510 and increases this for each hob by one.  Windows on the
other hand uses UDP on port 137!  With FreeBSD I can tracert all the
machine on each side without a problem, without any other routers.

So I gave up on the tracert from windows (since it's pretty much a
waste of time, it appeared) and moved on to checking the logs for what
happens when I attempt to browse the one LAN from the other.
Here it gets really freaky:
Of course windows attempt to use netbios, so I disabled the filters I
have on the LAN port that block Netbios (as below)

TCP 	*  	*  	*  	135  	Block NetBIOS   	
TCP 	* 	* 	* 	137 - 139 	Block NetBIOS  	
TCP 	* 	* 	* 	445 	Block NetBIOS  	

But the logs keep showing that the traffic back from the server I'm
attempting to browse is being blocked:

19:58:57.774503  LAN  172.16.4.2, port 445  41.206.xxx.xxx, port 6256  TCP
19:58:57.774462  LAN  172.16.4.2, port 139  41.206.xxx.xxx, port 6257  TCP
19:58:54.812054  LAN  172.16.4.2, port 139  41.206.xxx.xxx, port 6257  TCP
19:58:54.809788  LAN  172.16.4.2, port 445  41.206.xxx.xxx, port 6256  TCP

So I added a specific rule on the LAN port to allow specifically
traffic to the address that the windows machine is attempting to reply
to (and is being blocked although I disabled the rules that block
netbios!)

*  LAN net  *  41.206.xxx.xxx  	 *  Allow all traffic to blah Router
*  LAN net  *  172.16.3.0/24         *  Allow all traffic to blah

It doesn't make one ounce of difference!  ??

Why?  I have disabled the automatic blocking of private IP ranges on
the WAN port, but that cannot be teh problem since the logs clearly
show that the LAN port is blocking NETBIOS port traffic from the LAN.

Is there something I'm missing somewhere?

Roland

>
> -Mike
>
>
> -----Original Message-----
> From: Roland Giesler [mailto:roland at thegreentree dot za dot net]
> Sent: Friday, November 09, 2007 10:18 AM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] Two m0n0walls that connect LAN via WAN?
>
> I have two LANs that must be connected to each other via a WAN link
> from/to each LAN. The link is provided by the same network provider on
> both ends.  So I have:
>
> LAN1 <--> m0n0 <--> WANRouter1 <-----> NetworkHUBofSP <----->
> WANRouter2 <--> m0n0 <--> LAN2
>
> LAN1 uses 172.16.3.0/24 and LAN2 uses 172.16.4.0/24 and the SP has
> added routes in the NetworkHUB that will route traffic between the two
> network.  This works and can be confirmed by being able to tracert and
> ping the remote site's hosts (various PC's) from the WANRouters on
> each end.
>
> I have a default route set on each router, back to the NetworkHUB
> (public IPs) and the infrastructure is provided by means of a VPN, so
> the traffic is encrypted.
>
> Just so I don't have a mistake in my setup I have created a rule at
> the top of my WAN rules list in each m0n0 that says to allow all
> traffic from all networks to all ports on all networks.  (Not a good
> permanent idea, but at least it rules out the possiblity of some
> obscure error in my setup I think)
>
> Now the problem:  I can ping/traceroute to the LAN port of both m0n0's
> from the other network, but I cannot do the same with the two windows
> domain controllers that are on this LAN's.   Is there some special
> requirement to get the windows server to respond to pings/traceroutes
> from the WAN?  Their default gateways are correct and they respond
> just fine to pings/traceroutes fromt the locally attached m0n0walls?
>
> Maybe I'm doing something else wrong here?  Something I'm not taking
> into consideration?
>
> thanks all
>
> --
> Roland Giesler
> Green Tree Systems cc, Stellenbosch, South Africa
> Mobile: 072-450-2817   http://www.thegreentree.za.net
>
> Shop online at http://www.digitalplanet.co.za/?AID=497
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
>


-- 
Roland Giesler
Green Tree Systems cc, Stellenbosch, South Africa
Mobile: 072-450-2817   http://www.thegreentree.za.net

Shop online at http://www.digitalplanet.co.za/?AID=497