 From:  "Roland Giesler" <roland at thegreentree dot za dot net>
 To:  monowall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Using multiple Ip's on WAN port (Server NAT)
 Date:  Fri, 22 Feb 2008 18:44:52 +0200
Hi all,

I'm sure this was working before (on other client sites), but I cannot
get this going again.

All I want to do is add a subnet (/29) to the WAN port so I can use
all the addresses that my ISP gives me.

I have allowed ICMP traffic to all these addresses with a rule.

 ICMP * * x.x.193.200/29 *

And I have added a server NAT entry

External IP address Description

 x.x.193.203

In my fw log I see

OK  18:36:47.202983  WAN  88.198.39.133  x.x.193.203, type echo/0  ICMP

and it has a green arrow showing the traffic was allowed.

Yet the site I ping from says:

PING x.x.193.203 (41.206.193.203) 56(84) bytes of data.
From x.x.193.202: icmp_seq=3 Destination Host Unreachable
From x.x.193.202 icmp_seq=3 Destination Host Unreachable
From x.x.193.202 icmp_seq=4 Destination Host Unreachable

--- 41.206.193.203 ping statistics ---
4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2998ms

The address that replies with the "destination host Unreachable" is
the WAN port IP.

Why is this happening?  It worked perfectly before at other sites, but
I can't find the error here.

This should not be difficult, or should it?

regards

-- 
Roland Giesler
Green Tree Systems cc, Stellenbosch, South Africa
Mobile: 072-450-2817 http://www.thegreentree.za.net

Shop online at http://www.digitalplanet.co.za/?AID=497