The picture is becoming clearer. Thanks for your comments and advice. I'll play with 1:1 NAT on a test machine to see how it works before going live on it.

regards

On Tue, Feb 26, 2008 at 7:22 PM, Kristian Shaw <monowall at wealdclose dot co dot uk> wrote:
> Hello,
>
> If you would like ICMP responses, you will need to use 1:1 NAT for the
> servers that are externally available, and then configure a rule in the
> advanced outbound NAT for the rest of the machines.
>
> I don't know if there is a specific reason for there being no option for
> ICMP NAT in server NAT; that would be something to ask the m0n0wall
> developers.
>
> Regards,
>
> Kris.
>
> ----- Original Message -----
> From: "Roland Giesler" <roland at thegreentree dot za dot net>
> To: "monowall" <m0n0wall at lists dot m0n0 dot ch>
> Cc: "Kristian Shaw" <monowall at wealdclose dot co dot uk>
> Sent: Tuesday, February 26, 2008 11:04 AM
> Subject: {Spam?} Re: [m0n0wall] Using multiple Ip's on WAN port (Server NAT)
>
>
> > On Mon, Feb 25, 2008 at 11:00 PM, Kristian Shaw
> > <monowall at wealdclose dot co dot uk> wrote:
> >> If you want to use server NAT, ping won't work as there is no NAT
> >> destination for ICMP traffic. However, TCP/UDP NAT'd connections should
> >> still work OK.
> > Help me if I understand this wrongly please: If I have added a Server
> > NAT address x.x.193.203 and I set up an inbound NAT rule that forwards
> > traffic for port 443 to a webserver (for example), and I have a rule
> > on my WAN port that allows traffic on port 443 destined to the machine
> > I'm forwarding the traffic to, then I should be able to reach that
> > machine from the internet, not so?
> >
> > I just went and tested it again, and guess what? https://x.x.193.203
> > to the test site works fine. However, pinging the site does not,
> > although I have a rule that allows pings and a NAT that forwards pings
> > to the same server.
> >
> > Now I went and checked to see if I have a rule that forwards ICMP
> > packets to the host I want to respond when I ping the Server NAT
> > address: x.x.193.203, but it seems one cannot add a rule that NATs
> > pings? Is that by ICMP design, undesirable, or why can this not be
> > done?
> >
> > How would I be able to set up Server NAT addresses so they can be pinged
> > from the internet, and have various services running on ports that I
> > forward to? (As in my example I want a secure website that I can ping
> > via M0n0wall. Or an SSH host that I can ping and SSH into via
> > M0n0wall.)
> >
> > thanks again
> >
> > Roland
> >
> >>
> >> Remember you can use 1:1 NAT for individual machines if you have enough
> >> public addresses, and then just NAT all the other machines in your
> >> network using the "advanced outbound NAT" rules.
> >>
> >> Kris.
> >>
> >> ----- Original Message -----
> >> From: "Roland Giesler" <roland at thegreentree dot za dot net>
> >> To: "Kristian Shaw" <monowall at wealdclose dot co dot uk>
> >> Sent: Monday, February 25, 2008 10:05 AM
> >> Subject: {Spam?} Re: [m0n0wall] Re: {Spam?} [m0n0wall] Using multiple
> >> Ip's on WAN port (Server NAT)
> >>
> >>
> >> > On Fri, Feb 22, 2008 at 9:22 PM, Kristian Shaw
> >> > <monowall at wealdclose dot co dot uk> wrote:
> >> >> Hello,
> >> >>
> >> >> It looks like you should be using 1:1 NAT, if you would like to assign
> >> >> public addresses to machines behind the firewall with private addresses.
> >> > But I don't want to do that. I just want multiple IP addresses on the
> >> > WAN card to respond to various types of traffic. And one may be
> >> > NAT'ed to some other machine (a web server for example) while another
> >> > may be forwarding port 3389 to my desktop machine's RDP port. 1:1 NAT
> >> > means I have to set up each NAT config for each machine, not so? In
> >> > other words, no automatic NATting for all the clients on the network.
> >> >
> >> > Or am I missing something here?
> >> >
> >> > regards
> >> >
> >> > Roland
> >> >
> >> >>
> >> >> Kris.
> >> >>
> >> >> ----- Original Message -----
> >> >> From: "Roland Giesler" <roland at thegreentree dot za dot net>
> >> >> To: "monowall" <m0n0wall at lists dot m0n0 dot ch>
> >> >> Sent: Friday, February 22, 2008 4:44 PM
> >> >> Subject: {Spam?} [m0n0wall] Using multiple Ip's on WAN port (Server NAT)
> >> >>
> >> >>
> >> >> > Hi all,
> >> >> >
> >> >> > I'm sure this was working before (on other client sites), but I cannot
> >> >> > get this going again.
> >> >> >
> >> >> > All I want to do is add a subnet (/29) to the WAN port so I can use
> >> >> > all the addresses that my ISP gives me.
> >> >> >
> >> >> > I have allowed ICMP traffic to all these addresses with a rule.
> >> >> >
> >> >> > ICMP * * x.x.193.200/29 *
> >> >> >
> >> >> > And I have added a server NAT entry
> >> >> >
> >> >> > External IP address    Description
> >> >> >
> >> >> > x.x.193.203
> >> >> >
> >> >> > In my fw log I see
> >> >> >
> >> >> > OK 18:36:47.202983 WAN 88.198.39.133 x.x.193.203, type echo/0 ICMP
> >> >> >
> >> >> > and it has a green arrow showing the traffic was allowed.
> >> >> >
> >> >> > Yet the site I ping from says:
> >> >> >
> >> >> > PING x.x.193.203 (41.206.193.203) 56(84) bytes of data.
> >> >> > From x.x.193.202: icmp_seq=3 Destination Host Unreachable
> >> >> > From x.x.193.202 icmp_seq=3 Destination Host Unreachable
> >> >> > From x.x.193.202 icmp_seq=4 Destination Host Unreachable
> >> >> >
> >> >> > --- 41.206.193.203 ping statistics ---
> >> >> > 4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2998ms
> >> >> >
> >> >> > The address that replies with the "destination host Unreachable" is
> >> >> > the WAN port IP.
> >> >> >
> >> >> > Why is this happening? It worked perfectly before at other sites, but
> >> >> > I can't find the error here.
> >> >> >
> >> >> > This should not be difficult, or should it?
> >> >> >
> >> >> > regards
> >> >> >
> >> >> > Roland
> >>
>

--
Roland Giesler
Green Tree Systems cc, Stellenbosch, South Africa
Mobile: 072-450-2817 http://www.thegreentree.za.net

Shop online at http://www.digitalplanet.co.za/?AID=497
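The behaviour the thread describes, as an added example that is not part of the original posts or of m0n0wall itself: a small model of inbound processing in which NAT runs before the filter (the order m0n0wall uses, so filter rules name the private address), Server NAT carries only per-port forwards, and 1:1 NAT maps a whole public address. The addresses, the webserver host, and the rule set are constructed for illustration.

```python
"""Why a "Server NAT" address answers HTTPS but not ping.

Added example, not m0n0wall code; addresses are constructed (RFC 5737 range).
Inbound NAT runs before the filter. Server NAT only carries per-port forwards,
so an ICMP echo request (which has no port) gets no translation; 1:1 NAT maps
the whole address for every protocol.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

WAN_IP = "203.0.113.201"                     # firewall's own WAN address (constructed)
PUBLIC_NET = ip_network("203.0.113.200/29")  # the ISP's /29 on the WAN port (constructed)
WEBSERVER = "192.168.1.10"                   # internal host being published (constructed)

@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for ICMP, which has no port

# Server NAT: published address -> {(proto, port): internal host}
SERVER_NAT = {"203.0.113.203": {("tcp", 443): WEBSERVER}}
# 1:1 NAT: published address -> internal host, protocol-agnostic
ONE_TO_ONE = {"203.0.113.204": WEBSERVER}
# Filter rules (proto, destination) as seen after NAT: the original
# "ICMP * * <public /29> *" rule plus rules for the private webserver address
RULES = [("icmp", PUBLIC_NET),
         ("icmp", ip_network(WEBSERVER + "/32")),
         ("tcp", ip_network(WEBSERVER + "/32"))]

def translate(p: Packet) -> Optional[str]:
    """Inbound NAT lookup: internal destination, or None if nothing maps."""
    if p.dst in ONE_TO_ONE:
        return ONE_TO_ONE[p.dst]
    return SERVER_NAT.get(p.dst, {}).get((p.proto, p.dport))

def process(p: Packet) -> str:
    """Run one inbound packet through NAT, then the filter, and report its fate."""
    target = translate(p)
    final_dst = ip_address(target or p.dst)
    if not any(proto == p.proto and final_dst in net for proto, net in RULES):
        return "blocked"
    if target is None:
        # Passed the filter (the log shows it as allowed), yet no host owns the
        # address: the firewall only proxy-ARPs it, so it answers itself.
        return f"Destination Host Unreachable from {WAN_IP}"
    return f"forwarded to {target}"
```

Running the same ICMP echo against the Server NAT address and the 1:1 NAT address shows the difference the thread arrives at: the first is allowed but unanswered, the second reaches the webserver.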