 From:  "Roland Giesler" <roland at thegreentree dot za dot net>
 To:  monowall <m0n0wall at lists dot m0n0 dot ch>
 Cc:  "Kristian Shaw" <monowall at wealdclose dot co dot uk>
 Subject:  Re: [m0n0wall] Using multiple Ip's on WAN port (Server NAT)
 Date:  Tue, 26 Feb 2008 13:04:53 +0200
On Mon, Feb 25, 2008 at 11:00 PM, Kristian Shaw
<monowall at wealdclose dot co dot uk> wrote:
>  If you want to use server NAT, ping won't work as there is no NAT
>  destination for ICMP traffic. However, TCP/UDP NAT'd connections should
>  still work OK.
Help me if I understand this wrongly, please: if I have added a Server
NAT address x.x.193.203 and I set up an inbound NAT rule that forwards
traffic for port 443 to a webserver (for example), and I have a rule
on my WAN port that allows traffic on port 443 destined to the machine
I'm forwarding the traffic to, then I should be able to reach that
machine from the internet, not so?

I just went and tested it again, and guess what?  https://x.x.193.203
to the test site works fine.  However, pinging the site does not,
although I have a rule that allows pings and a NAT that forwards pings
to the same server.

Now I went and checked to see if I have a rule that forwards ICMP
packets to the host I want to respond when I ping the Server NAT
address x.x.193.203, but it seems one cannot add a rule that NATs
pings?  Is that by ICMP design, undesirable, or why can this not be
done?

How would I be able to set up Server NAT addresses so they can be pinged
from the internet, and have various services running on ports that I
forward to?  (As in my example, I want a secure website that I can ping
via M0n0wall, or an SSH host that I can ping and SSH into via
M0n0wall.)

thanks again

Roland

>
>  Remember you can use 1:1 NAT for individual machines if you have enough
>  public addresses, and then just NAT all the other machines in your network
>  using the "advanced outbound NAT" rules.
>
>  Kris.
>
>  ----- Original Message -----
>  From: "Roland Giesler" <roland at thegreentree dot za dot net>
>  To: "Kristian Shaw" <monowall at wealdclose dot co dot uk>
>  Sent: Monday, February 25, 2008 10:05 AM
>  Subject: {Spam?} Re: [m0n0wall] Re: {Spam?} [m0n0wall] Using multiple Ip's
>  on WAN port (Server NAT)
>
>
>  > On Fri, Feb 22, 2008 at 9:22 PM, Kristian Shaw
>  > <monowall at wealdclose dot co dot uk> wrote:
>  >> Hello,
>  >>
>  >>  It looks like you should be using 1:1 NAT, if you would like to assign
>  >> public
>  >>  addresses to machines behind the firewall with private addresses.
>  > But I don't want to do that.  I just want multiple IP addresses on the
>  > WAN card to respond to various types of traffic.  And one may be
>  > NAT'ed to some other machine (a web server for example) while another
>  > may be forwarding port 3389 to my desktop machine's RDP port.  1:1 NAT
>  > means I have to set up each NAT config for each machine, not so?  In
>  > other words, no automatic NATting for all the clients on the network.
>  >
>  > Or am I missing something here?
>  >
>  > regards
>  >
>  > Roland
>  >
>  >>
>  >>  Kris.
>  >>
>  >>  ----- Original Message -----
>  >>  From: "Roland Giesler" <roland at thegreentree dot za dot net>
>  >>  To: "monowall" <m0n0wall at lists dot m0n0 dot ch>
>  >>  Sent: Friday, February 22, 2008 4:44 PM
>  >>  Subject: {Spam?} [m0n0wall] Using multiple Ip's on WAN port (Server NAT)
>  >>
>  >>
>  >>  > Hi all,
>  >>  >
>  >>  > I'm sure this was working before (on other client sites), but I cannot
>  >>  > get this going again.
>  >>  >
>  >>  > All I want to do is add a subnet (/29) to the WAN port so I can use
>  >>  > all the addresses that my ISP gives me.
>  >>  >
>  >>  > I have allowed ICMP traffic to all these addresses with a rule.
>  >>  >
>  >>  > ICMP * * x.x.193.200/29 *
>  >>  >
>  >>  > And I have added a server NAT entry
>  >>  >
>  >>  > External IP address Description
>  >>  >
>  >>  > x.x.193.203
>  >>  >
>  >>  > In my fw log I see
>  >>  >
>  >>  > OK   18:36:47.202983  WAN  88.198.39.133  x.x.193.203, type echo/0 ICMP
>  >>  >
>  >>  > and it has a green arrow showing the traffic was allowed.
>  >>  >
>  >>  > Yet the site I ping from says:
>  >>  >
>  >>  > PING x.x.193.203 (41.206.193.203) 56(84) bytes of data.
>  >>  > From x.x.193.202: icmp_seq=3 Destination Host Unreachable
>  >>  > From x.x.193.202 icmp_seq=3 Destination Host Unreachable
>  >>  > From x.x.193.202 icmp_seq=4 Destination Host Unreachable
>  >>  >
>  >>  > --- 41.206.193.203 ping statistics ---
>  >>  > 4 packets transmitted, 0 received, +3 errors, 100% packet loss, time
>  >>  > 2998ms
>  >>  >
>  >>  > The address that replies with the "destination host Unreachable" is
>  >>  > the WAN port IP.
>  >>  >
>  >>  > Why is this happening?  It worked perfectly before at other sites, but
>  >>  > I can't find the error here.
>  >>  >
>  >>  > This should not be difficult, or should it?
>  >>  >
>  >>  > regards
>  >>  >
>  >>  > --
>  >>  > Roland Giesler
>  >>  > Green Tree Systems cc, Stellenbosch, South Africa
>  >>  > Mobile: 072-450-2817 http://www.thegreentree.za.net
>  >>  >
>  >>  > Shop online at http://www.digitalplanet.co.za/?AID=497
>  >>  >
>  >>  > ---------------------------------------------------------------------
>  >>  > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>  >>  > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>  >>  >
>  >>  >
>  >>
>  >>
>  >>
>  >>
>  >
>  >
>  >
>  >
>
>



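An added example, not from this thread or from the m0n0wall project, written in the ipnat rule syntax of the ipfilter backend m0n0wall uses under the hood. It shows the difference Kris describes: a server NAT / inbound NAT entry is a port-keyed `rdr` that matches only the TCP or UDP port you name, so an ICMP echo to the same public address matches nothing and is not forwarded, whereas a 1:1 NAT (`bimap`) maps the whole address for every protocol, ICMP included. The interface name fxp0, the documentation range 203.0.113.200/29 standing in for the thread's x.x.193.200/29, and the private addresses are all assumptions for illustration.

```conf
# ---- Option A: Server NAT + inbound NAT (port forwards), as in the thread ----
# Each rdr matches one protocol and one port on the public address.
# 203.0.113.203:443/tcp -> web server, 203.0.113.204:3389/tcp -> desktop RDP.
rdr fxp0 203.0.113.203/32 port 443  -> 192.168.1.10 port 443  tcp
rdr fxp0 203.0.113.204/32 port 3389 -> 192.168.1.20 port 3389 tcp
# An ICMP echo request to 203.0.113.203 carries no port, so neither rdr
# matches it; nothing in this table can redirect it to 192.168.1.10.

# ---- Option B: 1:1 NAT (bimap) for the hosts that must also answer ping ----
# A bidirectional whole-address mapping: inbound ICMP echo, TCP 443 and
# TCP 22 to 203.0.113.203 all reach 192.168.1.10, and its outbound traffic
# leaves sourced from 203.0.113.203.  (Use either A or B for a given
# public address, not both.)
bimap fxp0 192.168.1.10/32 -> 203.0.113.203/32

# ---- Every other LAN host: ordinary many-to-one outbound NAT ----
# This is what "advanced outbound NAT" generates; the assumed WAN address
# is 203.0.113.202.
map fxp0 192.168.1.0/24 -> 203.0.113.202/32 portmap tcp/udp auto
map fxp0 192.168.1.0/24 -> 203.0.113.202/32

# ---- Matching filter rules (ipf syntax), assumed interface fxp0 ----
# ipfilter applies ipnat before filtering on inbound packets, so the pass
# rules name the post-NAT private destination, as the thread's 443 rule does.
# pass in quick on fxp0 proto tcp  from any to 192.168.1.10/32 port = 443 flags S keep state
# pass in quick on fxp0 proto tcp  from any to 192.168.1.10/32 port = 22  flags S keep state
# pass in quick on fxp0 proto icmp from any to 192.168.1.10/32 icmp-type echo keep state
```

The rdr/bimap split is why the thread's https test succeeds while the ping to the same address fails: a filter rule can allow the echo request, but with only rdr entries there is no translation to carry it to an internal host. If an address must be pingable as well as forwarded, give that host a bimap entry and keep port-keyed rdr entries for the addresses where only specific services are exposed.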