 From:  Tarun Kundhi <tkundhi at inebraska dot com>
 To:  Trevor Merrill <trevor dot merrill at gmail dot com>
 Cc:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Help with setup
 Date:  Sun, 25 May 2008 17:08:01 -0500

Are you trying to ping the external ip from your LAN? If so I don't 
think that will work. It doesn't on 1.2x. We have a similar setup but 
we've put the external servers in a DMZ. Sorry I don't know what your 
problem is but here is how I tested/implemented our setup after failing 
to get everything working initially.

First I set up my WAN x.x.x.x /27, LAN (192.168.1.x) & DMZ 
(192.168.10.x). For firewall rules I started with 2 rules: LAN access to 
everywhere, DMZ access to everywhere except LAN, no WAN rules.

1. verify you can get to Internet from LAN
2. verify you can get to DMZ servers from LAN (via ip, if you must use a 
domain name add entries to DNS forwarder)
3. verify a DMZ server can get to the Internet
4. verify you can't get from DMZ to LAN

If you can't do all of the above then the problem is with your basic 
setup. General setup, DHCP, basic firewall or DNS. If it is working 

Now add a NAT 1:1 setting for one of the DMZ servers (Allow m0n0wall to 
create the Proxy ARP automatically for you). Next add a WAN firewall 
rule allowing external access from any ip & any port to the internal DMZ 
address of the web server for port 80 only (do same for HTTPS if 
needed). Remember it is the any source host, any source port & the 
internal ip destination & the internal ip port. Now test inbound WAN 
access from an external ip. If it works replicate configuration for the 
other servers. If it doesn't relax the WAN firewall rule to permit all 
ports from WAN to all port on internal DMZ ip. This will help you 
determine if it is your firewall rules or your NAT settings. Also make 
sure you don't have a firewall running on your server that is improperly 
configured. If you are running a firewall on the server turn it off for 

Note, I assigned my servers their internal ips by DHCP. But added static 
entries based upon their MAC address to the Service: DHCP server page. 
This way they are static but get their DNS information forwarded to them 
by m0n0wall and I'm not managing their DNS separately. I have the DNS 
forwarder enabled. I also use aliases to make firewall rule 
configuration easier.

Starting over and testing at each step may be fastest. It was for me 
when I first deployed this setup. I'm not an experienced network 
administrator but was able to use this approach to set up m0n0wall with 
4 local subnets, LAN, PBX, DMZ, GUEST, plus traffic shaping and point to 
point VPN from our main office to 4 remote offices.
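The rule set and the four verification steps described in the message above, modelled as an added example. This is not m0n0wall code and not from either poster: it is a small first-match policy evaluator with a 1:1 NAT step in front of the filter, so the reader can see why the WAN rule has to name the internal DMZ address and what each of the four checks exercises. All addresses are constructed: 192.168.1.0/24 for LAN, 192.168.10.0/24 for DMZ, and 203.0.113.0/24 standing in for the x.x.x.x public block.

```python
"""Added example (not m0n0wall code): a first-match policy evaluator that
models the rule set described in the post.  Addresses are constructed:
192.168.1.0/24 is LAN, 192.168.10.0/24 is DMZ, 203.0.113.0/24 stands in
for the x.x.x.x public block."""

import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("192.168.10.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
WEB1_INTERNAL = "192.168.10.37"     # constructed DMZ web server address
WEB1_EXTERNAL = "203.0.113.37"      # constructed public address, 1:1 NATted

# 1:1 NAT map, public -> internal (what the NAT: 1:1 page would hold).
NAT_1TO1 = {WEB1_EXTERNAL: WEB1_INTERNAL}


@dataclass
class Rule:
    iface: str                      # interface the packet arrives on
    action: str                     # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, iface, src, dst, proto, dport):
        return (self.iface == iface
                and src in self.src and dst in self.dst
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


def host(addr):
    """Single-address network for a rule's destination field."""
    return ipaddress.ip_network(addr + "/32")


# The post's starting policy: LAN to everywhere, DMZ to everywhere except
# LAN, then one WAN rule for the web server.  Order matters: the DMZ block
# must sit above the DMZ pass or it is shadowed and never consulted.
RULES = [
    Rule("LAN", "pass", LAN, ANY),
    Rule("DMZ", "block", DMZ, LAN),
    Rule("DMZ", "pass", DMZ, ANY),
    Rule("WAN", "pass", ANY, host(WEB1_INTERNAL), "tcp", 80),
]


def evaluate(src, dst, proto="tcp", dport=None, rules=RULES):
    """Return 'pass' or 'block' for the first packet of a new connection."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    iface = "LAN" if s in LAN else "DMZ" if s in DMZ else "WAN"
    # 1:1 NAT rewrites the destination before the filter runs, which is why
    # the WAN rule has to name the internal DMZ address, not the public one.
    if iface == "WAN" and str(d) in NAT_1TO1:
        d = ipaddress.ip_address(NAT_1TO1[str(d)])
    for rule in rules:
        if rule.matches(iface, s, d, proto, dport):
            return rule.action
    return "block"              # implicit default deny


def verification_steps():
    """The four LAN/DMZ checks from the post plus two inbound WAN probes."""
    return {
        "1 LAN -> Internet":     evaluate("192.168.1.10", "198.51.100.80", "tcp", 443),
        "2 LAN -> DMZ server":   evaluate("192.168.1.10", WEB1_INTERNAL, "tcp", 80),
        "3 DMZ -> Internet":     evaluate(WEB1_INTERNAL, "198.51.100.80", "tcp", 80),
        "4 DMZ -> LAN":          evaluate(WEB1_INTERNAL, "192.168.1.10", "tcp", 445),
        "WAN -> web server :80": evaluate("198.51.100.5", WEB1_EXTERNAL, "tcp", 80),
        "WAN -> web server :22": evaluate("198.51.100.5", WEB1_EXTERNAL, "tcp", 22),
    }


def misconfigured_wan_rule():
    """Writing the WAN rule against the public address instead of the
    internal one: NAT has already rewritten the destination, so the rule
    never matches and port 80 is logged as rejected despite a 'pass' rule."""
    wrong = RULES[:3] + [Rule("WAN", "pass", ANY, host(WEB1_EXTERNAL), "tcp", 80)]
    return evaluate("198.51.100.5", WEB1_EXTERNAL, "tcp", 80, rules=wrong)


if __name__ == "__main__":
    for name, verdict in verification_steps().items():
        print(f"{name:24s} {verdict}")
    print("WAN rule on public address:", misconfigured_wan_rule())
```

Running it prints pass for steps 1 to 3 and the port 80 probe, block for step 4 and the port 22 probe, and block for the misconfigured variant. Swapping the order of the two DMZ rules is a quick way to see rule shadowing: step 4 then reports pass, which is exactly the failure the post's fourth check is meant to catch.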



Trevor Merrill wrote:
> I'll be honest, I am having a hard time being specific in describing 
> my issue. It seems that DNS forwarding, firewall rules and 1:1 NAT 
> could all be culprits but I had an impossible time narrowing down the 
> problem with only a limited time in which the servers could be 
> offline. At this point I would guess that DNS was improperly 
> configured but I can't see how. I duplicated the DNS settings that I 
> had set on the router on the servers and still nothing could resolve. 
> Additionally, I could not access my servers from the WAN side even 
> though port 80 was opened to each host.
> I do appreciate the help.
> Trevor
> On May 25, 2008, at 8:48 AM, Bruno Miayamotto wrote:
>> You have to be very specific in describing your issue.
>> -Net
>> Sent from my iPhone
>> On May 24, 2008, at 19:08, sai <sonicsai at gmail dot com> wrote:
>>> when you say "ping failed going out to www.google.com" , how did it 
>>> fail?
>>> did the server manage to get Google's ip address? what was the output?
>>> can the webservers ping each other and the firewall?
>>> sai
>>> On 5/25/08, Trevor Merrill <trevor dot merrill at gmail dot com> wrote:
>>>> I have tried twice unsuccessfully to implement Monowall in a data center
>>>> and I cannot for the life of me figure out what I am doing wrong. I have a
>>>> similar setup running on another location but I am missing something. I was
>>>> hoping the community could lend a hand so the third time is a charm. Let me
>>>> describe the setup, I can even post the config if it goes that far.
>>>> Here is the setup:
>>>> Monowall 1.3B11 installed on a soekris 4501 - I have had success with this
>>>> at two other sites
>>>> Network Range:
>>>>     WAN
>>>>         x.x.x.32 /28
>>>>         x.x.x.32  Network ID
>>>>         x.x.x.33  Data Center Switch
>>>>         x.x.x.34  My Default Gateway
>>>>         x.x.x.35  Data Center Switch
>>>>         x.x.x.36 through .46  My Useable IP addresses
>>>>         x.x.x.36 - Monowall
>>>>         x.x.x.37 - web server 1
>>>>         x.x.x.38 - web server 2
>>>>         x.x.x.39 - web server 3
>>>>         x.x.x.47  Broadcast
>>>>     Subnet Mask
>>>>     LAN:
>>>>         /24
>>>>         DHCP - ON
>>>>         DHCP Range -
>>>>         DNS - have 3 servers listed in general settings, 2 are root DNS
>>>>         servers and 1 is company DNS
>>>> All 3 servers have a one to one NAT, with reverse Proxy ARP setup
>>>> firewall rules are basic:
>>>> LAN - all ports allowed out
>>>> WAN - ports 80, and a few others in
>>>> I plugged everything in and from laptop connected via DHCP everything was
>>>> working great. I could ping out, browse web, etc but the servers could not
>>>> ping out, and pings to public addresses failed from WAN. The websites they
>>>> host did not come up, attempted browsing from WAN. All signs point to DNS
>>>> settings so I manually entered the DNS settings in the server, even though
>>>> the monowall should forward the DNS queries, and still nothing. The weird
>>>> thing is when I looked at the firewall logs it was rejecting port 80 traffic
>>>> from the WAN to the LAN, even though I had a rule setup allowing it to pass.
>>>> I spent hours trying to figure out what was going on and got more confused
>>>> as time went on. Here is a summary
>>>> 1. Browsing web, pinging www.google.com, checking email worked great with
>>>> laptop connected to LAN via DHCP
>>>> 2. Servers with static LAN IPs, ping failed going out to www.google.com,
>>>> with same DNS settings as DHCP client
>>>> 3. From WAN, hosted websites would not come up, port 80 allowed from WAN to
>>>> LAN
>>>> 4. From WAN, ping failed to public 1:1 NATted IPs, even though ICMP from
>>>> WAN to LAN was allowed
>>>> Any help would be appreciated, Like I said I can post the config as well.
>>>> Trevor
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch