On Sun, Jun 1, 2008 at 10:14 PM, Mark Rinaudo <mark at preferreddatasolutions dot com> wrote:

> Well, here goes my issue. I've searched through the mailing list archives but I haven't found anything quite like my setup.
>
> Here's a diagram of what I'm talking about:
>
> Wan
> m0n0wall
> Lan
> OPT4 (10.10.10.1 vlan*) <---------------------------------> Wan (10.10.10.2)
> [Customer's Router/Firewall]
> Lan ( *.*.*.*/27)
>
> I had a customer that wanted to run his own router/firewall for his own /27 of public IPs.
> Now I only have a /24, so in order to route a /27 to him without using up any more public IPs, I set up an OPT interface on the LAN interface with a private address and had the customer set up a corresponding address so that his router could talk to the interface on m0n0wall. Well, after getting everything set up, incoming worked like a charm. I could access his router's public IP, which fell on the LAN side of his router, and I could access his /27 going through the m0n0wall and the customer's router. However, outgoing access from one of the customer's servers sitting on the /27 would not work. I put a rule on the OPT interface to allow everything through, but for some reason m0n0wall was still blocking the traffic, which was seen in the logs. So I went to the status.php page and took a look at the rules that were running and found something very interesting. I guess at some point m0n0wall put an allow for all traffic for the 10.10.10.0/24 network, since that was the subnet for that OPT interface, and then it denied everything else. Now I did see in the FAQ about disabling NAT, which I did, but this was a firewall issue because I could see that it was blocking it. I'm thinking the problem stems from m0n0wall only expecting traffic from the subnet 10.10.10.0/24 and not from any other network, and especially not from a public /27.

Sounds like you're missing a static route on that interface. Static routes open the antispoofing rules.
Add one and it will let that subnet through.

-Chris
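A small model of the anti-spoofing behaviour Chris describes, added here as an illustration rather than code from m0n0wall or from this thread. It assumes the rule "accept a source address on an interface only if it lies in that interface's own subnet or in a network that a static route sends out via that interface"; the customer's /27 is a constructed placeholder (192.0.2.0/27) since the real block is not on the page.

```python
# Added example (not from the thread): model of an interface anti-spoof check.
# Assumption: a source is accepted on an interface only if it falls inside the
# interface's subnet or inside a network statically routed via that interface.
from ipaddress import ip_address, ip_network

# Constructed sample values: OPT4 carries 10.10.10.1/24; the customer's public
# /27 is a placeholder from the documentation range, not the real block.
OPT4_SUBNET = "10.10.10.1/24"
CUSTOMER_BLOCK = "192.0.2.0/27"
NO_ROUTE = []                                 # the original, failing setup
WITH_ROUTE = [(CUSTOMER_BLOCK, "OPT4")]       # after adding the static route

def build_allowed_sources(interface_subnet, static_routes, interface):
    """Networks from which a packet may legitimately arrive on `interface`."""
    allowed = [ip_network(interface_subnet, strict=False)]
    for destination, via_interface in static_routes:
        if via_interface == interface:
            allowed.append(ip_network(destination, strict=False))
    return allowed

def source_permitted(src, allowed):
    """True when `src` is inside any of the allowed networks."""
    addr = ip_address(src)
    return any(addr in net for net in allowed)

def classify(src, interface_subnet, static_routes, interface="OPT4"):
    """Return the anti-spoof verdict for a packet with source `src`."""
    allowed = build_allowed_sources(interface_subnet, static_routes, interface)
    return "pass" if source_permitted(src, allowed) else "block (anti-spoof)"

def demo():
    """Walk through the four cases the thread implies."""
    return {
        # the customer's router itself is in 10.10.10.0/24, so it always passes
        "peer_no_route": classify("10.10.10.2", OPT4_SUBNET, NO_ROUTE),
        # a server in the /27 is blocked until a static route exists
        "server_no_route": classify("192.0.2.10", OPT4_SUBNET, NO_ROUTE),
        # the same server passes once the /27 is routed via OPT4
        "server_with_route": classify("192.0.2.10", OPT4_SUBNET, WITH_ROUTE),
        # an unrelated source stays blocked even after the route is added
        "stray_with_route": classify("198.51.100.7", OPT4_SUBNET, WITH_ROUTE),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```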