On Sun, Jun 1, 2008 at 10:14 PM, Mark Rinaudo
<mark at preferreddatasolutions dot com> wrote:
> Well here goes my issue. I've searched through the mailing list archives but I haven't found
anything quite like my setup.
> Here's a diagram of what I'm talking about
> OPT4 (10.10.10.1 vlan*) <---------------------------------> Wan (10.10.10.2)
Lan ( *.*.*.*/27)
> I had a customer that wanted to run his own router/firewall for his own /27 of public IP's.
> Now I only have a /24 so in order to route to him a /27 without using anymore public IP's up, I
setup an opt interface on the LAN interface with a private address and had the customer setup a
corresponding address so that his router could talk to the interface on M0n0wall. Well after
getting everything setup incoming worked like a charm. I could access his router's public ip which
fell on the Lan side of his router and I could access his /27 going through the m0n0wall and the
customer's router. However outgoing access from one of the customers servers sitting on the /27
would not work. I put a rule on the opt interface to allow everything through but for some reason
m0n0wall was still blocking the traffic which was seen in the logs. So i went to the status.php
> and took a look at the rules that were running and found something very interesting. I guess at
some point m0n0wall put an allow for all traffic for the 10.10.10.0/24 network since that was the
subnet for that OPT interface and then it denied everything else. Now I did see in the FAQ about
disabling NAT which I did but this was a firewall issue because i could see that it was blocking it.
I'm thinking the problem stems from M0n0wall only expecting traffic from the subnet 10.10.10.0/24
and not from any other network and especially not from a public /27.
Sounds like you're missing a static route on that interface. Static
routes open the antispoofing rules. Add one and it will let that