 From:  "Chris Buechler" <cbuechler at gmail dot com>
 To:  "Mark Rinaudo" <mark at preferreddatasolutions dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Configuration / Limitation of m0n0wall
 Date:  Sun, 1 Jun 2008 22:18:35 -0400
On Sun, Jun 1, 2008 at 10:14 PM, Mark Rinaudo
<mark at preferreddatasolutions dot com> wrote:
> Well here goes my issue. I've searched through the mailing list archives but I haven't found
> anything quite like my setup.
> Here's a diagram of what I'm talking about
>                Wan
> m0n0wall
>                Lan
>                OPT4 ( vlan*) <---------------------------------> Wan (
>                [Customer's Router/Firewall]
>                                                           Lan ( *.*.*.*/27)
> I had a customer that wanted to run his own router/firewall for his own /27 of public IPs.
> Now I only have a /24, so in order to route a /27 to him without using any more public IPs, I
> set up an OPT interface on the LAN interface with a private address and had the customer set up a
> corresponding address so that his router could talk to the interface on m0n0wall. Well, after
> getting everything set up, incoming worked like a charm. I could access his router's public IP, which
> fell on the LAN side of his router, and I could access his /27 going through the m0n0wall and the
> customer's router. However, outgoing access from one of the customer's servers sitting on the /27
> would not work. I put a rule on the OPT interface to allow everything through, but for some reason
> m0n0wall was still blocking the traffic, which was seen in the logs. So I went to status.php
> and took a look at the rules that were running and found something very interesting. I guess at
> some point m0n0wall put an allow for all traffic for the network, since that was the
> subnet for that OPT interface, and then it denied everything else. Now I did see in the FAQ about
> disabling NAT, which I did, but this was a firewall issue because I could see that it was blocking it.
> I'm thinking the problem stems from m0n0wall only expecting traffic from the subnet
> and not from any other network, and especially not from a public /27.

Sounds like you're missing a static route on that interface. Static
routes open the antispoofing rules. Add one and it will let that
subnet through.
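The behaviour described in this exchange, as an added illustration that is not m0n0wall's own code: a simplified model of ingress anti-spoofing in which an interface only accepts source addresses from its own subnet plus any static routes pointing out that interface. The interface names, the private transit subnet on OPT4 and the customer /27 (203.0.113.32/27) are constructed for the example; the point it shows is why the customer's outbound packets were blocked before the static route existed and why adding one lets that subnet through, while source addresses belonging to another interface are still rejected.

```python
"""Simplified model of per-interface anti-spoofing (added example, not m0n0wall code).

An interface accepts a packet only if its source address lies in the
interface's own subnet or in a network reached by a static route via
that interface.  Everything else is treated as spoofed and blocked.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed topology (example values, not real assignments):
# LAN is a private /24; OPT4 is a small private transit subnet toward
# the customer's router, behind which sits the customer's public /27.
INTERFACES: Dict[str, str] = {
    "lan": "192.168.1.0/24",
    "opt4": "10.0.4.0/30",
}

# A static route is (destination network, interface the next hop sits on).
StaticRoute = Tuple[str, str]

# Constructed packets as (ingress interface, source, destination).
PACKETS = [
    ("opt4", "10.0.4.2", "198.51.100.10"),       # customer router's transit address
    ("opt4", "203.0.113.40", "198.51.100.10"),   # server inside the customer /27
    ("opt4", "192.168.1.5", "198.51.100.10"),    # LAN address arriving on OPT4: spoofed
]


def accepted_sources(iface: str, routes: List[StaticRoute]):
    """Networks whose addresses may legitimately appear as source on `iface`:
    the interface subnet plus every static route whose next hop is on it."""
    nets = [ip_network(INTERFACES[iface])]
    nets += [ip_network(dst) for dst, via in routes if via == iface]
    return nets


def antispoof_allows(iface: str, src: str, routes: List[StaticRoute]) -> bool:
    """True if `src` arriving on `iface` passes the anti-spoofing check."""
    addr = ip_address(src)
    return any(addr in net for net in accepted_sources(iface, routes))


def evaluate(packets, routes: List[StaticRoute]):
    """Return (iface, src, verdict) for each packet under the given routes."""
    return [
        (iface, src, "pass" if antispoof_allows(iface, src, routes) else "block")
        for iface, src, _dst in packets
    ]


if __name__ == "__main__":
    # Before the static route: only the transit subnet itself is accepted on OPT4.
    for row in evaluate(PACKETS, []):
        print("no route  ", row)
    # After adding a static route for the customer /27 via OPT4.
    customer_route = [("203.0.113.32/27", "opt4")]
    for row in evaluate(PACKETS, customer_route):
        print("with route", row)
```

The model has two consequences worth noticing: the "allow all" rule the poster added on OPT4 never gets a chance to match, because the anti-spoofing check runs first, and adding the route widens acceptance only for the routed /27, so a LAN-sourced packet arriving on OPT4 is still blocked.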