 
 From:  "Mark Rinaudo" <mark at preferreddatasolutions dot com>
 To:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Configuration / Limitation of m0n0wall
 Date:  Sun, 1 Jun 2008 21:33:27 -0500
Yep that was it. I had the route set up on the Wan interface. Went back and 
selected my OPT4 interface and voila it worked.
Thanks for the help.

Mark

----- Original Message ----- 
From: "Chris Buechler" <cbuechler at gmail dot com>
To: "Mark Rinaudo" <mark at preferreddatasolutions dot com>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Sunday, June 01, 2008 9:18 PM
Subject: Re: [m0n0wall] Configuration / Limitation of m0n0wall


> On Sun, Jun 1, 2008 at 10:14 PM, Mark Rinaudo
> <mark at preferreddatasolutions dot com> wrote:
>> Well here goes my issue. I've searched through the mailing list archives 
>> but I haven't found anything quite like my setup.
>>
>> Here's a diagram of what I'm talking about
>>
>>
>>                Wan
>> m0n0wall
>>                Lan
>>                OPT4 (10.10.10.1 vlan*) 
>> <---------------------------------> Wan (10.10.10.2)
>> 
>> [Customer's Router/Firewall]
>> 
>> Lan ( *.*.*.*/27)
>>
>> I had a customer that wanted to run his own router/firewall for his own 
>> /27 of public IPs.
>> Now I only have a /24 so in order to route to him a /27 without using 
>> any more public IPs up, I set up an opt interface on the LAN interface 
>> with a private address and had the customer set up a corresponding address 
>> so that his router could talk to the interface on M0n0wall.  Well after 
>> getting everything set up incoming worked like a charm. I could access his 
>> router's public IP which fell on the Lan side of his router and I could 
>> access his /27 going through the m0n0wall and the customer's router. 
>> However outgoing access from one of the customer's servers sitting on the 
>> /27 would not work. I put a rule on the opt interface to allow everything 
>> through but for some reason m0n0wall was still blocking the traffic which 
>> was seen in the logs.  So I went to the status.php page
>> and took a look at the rules that were running and found something very 
>> interesting.  I guess at some point m0n0wall put an allow for all traffic 
>> for the 10.10.10.0/24 network since that was the subnet for that OPT 
>> interface and then it denied everything else.  Now I did see in the FAQ 
>> about disabling NAT which I did but this was a firewall issue because I 
>> could see that it was blocking it.  I'm thinking the problem stems from 
>> M0n0wall only expecting traffic from the subnet 10.10.10.0/24 and not 
>> from any other network and especially not from a public /27.
>
>
> Sounds like you're missing a static route on that interface. Static
> routes open the antispoofing rules. Add one and it will let that
> subnet through.
>
> -Chris
>
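The antispoofing behaviour Chris describes, modelled as an added example (this is not m0n0wall's own code): the per-interface rule set is built from the interface's own subnet plus the static routes bound to that interface, so a route bound to the wrong interface leaves the customer's /27 blocked on OPT4. The interface names, the function names and the customer's /27 (203.0.113.32/27, the post elides the real value) are constructed assumptions.

```python
import ipaddress

# Added example (not m0n0wall's own code): simplified model of how a
# per-interface antispoofing rule set is derived from the interface's own
# subnet plus the static routes that point out of that interface.

class Interface:
    def __init__(self, name, address_cidr):
        self.name = name
        self.network = ipaddress.ip_interface(address_cidr).network

class StaticRoute:
    def __init__(self, destination_cidr, gateway, interface_name):
        self.destination = ipaddress.ip_network(destination_cidr)
        self.gateway = ipaddress.ip_address(gateway)
        self.interface_name = interface_name

def allowed_sources(iface, routes):
    """Networks that may legitimately be a source on this interface: its own
    subnet, plus the destination of every static route bound to it."""
    nets = [iface.network]
    nets += [r.destination for r in routes if r.interface_name == iface.name]
    return nets

def antispoof_rules(iface, routes):
    """Render the derived rules in ipfilter-like syntax (illustrative only)."""
    rules = [f"pass in quick on {iface.name} from {n} to any"
             for n in allowed_sources(iface, routes)]
    rules.append(f"block in log quick on {iface.name} from any to any")
    return rules

def passes_antispoof(src_ip, iface, routes):
    """True if a packet with this source address survives the antispoof check."""
    src = ipaddress.ip_address(src_ip)
    return any(src in n for n in allowed_sources(iface, routes))

# Constructed topology from the thread: OPT4 carries the private transit
# subnet; the customer's public /27 (value constructed, the post elides it)
# sits behind his router at 10.10.10.2.
OPT4 = Interface("opt4", "10.10.10.1/24")
CUSTOMER_NET = "203.0.113.32/27"
ROUTE_ON_WAN = [StaticRoute(CUSTOMER_NET, "10.10.10.2", "wan")]   # the mistake
ROUTE_ON_OPT4 = [StaticRoute(CUSTOMER_NET, "10.10.10.2", "opt4")]  # the fix

if __name__ == "__main__":
    for label, routes in (("no route", []), ("route on wan", ROUTE_ON_WAN),
                          ("route on opt4", ROUTE_ON_OPT4)):
        ok = passes_antispoof("203.0.113.40", OPT4, routes)
        print(f"{label}: server 203.0.113.40 out via OPT4 -> {'pass' if ok else 'blocked'}")
```

Run it as a script and the three cases print blocked, blocked, pass, matching the status.php observation (pass for 10.10.10.0/24, deny everything else) and the fix Mark reported.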