 
 From:  "Marcel Wiget" <mwiget at gmail dot com>
 To:  "Yannick Bréhon" <y dot brehon at qiplay dot com>
 Cc:  cbuechler at gmail dot com, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Firewall not respecting rules ?!?
 Date:  Wed, 23 Jul 2008 20:51:31 +0200
Tested it with 1.3b13 with the following setup:

m0n0wall with:
- WAN Interface IP 192.168.3.90/24 (with default gw 192.168.3.2
towards Internet)
- LAN Interface IP 192.168.233.1/24

One PC on the WAN side with 192.168.3.19/24, default gateway 192.168.3.2
plus static route towards LAN 192.168.233.1/24 via 192.168.233.90 (!!!
= WAN m0n0wall)

One PC on the LAN side with IP 192.168.3.199/24, default gw
192.168.233.1 (= LAN m0n0wall)

Then enabled Advanced Outbound NAT and added a single rule:
Interface WAN, Source=192.168.233.0/24, Destination= !192.168.3.0/24

Result:
Full Internet connectivity thru double NAT for the PC on the LAN side
and I can ping and ssh from 192.168.3.19 to 192.168.233.199

I guess all you are missing is a static route entry on your box.
Obviously, if your upstream ADSL router would support ICMP redirects
and knew about how to reach your LAN segment thru m0n0wall, you could add a
static route entry in there.

Marcel
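Added illustration, not part of Marcel's message: a small Python model of the two mechanics the thread turns on, the negated-destination outbound NAT rule and the return-path routing decision on the WAN-side PC. The addresses are the ones from the setup above; the rule-matching and routing-table code is a simplified model of my own and not m0n0wall's implementation.

```python
from ipaddress import ip_address, ip_network

# Constructed from the setup in the thread: m0n0wall WAN 192.168.3.90, ADSL gateway 192.168.3.2.
WAN_M0N0 = ip_address("192.168.3.90")
ADSL_GW = ip_address("192.168.3.2")

# The single Advanced Outbound NAT rule: Interface WAN, Source 192.168.233.0/24,
# Destination !192.168.3.0/24 (negated). Only traffic leaving for the Internet is translated.
NAT_RULES = [
    {"iface": "WAN", "src": ip_network("192.168.233.0/24"),
     "dst": ip_network("192.168.3.0/24"), "dst_negate": True},
]

def outbound_nat_applies(iface, src, dst, rules=NAT_RULES):
    """True if a packet leaving `iface` from `src` to `dst` is translated by the first matching rule."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        if r["iface"] != iface or src not in r["src"]:
            continue
        in_dst = dst in r["dst"]
        if in_dst != r["dst_negate"]:   # match when (dst in set) XOR (destination negated)
            return True
    return False

def next_hop(routes, dst):
    """Longest-prefix match over a host's routing table; routes is a list of (network, gateway).
    A gateway of None means the network is directly connected."""
    dst = ip_address(dst)
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Routing table of the PC on the WAN side (192.168.3.19) before and after adding the static route.
WAN_PC_NO_ROUTE = [(ip_network("0.0.0.0/0"), ADSL_GW), (ip_network("192.168.3.0/24"), None)]
WAN_PC_WITH_ROUTE = WAN_PC_NO_ROUTE + [(ip_network("192.168.233.0/24"), WAN_M0N0)]

def reply_reaches_m0n0wall(routes, lan_host="192.168.233.199"):
    """Does the WAN-side PC hand its reply for the (un-NAT'd) LAN host to m0n0wall's WAN IP?
    Without the static route the reply goes to the ADSL router, which has no route back,
    so the firewall state exists but the return packets never arrive."""
    return next_hop(routes, lan_host) == WAN_M0N0

if __name__ == "__main__":
    print("LAN -> Internet NAT'd:", outbound_nat_applies("WAN", "192.168.233.199", "203.0.113.10"))
    print("LAN -> WAN segment NAT'd:", outbound_nat_applies("WAN", "192.168.233.199", "192.168.3.19"))
    print("reply without static route:", reply_reaches_m0n0wall(WAN_PC_NO_ROUTE))
    print("reply with static route:", reply_reaches_m0n0wall(WAN_PC_WITH_ROUTE))
```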
> Hi again and thanks to sai, Marcel Wiget and Chris Buechler for the
> suggestions... Sadly I am still stuck!
>
> I tried using the following rule:
> Interface       Source          Destination     Target
> WAN     192.168.128.0/17        ! 192.168.2.0/24        *
>
> this enables Internet, but not the WAN/LAN communication
>
> I also tried this rule instead:
> WAN     192.168.0.0/16  ! 192.168.0.0/16        *
> and also:
> WAN     192.168.0.0/16  *       *
> without any more success :( The response packets are still being filtered!!!
> I am using 1.3b13 by the way, but 1.3b04 was having the same symptoms...
>
> Yannick
>

>> well, the trick is to create the NAT rules in a way that they catch
>> all traffic except the ones from your box to your LAN network
>> 192.168.128.0/17.
>> If box is the only host in question here, add a NAT rule that matches
>> your LAN as the source and _not_ your box's IP address.
>>
>> Marcel
>>

>>> Well, as soon as I activate NAT service as you suggested, connectivity
>>> disappears. I tried activating NAT for destination "!192.168.0.0/16" but
>>> then my Internet disappears... This is *really* weird :(
>>> I seem to have to choose: Internet or local connectivity ...
>>>

>>>> to get NAT service, you need to add now static outbound NAT rules on
>>>> the WAN interface so that traffic with source address from your LAN is
>>>> properly NAT'd while traffic from your box to the LAN isn't.
>>>>
>>>> I use a setup with 3 interfaces: WAN, DMZ and LAN and have it set up
>>>> so that LAN traffic gets NAT'd thru WAN but not between LAN <-> DMZ.
>>>> In this case my static Outbound NAT rule is
>>>>
>>>> interface: WAN
>>>> Source: 192.168.1.0/24 (my LAN subnet)
>>>> Destination: *
>>>> Target: *
>>>>
>>>> hope this helps
>>>>

>>>>> OK, we are starting to get some motion...
>>>>> I did what you suggested, and as far as allowing cross communication
>>>>> between LAN and WLAN, it worked! But of course now the problem is that I
>>>>> can't get on the Internet any more from behind the m0n0... (the entire
>>>>> problem comes from my DSL modem which is not a full-fledged router and
>>>>> cannot be given static routes, thus the need for m0n0 NATting when going
>>>>> outbound).
>>>>> Any further suggestions so as to get the same outcome *without* turning
>>>>> off NAT? In particular, I don't understand why incoming connections are
>>>>> let through, create a firewall state, but return packets are filtered
>>>>> (despite "all-pass" rules) ?!
>>>>>


>>>>>>
>>>>>>> OK here it is! Thanks to everyone who might help with this issue!
>>>>>> Since it seems that you don't want NAT between LAN and WAN, you need to
>>>>>> check the "Enable advanced outbound NAT" option and not define any
>>>>>> outbound NAT rules (and remove the existing inbound NAT rules as well).
>>>>>> That will effectively cause m0n0wall to become a plain (firewalling)
>>>>>> router, with no NAT at all.
>>>>>>
>>>>>> - Manuel
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch