 
 From:  Yannick Bréhon <y dot brehon at qiplay dot com>
 To:  Marcel Wiget <mwiget at gmail dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Firewall not respecting rules ?!?
 Date:  Thu, 24 Jul 2008 18:29:28 +0200
Amazing, I really don't understand... I have that static route setup of
course (since WAN->LAN packets arrive), and yet m0n0 filters the return.
I'll try an entirely different setup, for now, I will have to do without
WAN->LAN direct connectivity and do with some sort of inbound NAT.

Thanks again to everyone for all your help, I have appreciated the
number of responses on the list, even though it didn't work out.

Yannick


> Tested it with 1.3b13 with the following setup:
> 
> m0n0wall with:
> - WAN Interface IP 192.168.3.90/24 (with default gw 192.168.3.2
> towards Internet)
> - LAN Interface IP 192.168.233.1/24
> 
> One PC on the WAN side with 192.168.3.19/24, default gateway 192.168.3.2
> plus static route towards LAN 192.168.233.1/24 via 192.168.233.90 (!!!
> = WAN m0n0wall)
> 
> One PC on the LAN side with IP 192.168.3.199/24, default gw
> 192.168.233.1 (= LAN m0n0wall)
> 
> Then Enabled Advanced Outbound NAT and added a single rule:
> Interface WAN, Source=192.168.233.0/24, Destination= !192.168.3.0/24
> 
> Result:
> Full Internet connectivity thru double NAT for the PC on the LAN side
> and I can ping and ssh from 192.168.3.19 to 192.168.233.199
> 
> I guess all you are missing is a static route entry on your box.
> Obviously if your upstream adsl router would support icmp redirects
> and knew about how to reach your LAN segment thru m0n0wall, you could add a
> static route entry in there.
> 
> Marcel
> 
> 
> 
> 
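The rule Marcel tested above, with a negated Destination, is the whole point of the setup: LAN traffic headed for the Internet is translated on WAN, while LAN traffic headed for the WAN-side subnet is routed untranslated. The following is an added example (not code from the thread or from m0n0wall itself): a small Python model of Advanced Outbound NAT rule matching that evaluates Marcel's rule and the earlier "Destination: *" rule against two constructed flows. It assumes first-match semantics on an interface and that a flow matching no rule is routed without translation; the Internet host address is constructed.

```python
# Added example, not from the thread or from m0n0wall: models outbound NAT
# rule matching with "*" (any) and "!" (anything except) fields.
# Assumption: rules on an interface are evaluated first-match, and a flow
# that matches no rule is routed without translation.
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class NatRule:
    interface: str
    source: str        # CIDR, "*" (any) or "!CIDR" (anything except)
    destination: str   # same syntax
    target: str = "*"  # "*" = translate to the interface address


def _spec_matches(spec: str, addr: IPv4Address) -> bool:
    """Match one Source/Destination field, honouring "*" and "!" negation."""
    spec = spec.strip()
    if spec == "*":
        return True
    negate = spec.startswith("!")
    net = ip_network(spec.lstrip("! ").strip(), strict=False)
    # XOR with the negation flag: "!net" matches exactly when addr is outside net
    return (addr in net) != negate


def nat_decision(rules: Sequence[NatRule], interface: str,
                 src: str, dst: str) -> Optional[NatRule]:
    """First rule on `interface` matching the flow, or None (no NAT applied)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if (rule.interface == interface and _spec_matches(rule.source, s)
                and _spec_matches(rule.destination, d)):
            return rule
    return None


# Addresses from Marcel's test setup, plus a constructed Internet host.
LAN_PC = "192.168.233.199"
WAN_SIDE_PC = "192.168.3.19"
INTERNET_HOST = "203.0.113.10"   # constructed (TEST-NET-3), stands in for any Internet host

# Marcel's single rule: NAT LAN traffic unless it is headed for the WAN-side subnet.
MARCEL_RULES = [NatRule("WAN", "192.168.233.0/24", "!192.168.3.0/24")]
# The earlier "Destination: *" style rule, which translates everything from the LAN.
CATCH_ALL_RULES = [NatRule("WAN", "192.168.233.0/24", "*")]


def translated_flows(rules: Sequence[NatRule]) -> Dict[Tuple[str, str], bool]:
    """For each constructed LAN-originated flow, True if it would be NATed on WAN."""
    flows = [(LAN_PC, INTERNET_HOST), (LAN_PC, WAN_SIDE_PC)]
    return {f: nat_decision(rules, "WAN", *f) is not None for f in flows}


if __name__ == "__main__":
    for name, rules in (("Marcel's rule", MARCEL_RULES), ("Destination *", CATCH_ALL_RULES)):
        print(name)
        for (src, dst), nat in translated_flows(rules).items():
            print(f"  {src} -> {dst}: {'NAT' if nat else 'routed untranslated'}")
```

Under the catch-all rule the LAN-to-WAN-side-PC flow is translated to the m0n0wall WAN address, so the WAN-side PC never sees the 192.168.233.0/24 source and the "local connectivity disappears" symptom follows; under Marcel's rule that flow leaves untranslated, which is exactly why the WAN-side PC then needs the static route back to the LAN subnet via the m0n0wall WAN address that Marcel describes.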

>> Hi again and thanks to sai, Marcel Wiget and Chris Buechler for the
>> suggestions... Sadly I am still stuck!
>>
>> I tried using the following rule:
>> Interface   Source              Destination        Target
>> WAN         192.168.128.0/17    ! 192.168.2.0/24   *
>>
>> this enables Internet, but not the WAN/LAN communication
>>
>> I also tried this rule instead:
>> WAN         192.168.0.0/16      ! 192.168.0.0/16   *
>> and also:
>> WAN         192.168.0.0/16      *                  *
>> without any more success :( The response packets are still being filtered!!!
>> I am using 1.3b13 by the way, but 1.3b04 was having the same symptoms...
>>
>> Yannick
>>

>>> well, the trick is to create the NAT rules in a way that they catch
>>> all traffic except the ones from your box to your LAN network
>>> 192.168.128.0/17.
>>> If box is the only host in question here, add a NAT rule that matches
>>> your LAN as the source and _not_ your box's IP address.
>>>
>>> Marcel
>>>

>>>> Well, as soon as I activate NAT service as you suggested, connectivity
>>>> disappears. I tried activating NAT for destination "!192.168.0.0/16" but
>>>> then my Internet disappears... This is *really* weird :(
>>>> I seem to have to choose: Internet or local connectivity ...
>>>>

>>>>> to get NAT service, you need to add now static outbound NAT rules on
>>>>> the WAN interface so that traffic with source address from your LAN is
>>>>> properly NAT'd while traffic from your box to the LAN isn't.
>>>>>
>>>>> I use a setup with 3 interfaces: WAN, DMZ and LAN and have it set up
>>>>> so that LAN traffic gets NAT'd thru WAN but not between LAN <-> DMZ.
>>>>> In this case my static Outbound NAT rule is
>>>>>
>>>>> interface: WAN
>>>>> Source: 192.168.1.0/24 (my LAN subnet)
>>>>> Destination: *
>>>>> Target: *
>>>>>
>>>>> hope this helps
>>>>>

>>>>>> OK, we are starting to get some motion...
>>>>>> I did what you suggested, and as far as allowing cross communication
>>>>>> between LAN and WLAN, it worked! But of course now the problem is that I
>>>>>> can't get on the Internet any more from behind the m0n0... (the entire
>>>>>> problem comes from my DSL modem which is not a full-fledged router and
>>>>>> cannot be given static routes, thus the need for m0n0 NATting when going
>>>>>> outbound).
>>>>>> Any further suggestions so as to get the same outcome *without* turning
>>>>>> off NAT? In particular, I don't understand why incoming connections are
>>>>>> let through, create a firewall state, but return packets are filtered
>>>>>> (despite "all-pass" rules) ?!
>>>>>>


>>>>>>>
>>>>>>>> OK here it is! Thanks to everyone who might help with this issue!
>>>>>>> Since it seems that you don't want NAT between LAN and WAN, you need to
>>>>>>> check the "Enable advanced outbound NAT" option and not define any
>>>>>>> outbound NAT rules (and remove the existing inbound NAT rules as well).
>>>>>>> That will effectively cause m0n0wall to become a plain (firewalling)
>>>>>>> router, with no NAT at all.
>>>>>>>
>>>>>>> - Manuel
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>>>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>>>>>>
>>>>>>>
>>>>>>>