 From:  David Burgess <apt dot get at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] NAT - port forwarding from the non-WAN subnet
 Date:  Fri, 5 Jun 2009 20:48:05 -0600
On Fri, Jun 5, 2009 at 8:31 PM, Lyle Giese<lyle at lcrcomputer dot net> wrote:
> David Burgess wrote:
> On Thu, Jun 4, 2009 at 8:45 PM, Lyle Giese <lyle at lcrcomputer dot net> wrote:
> I have an unusual setup and trying to figure it out.  I have a working
> system on a full Linux system using IPTables.
> I am trying to make the config work on a Soekris NET4801.  I have most
> of it figured out, but hit one block.
> I have a small hosting operation here.  I have two T1's coming in with a
> Class C subnet assigned to it.  I have a private IP subnet for the
> office and home PC's with a DSL connection for their Internet
> bandwidth.  I did not want the office/home PC's to use any of the T1
> bandwidth, reserving that bandwidth for our paying customers.
> I built a machine using IPTables so that the private subnet uses the DSL
> for Internet via NAT.  While still having direct access to the public IP
> servers without going to the Internet.  I have a printer on the private
> subnet.  With IPTables, I was able to forward ports 515 and 9100 to the
> printer(HP LJ ip), so I could print config files from the hosting servers.
> On the Soekris NET4801, I have the DSL(sis0) and private subnet(sis1)
> setup along with access to the hosting subnet(sis2).  I have NAT working
> between the private subnet and the other two subnets.  But I can not
> seem to get forwarding of ports 515 and 9100 working from the hosting
> subnet(sis2 to sis1).
> It would appear that the Soekris does try to forward the packets hitting
> its port 515 and 9100:
> Jun  4 19:57:18 <router ip> ipmon[89]: 19:57:18.086181 sis2 @300:1 p <hosting ip>,49916 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
> Jun  4 19:57:44 <router ip> ipmon[89]: 19:57:43.987645 sis2 @300:1 p <hosting ip>,50432 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
> Jun  4 20:02:17 <router ip> ipmon[89]: 20:02:17.377468 sis2 @300:1 p <hosting ip>,50514 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
> Jun  4 20:06:35 <router ip> ipmon[89]: 20:06:35.418212 sis2 @300:1 p <hosting ip>,44627 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
> Jun  4 20:09:21 <router ip> ipmon[89]: 20:09:20.795669 sis2 @300:1 p <hosting ip>,49848 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
> But I don't get any response back.  At this point I am not 100% certain
> where the issue is and how to correct it.  Nothing I have tried seems to
> work.  I have the DSL on SIS0, the private subnet on SIS1 and the
> hosting subnet on SIS2.  The hosting subnet does not use the DSL, I only
> want access to the printer on the private subnet.
> It almost seems that the port forwarding from sis2(hosting) to sis1(LAN)
> does not work.  It appears to work only from the WAN(sis0) port to the
> private subnet.
> Any suggestions?
> Normally you wouldn't use NAT between two LANs, so port-forwarding or
> masquerading is moot. If your router is aware of the subnet on sis1
> and that on sis2, then packets should naturally flow between the two
> without translation, assuming you have allowed traffic sis1<>sis2 in
> iptables. Unless your sis2 machines are trying to reach sis1 machines
> via the WAN (sis0) address, in which case it would probably be simpler
> to add entries in your host files for local machines so trans-LAN DNS
> queries are redirected to local addresses. Or use a DNS proxy that
> will reference host entries on your router and keep an entry for the
> LJ IP in there.
> db
> I wish it was that simple!  Right now, I can ping the printer from hosts on
> the public subnet, but cannot telnet to it or send print jobs to either lpr
> or port 9100.
> Jun  5 21:13:52 <soekris> ipmon[89]: 21:13:52.212749 sis2 @0:13 b <Public Host>,1023 -> <HP LJ>,515 PR tcp len 20 64 -A IN
> Jun  5 21:13:57 <soekris> ipmon[89]: 21:13:56.910694 sis2 @0:13 b <Public Host>,1023 -> <HP LJ>,515 PR tcp len 20 61 -AP IN
> Jun  5 21:14:16 <soekris> ipmon[89]: 21:14:16.457471 sis2 @0:13 b <Public Host>,1023 -> <HP LJ>,515 PR tcp len 20 64 -A IN
> Jun  5 21:14:23 <soekris> ipmon[89]: 21:14:23.025435 sis2 @0:13 b <Public Host>,1023 -> <HP LJ>,515 PR tcp len 20 61 -AP IN

sis1 and sis2 aren't on the same subnet, are they?

Let's have a look at your routing table (go to exec.php and do
"netstat -r"). If you're using NAT then there shouldn't be any
security issue with posting actual IP addresses that aren't on WAN.
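An added example, not part of the thread and not m0n0wall or ipfilter code: a small Python parser for the ipmon(8) lines quoted above. It pulls out the rule that matched (@group:rule), whether the packet was passed or blocked, the TCP flags and whether a keep-state rule fired, and it singles out the pattern in the second set of lines, where packets carrying ACK but no SYN are logged as blocked at @0:13. A mid-stream packet only reaches a block rule when no state entry matched the connection, which is the thing to check before looking at routing. The log lines are constructed to match the thread's format, with RFC 5737 / RFC 1918 addresses standing in for the <hosting ip>/<Public Host>, <HP LJ ip> and <soekris> placeholders; the rule numbers and interface names are the ones from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the ipmon(8) lines quoted in the thread.
# 192.168.1.1 = the Soekris, 198.51.100.10 = a hosting host on sis2,
# 192.168.1.50 = the printer on sis1 (all documentation/private addresses).
SAMPLE_LOG = """\
Jun  4 19:57:18 192.168.1.1 ipmon[89]: 19:57:18.086181 sis2 @300:1 p 198.51.100.10,49916 -> 192.168.1.50,515 PR tcp len 20 60 -S K-S IN
Jun  5 21:13:52 192.168.1.1 ipmon[89]: 21:13:52.212749 sis2 @0:13 b 198.51.100.10,1023 -> 192.168.1.50,515 PR tcp len 20 64 -A IN
Jun  5 21:13:57 192.168.1.1 ipmon[89]: 21:13:56.910694 sis2 @0:13 b 198.51.100.10,1023 -> 192.168.1.50,515 PR tcp len 20 61 -AP IN
"""

# Single-letter action codes ipmon prints after the @group:rule reference.
ACTIONS = {"p": "pass", "b": "block", "S": "short", "n": "nomatch", "L": "log"}

IPMON_RE = re.compile(
    r"ipmon\[\d+\]:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[pbSnL])\s+"
    r"(?P<src>[0-9.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[0-9.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+-(?P<flags>[SAFRPUEC]+))?"   # TCP flags: -S, -A, -AP, ...
    r"(?P<keep>\s+K-S)?"                 # K-S: the matching rule kept state
    r"\s+(?P<direction>IN|OUT)"
)


@dataclass
class Entry:
    ts: str
    iface: str
    group: int
    rule: int
    action: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str          # TCP flag letters without the leading "-", "" if none
    keep_state: bool    # True when the matching rule carried "keep state"
    direction: str      # IN or OUT


def parse_line(line: str) -> Optional[Entry]:
    """Parse one ipmon line; return None for lines in another format."""
    m = IPMON_RE.search(line)
    if m is None:
        return None
    return Entry(
        ts=m["ts"], iface=m["iface"],
        group=int(m["group"]), rule=int(m["rule"]),
        action=ACTIONS[m["action"]],
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        proto=m["proto"].lower(),
        flags=m["flags"] or "",
        keep_state=m["keep"] is not None,
        direction=m["direction"],
    )


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def is_mid_stream_block(e: Entry) -> bool:
    """Blocked TCP packet with ACK set and SYN clear.

    Such a packet belongs to a connection that was already opened.  If a
    keep-state rule had created a state entry for the SYN, the packet would
    have been passed from the state table and never logged against a block
    rule, so this is the signature of a missing state entry.
    """
    return (e.action == "block" and e.proto == "tcp"
            and "A" in e.flags and "S" not in e.flags)


def mid_stream_blocks(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if is_mid_stream_block(e)]


def describe(e: Entry) -> str:
    state = " keep-state" if e.keep_state else ""
    return (f"{e.ts} {e.iface} @{e.group}:{e.rule} {e.action} {e.proto} "
            f"{e.src}:{e.sport} -> {e.dst}:{e.dport} flags={e.flags or '-'}"
            f"{state} {e.direction}")


def diagnose(text: str) -> List[str]:
    """One line per log entry, plus a note under each mid-stream block."""
    report: List[str] = []
    for e in parse_log(text):
        report.append(describe(e))
        if is_mid_stream_block(e):
            report.append(f"  ^ @{e.group}:{e.rule} blocked a mid-stream packet "
                          f"(flags {e.flags}): no state entry matched this connection")
    return report


if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_LOG)))
```

Run it on lines copied out of the firewall log viewer. In the thread's first batch every line is a SYN passed by a keep-state rule in group 300; in the second batch every line is an ACK or PSH/ACK blocked at @0:13, so the interesting question is why the SYN's state entry is not matching the follow-up packets (or why no SYN was seen at all), which is what the routing-table check David asks for will help answer.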