[ previous ] [ next ] [ threads ]
 
 From:  Lyle Giese <lyle at lcrcomputer dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] NAT - port forwarding from the non-WAN subnet
 Date:  Sat, 06 Jun 2009 09:07:38 -0500
David Burgess wrote:
> On Fri, Jun 5, 2009 at 8:31 PM, Lyle Giese<lyle at lcrcomputer dot net> wrote:
>   
>> David Burgess wrote:
>>
>> On Thu, Jun 4, 2009 at 8:45 PM, Lyle Giese <lyle at lcrcomputer dot net> wrote:
>>
>>
>> I have an unusual setup and trying to figure it out.  I have a working
>> system on a full Linux system using IPTables.
>>
>> I am trying to make the config work on a Soekris NET4801.  I have most
>> of it figured out, but hit one block.
>>
>> I have a small hosting operation here.  I have two T1's coming in with a
>> Class C subnet assigned to it.  I have a private IP subnet for the
>> office and home PC's with a DSL connection for their Internet
>> bandwidth.  I did not want the office/home PC's to use any of the T1
>> bandwidth, reserving that bandwidth for our paying customers.
>>
>> I built a machine using IPTables so that the private subnet uses the DSL
>> for Internet via NAT.  While still having direct access to the public IP
>> servers without going to the Internet.  I have a printer on the private
>> subnet.  With IPTables, I was able to forward ports 515 and 9100 to the
>> printer(HP LJ ip), so I could print config files from the hosting servers.
>>
>> On the Soekris NET4801, I have the DSL(sis0) and private subnet(sis1)
>> setup along with access to the hosting subnet(sis2).  I have NAT working
>> between the private subnet and the other two subnets.  But I can not
>> seem to get forwarding of ports 515 and 9100 working from the hosting
>> subnet(sis2 to sis1).
>>
>> It would appear that the Soekris does try to forward the packets hitting
>> it's port 515 and 9100:
>>
>> Jun  4 19:57:18 <router ip> ipmon[89]: 19:57:18.086181 sis2 @300:1 p
>> <hosting ip>,49916 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
>> Jun  4 19:57:44 <router ip> ipmon[89]: 19:57:43.987645 sis2 @300:1 p
>> <hosting ip>,50432 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
>> Jun  4 20:02:17 <router ip> ipmon[89]: 20:02:17.377468 sis2 @300:1 p
>> <hosting ip>,50514 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
>> Jun  4 20:06:35 <router ip> ipmon[89]: 20:06:35.418212 sis2 @300:1 p
>> <hosting ip>,44627 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
>> Jun  4 20:09:21 <router ip> ipmon[89]: 20:09:20.795669 sis2 @300:1 p
>> <hosting ip>,49848 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
>>
>> But I don't get any response back.  At this point I am not 100% certain
>> where the issue is and how to correct it.  Nothing I have tried seems to
>> work.  I have the DSL on SIS0, the private subnet on SIS1 and the
>> hosting subnet on SIS2.  The hosting subnet does not use the DSL, I only
>> want access to the printer on the private subnet.
>>
>> It almost seems that the port forwarding from sis2(hosting) to sis1(LAN)
>> does not work.  It appears to work only from the WAN(sis0) port to the
>> private subnet.
>>
>> Any suggestions?
>>
>>
>> Normally you wouldn't use NAT between two LANs, so port-forwarding, or
>> masquerading is moot. If your router is aware of the subnet on sis1
>> and that on sis2, then packets should naturally flow between the two
>> without translation, assuming you have allowed traffic sis1<>sis2 in
>> iptables. Unless your sis2 machines are trying to reach sis1 machines
>> via the WAN (sis0) adress, in which case it would probably be simpler
>> to add entries in your host files for local machines so trans-LAN DNS
>> queries are redirected to local addresses. Or use a DNS proxy that
>> will reference host entries on your router and keep an entry for the
>> LJ IP in there.
>>
>> db
>>
>>
>>
>> I wish it was that simple!  Right now, I can ping the printer from hosts on
>> the public subnet, but can not telnet to it or send print jobs to either lpr
>> or port 9100.
>>
>> Jun  5 21:13:52 <soekris> ipmon[89]: 21:13:52.212749 sis2 @0:13 b <Public
>> Host>,1023 -> <HP LJ>,515 PR tcp len 20 64 -A IN
>> Jun  5 21:13:57 <soekris> ipmon[89]: 21:13:56.910694 sis2 @0:13 b <Public
>> Host>,1023 -> <HP LJ>,515 PR tcp len 20 61 -AP IN
>> Jun  5 21:14:16 <soekris> ipmon[89]: 21:14:16.457471 sis2 @0:13 b <Public
>> Host>,1023 -> <HP LJ>,515 PR tcp len 20 64 -A IN
>> Jun  5 21:14:23 <soekris> ipmon[89]: 21:14:23.025435 sis2 @0:13 b <Public
>> Host>,1023 -> <HP LJ>,515 PR tcp len 20 61 -AP IN
>>     
>
> sis1 and sis2 aren't on the same subnet, are they?
>
> Let's have a look at your routing table (go to exec.php and do
> "netstat -r"). If you're using NAT then there shouldn't be any
> security issue with posting actual IP addresses that aren't on WAN.
>
> db
>   
Here's the numerical version. I guess if I am doing things right, there
are no security issues<GRIN>!
> $ netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default            209.112.68.1       UGSc        1     3510    ng0
> 127.0.0.1          127.0.0.1          UH          0        0    lo0
> 192.168.250        link#2             UC         12        0   sis1
> 192.168.250.4      00:e0:4c:03:55:3a  UHLW        0      296   sis1    561
> 209.112.68.1       209.112.71.50      UH          1        0    ng0
> 209.112.71.50      lo0                UHS         0        0    lo0
> 209.172.152        link#3             UC          6        0   sis2
> 209.172.152.1      00:08:e3:13:5c:00  UHLW        0       18   sis2   1176
> 209.172.152.239    00:e0:81:25:ba:4f  UHLW        0        2   sis2   1087
>
>   
On the private net, I have an allow rule for all proto types from the
public subnet and on the public subnet to allow all traffic from the
private subnet.  I added a rule on the Cisco router connected to the
T1's to forward 192.168.250 to the public ip address of the Soekris on sis2.

Still I can ping and traceroute from the two subnets through the
Soekris, but it would appear that tcp or udp packets don't make it
through intact.  While I had this unit online with the DSL, I tried to
ssh into the name server I have on the private net(port forwarded ssh
from the WAN to the name server)  and from a BSD host, I got a bad
packet error.  But I could use dig via  UDP to query the name server. 
And outbound traffic to the Internet looked normal and I was able to
connect via a VPN to a remote office.

Lyle