[ previous ] [ next ] [ threads ]
 From:  David Burgess <apt dot get at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] NAT - port forwarding from the non-WAN subnet
 Date:  Sat, 6 Jun 2009 11:34:21 -0600
On Sat, Jun 6, 2009 at 8:07 AM, Lyle Giese<lyle at lcrcomputer dot net> wrote:
> David Burgess wrote:
>> On Fri, Jun 5, 2009 at 8:31 PM, Lyle Giese<lyle at lcrcomputer dot net> wrote:
>>> David Burgess wrote:
>>> On Thu, Jun 4, 2009 at 8:45 PM, Lyle Giese <lyle at lcrcomputer dot net> wrote:
>>> I have an unusual setup and trying to figure it out.  I have a working
>>> system on a full Linux system using IPTables.
>>> I am trying to make the config work on a Soekris NET4801.  I have most
>>> of it figured out, but hit one block.
>>> I have a small hosting operation here.  I have two T1's coming in with a
>>> Class C subnet assigned to it.  I have a private IP subnet for the
>>> office and home PC's with a DSL connection for their Internet
>>> bandwidth.  I did not want the office/home PC's to use any of the T1
>>> bandwidth, reserving that bandwidth for our paying customers.
>>> I built a machine using IPTables so that the private subnet uses the DSL
>>> for Internet via NAT.  While still having direct access to the public IP
>>> servers without going to the Internet.  I have a printer on the private
>>> subnet.  With IPTables, I was able to forward ports 515 and 9100 to the
>>> printer(HP LJ ip), so I could print config files from the hosting servers.
>>> On the Soekris NET4801, I have the DSL(sis0) and private subnet(sis1)
>>> setup along with access to the hosting subnet(sis2).  I have NAT working
>>> between the private subnet and the other two subnets.  But I can not
>>> seem to get forwarding of ports 515 and 9100 working from the hosting
>>> subnet(sis2 to sis1).
>>> It would appear that the Soekris does try to forward the packets hitting
>>> it's port 515 and 9100:
>>> Jun  4 19:57:18 <router ip> ipmon[89]: 19:57:18.086181 sis2 @300:1 p
>>> <hosting ip>,49916 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
>>> Jun  4 19:57:44 <router ip> ipmon[89]: 19:57:43.987645 sis2 @300:1 p
>>> <hosting ip>,50432 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
>>> Jun  4 20:02:17 <router ip> ipmon[89]: 20:02:17.377468 sis2 @300:1 p
>>> <hosting ip>,50514 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
>>> Jun  4 20:06:35 <router ip> ipmon[89]: 20:06:35.418212 sis2 @300:1 p
>>> <hosting ip>,44627 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
>>> Jun  4 20:09:21 <router ip> ipmon[89]: 20:09:20.795669 sis2 @300:1 p
>>> <hosting ip>,49848 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
>>> But I don't get any response back.  At this point I am not 100% certain
>>> where the issue is and how to correct it.  Nothing I have tried seems to
>>> work.  I have the DSL on SIS0, the private subnet on SIS1 and the
>>> hosting subnet on SIS2.  The hosting subnet does not use the DSL, I only
>>> want access to the printer on the private subnet.
>>> It almost seems that the port forwarding from sis2(hosting) to sis1(LAN)
>>> does not work.  It appears to work only from the WAN(sis0) port to the
>>> private subnet.
>>> Any suggestions?
>>> Normally you wouldn't use NAT between two LANs, so port-forwarding, or
>>> masquerading is moot. If your router is aware of the subnet on sis1
>>> and that on sis2, then packets should naturally flow between the two
>>> without translation, assuming you have allowed traffic sis1<>sis2 in
>>> iptables. Unless your sis2 machines are trying to reach sis1 machines
>>> via the WAN (sis0) adress, in which case it would probably be simpler
>>> to add entries in your host files for local machines so trans-LAN DNS
>>> queries are redirected to local addresses. Or use a DNS proxy that
>>> will reference host entries on your router and keep an entry for the
>>> LJ IP in there.
>>> db
>>> I wish it was that simple!  Right now, I can ping the printer from hosts on
>>> the public subnet, but can not telnet to it or send print jobs to either lpr
>>> or port 9100.
>>> Jun  5 21:13:52 <soekris> ipmon[89]: 21:13:52.212749 sis2 @0:13 b <Public
>>> Host>,1023 -> <HP LJ>,515 PR tcp len 20 64 -A IN
>>> Jun  5 21:13:57 <soekris> ipmon[89]: 21:13:56.910694 sis2 @0:13 b <Public
>>> Host>,1023 -> <HP LJ>,515 PR tcp len 20 61 -AP IN
>>> Jun  5 21:14:16 <soekris> ipmon[89]: 21:14:16.457471 sis2 @0:13 b <Public
>>> Host>,1023 -> <HP LJ>,515 PR tcp len 20 64 -A IN
>>> Jun  5 21:14:23 <soekris> ipmon[89]: 21:14:23.025435 sis2 @0:13 b <Public
>>> Host>,1023 -> <HP LJ>,515 PR tcp len 20 61 -AP IN
>> sis1 and sis2 aren't on the same subnet, are they?
>> Let's have a look at your routing table (go to exec.php and do
>> "netstat -r"). If you're using NAT then there shouldn't be any
>> security issue with posting actual IP addresses that aren't on WAN.
>> db
> Here's the numerical version. I guess if I am doing things right, there
> are no security issues<GRIN>!
>> $ netstat -rn
>> Routing tables
>> Internet:
>> Destination        Gateway            Flags    Refs      Use  Netif Expire
>> default         UGSc        1     3510    ng0
>>          UH          0        0    lo0
>> 192.168.250        link#2             UC         12        0   sis1
>>      00:e0:4c:03:55:3a  UHLW        0      296   sis1    561
>>      UH          1        0    ng0
>>      lo0                UHS         0        0    lo0
>> 209.172.152        link#3             UC          6        0   sis2
>>      00:08:e3:13:5c:00  UHLW        0       18   sis2   1176
>>    00:e0:81:25:ba:4f  UHLW        0        2   sis2   1087
> On the private net, I have an allow rule for all proto types from the
> public subnet and on the public subnet to allow all traffic from the
> private subnet.  I added a rule on the Cisco router connected to the
> T1's to forward 192.168.250 to the public ip address of the Soekris on sis2.
> Still I can ping and traceroute from the two subnets through the
> Soekris, but it would appear that tcp or udp packets don't make it
> through intact.  While I had this unit online with the DSL, I tried to
> ssh into the name server I have on the private net(port forwarded ssh
> from the WAN to the name server)  and from a BSD host, I got a bad
> packet error.  But I could use dig via  UDP to query the name server.
> And outbound traffic to the Internet looked normal and I was able to
> connect via a VPN to a remote office.

I'm not sure I get what you're doing. ng0 is connected to a DSL modem
with a public IP and sis2 is connected to T1 lines with another public
IP? m0n0wall doesn't do multiWAN, so if that's what you're attempting
then that would explain the problem. Linux, as you know, will do it,
and so will pfsense (a more fully-featured m0n0wall derivative).