David Burgess wrote:
> On Sat, Jun 6, 2009 at 8:07 AM, Lyle Giese <lyle at lcrcomputer dot net> wrote:
>
>> David Burgess wrote:
>>
>>> On Fri, Jun 5, 2009 at 8:31 PM, Lyle Giese <lyle at lcrcomputer dot net> wrote:
>>>
>>>> David Burgess wrote:
>>>>
>>>> On Thu, Jun 4, 2009 at 8:45 PM, Lyle Giese <lyle at lcrcomputer dot net> wrote:
>>>>
>>>> I have an unusual setup and am trying to figure it out. I have a working
>>>> system on a full Linux system using IPTables.
>>>>
>>>> I am trying to make the config work on a Soekris NET4801. I have most
>>>> of it figured out, but hit one block.
>>>>
>>>> I have a small hosting operation here. I have two T1s coming in with a
>>>> Class C subnet assigned to it. I have a private IP subnet for the
>>>> office and home PCs with a DSL connection for their Internet
>>>> bandwidth. I did not want the office/home PCs to use any of the T1
>>>> bandwidth, reserving that bandwidth for our paying customers.
>>>>
>>>> I built a machine using IPTables so that the private subnet uses the DSL
>>>> for Internet via NAT, while still having direct access to the public IP
>>>> servers without going to the Internet. I have a printer on the private
>>>> subnet. With IPTables, I was able to forward ports 515 and 9100 to the
>>>> printer (HP LJ ip), so I could print config files from the hosting servers.
>>>>
>>>> On the Soekris NET4801, I have the DSL (sis0) and private subnet (sis1)
>>>> set up along with access to the hosting subnet (sis2). I have NAT working
>>>> between the private subnet and the other two subnets. But I cannot
>>>> seem to get forwarding of ports 515 and 9100 working from the hosting
>>>> subnet (sis2 to sis1).
>>>>
>>>> It would appear that the Soekris does try to forward the packets hitting
>>>> its ports 515 and 9100:
>>>>
>>>> Jun 4 19:57:18 <router ip> ipmon[89]: 19:57:18.086181 sis2 @300:1 p <hosting ip>,49916 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
>>>> Jun 4 19:57:44 <router ip> ipmon[89]: 19:57:43.987645 sis2 @300:1 p <hosting ip>,50432 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
>>>> Jun 4 20:02:17 <router ip> ipmon[89]: 20:02:17.377468 sis2 @300:1 p <hosting ip>,50514 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
>>>> Jun 4 20:06:35 <router ip> ipmon[89]: 20:06:35.418212 sis2 @300:1 p <hosting ip>,44627 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
>>>> Jun 4 20:09:21 <router ip> ipmon[89]: 20:09:20.795669 sis2 @300:1 p <hosting ip>,49848 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
>>>>
>>>> But I don't get any response back. At this point I am not 100% certain
>>>> where the issue is and how to correct it. Nothing I have tried seems to
>>>> work. I have the DSL on SIS0, the private subnet on SIS1 and the
>>>> hosting subnet on SIS2. The hosting subnet does not use the DSL; I only
>>>> want access to the printer on the private subnet.
>>>>
>>>> It almost seems that the port forwarding from sis2 (hosting) to sis1 (LAN)
>>>> does not work. It appears to work only from the WAN (sis0) port to the
>>>> private subnet.
>>>>
>>>> Any suggestions?
>>>>
>>>>
>>>> Normally you wouldn't use NAT between two LANs, so port-forwarding, or
>>>> masquerading, is moot. If your router is aware of the subnet on sis1
>>>> and that on sis2, then packets should naturally flow between the two
>>>> without translation, assuming you have allowed traffic sis1<>sis2 in
>>>> iptables. Unless your sis2 machines are trying to reach sis1 machines
>>>> via the WAN (sis0) address, in which case it would probably be simpler
>>>> to add entries in your hosts files for local machines so trans-LAN DNS
>>>> queries are redirected to local addresses. Or use a DNS proxy that
>>>> will reference host entries on your router and keep an entry for the
>>>> LJ IP in there.
>>>>
>>>> db
>>>>
>>>>
>>>> I wish it were that simple! Right now, I can ping the printer from hosts on
>>>> the public subnet, but cannot telnet to it or send print jobs to either lpr
>>>> or port 9100.
>>>>
>>>> Jun 5 21:13:52 <soekris> ipmon[89]: 21:13:52.212749 sis2 @0:13 b <Public Host>,1023 -> <HP LJ>,515 PR tcp len 20 64 -A IN
>>>> Jun 5 21:13:57 <soekris> ipmon[89]: 21:13:56.910694 sis2 @0:13 b <Public Host>,1023 -> <HP LJ>,515 PR tcp len 20 61 -AP IN
>>>> Jun 5 21:14:16 <soekris> ipmon[89]: 21:14:16.457471 sis2 @0:13 b <Public Host>,1023 -> <HP LJ>,515 PR tcp len 20 64 -A IN
>>>> Jun 5 21:14:23 <soekris> ipmon[89]: 21:14:23.025435 sis2 @0:13 b <Public Host>,1023 -> <HP LJ>,515 PR tcp len 20 61 -AP IN
>>>>
>>>
>>> sis1 and sis2 aren't on the same subnet, are they?
>>>
>>> Let's have a look at your routing table (go to exec.php and do
>>> "netstat -r"). If you're using NAT then there shouldn't be any
>>> security issue with posting actual IP addresses that aren't on WAN.
>>>
>>> db
>>>
>>
>> Here's the numerical version. I guess if I am doing things right, there
>> are no security issues <GRIN>!
>>
>>> $ netstat -rn
>>> Routing tables
>>>
>>> Internet:
>>> Destination        Gateway            Flags  Refs   Use  Netif  Expire
>>> default            209.112.68.1       UGSc      1  3510  ng0
>>> 127.0.0.1          127.0.0.1          UH        0     0  lo0
>>> 192.168.250        link#2             UC       12     0  sis1
>>> 192.168.250.4      00:e0:4c:03:55:3a  UHLW      0   296  sis1      561
>>> 209.112.68.1       209.112.71.50      UH        1     0  ng0
>>> 209.112.71.50      lo0                UHS       0     0  lo0
>>> 209.172.152        link#3             UC        6     0  sis2
>>> 209.172.152.1      00:08:e3:13:5c:00  UHLW      0    18  sis2     1176
>>> 209.172.152.239    00:e0:81:25:ba:4f  UHLW      0     2  sis2     1087
>>>
>>
>> On the private net, I have an allow rule for all proto types from the
>> public subnet and on the public subnet to allow all traffic from the
>> private subnet. I added a rule on the Cisco router connected to the
>> T1s to forward 192.168.250 to the public IP address of the Soekris on sis2.
>>
>> Still I can ping and traceroute from the two subnets through the
>> Soekris, but it would appear that tcp or udp packets don't make it
>> through intact. While I had this unit online with the DSL, I tried to
>> ssh into the name server I have on the private net (port forwarded ssh
>> from the WAN to the name server) and from a BSD host, I got a bad
>> packet error. But I could use dig via UDP to query the name server.
>> And outbound traffic to the Internet looked normal and I was able to
>> connect via a VPN to a remote office.
>>
>
> I'm not sure I get what you're doing. ng0 is connected to a DSL modem
> with a public IP and sis2 is connected to T1 lines with another public
> IP? m0n0wall doesn't do multiWAN, so if that's what you're attempting
> then that would explain the problem. Linux, as you know, will do it,
> and so will pfsense (a more fully-featured m0n0wall derivative).
>
> db
>

That may explain things, but no, I am not wanting multiWAN. I just want
the private subnet on sis1 to have direct access to the public IP'd servers
on sis2 without going out over the Internet. The Soekris units I have only
have 64Mb of CF memory; I think pfsense wants 128Mb.

I have to do more testing, but the biggest issue is access to the printer
on the private subnet for the servers on the public subnet.

Lyle
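As an added example, not part of the thread or of m0n0wall itself: a small Python parser for ipmon log lines in the shape of the two excerpts quoted above, with one helper that tallies entries per interface, rule, action and TCP flags, and another that lists TCP packets a rule blocked although they carry ACK and not SYN. The log layout is taken from the quoted entries; the host name, addresses, ports and sample lines are constructed for this example, and the function and field names are mine. ipfilter consults its state table before the rule list, so a mid-connection packet logged as blocked by a rule is one that reached the rules without a matching state entry; the second helper makes exactly those entries visible.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Line layout assumed from the ipmon entries quoted in the thread:
#   <syslog date> <host> ipmon[<pid>]: <time> <iface> @<group>:<rule> <action>
#   <src>,<sport> -> <dst>,<dport> PR <proto> len <hdrlen> <totlen> -<tcpflags> [K-S] IN|OUT
# Entries without ports (ICMP, for instance) do not match and come back as None.
IPMON_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) ipmon\[\d+\]: "
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[pbnLS]) (?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<tlen>\d+)(?P<rest>.*)$"
)


@dataclass(frozen=True)
class IpmonEvent:
    iface: str
    rule: str         # "group:rule" as ipmon prints it, e.g. "300:1" or "0:13"
    action: str       # "p" = passed by the rule, "b" = blocked by the rule
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str        # TCP flag letters after the dash, e.g. "S", "A", "AP"
    keep_state: bool  # "K-S" present: the matching rule carried keep state
    direction: str    # "IN" or "OUT"


def parse_ipmon(line: str) -> Optional[IpmonEvent]:
    """Parse one ipmon line; return None for lines in another shape."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    flags, keep_state, direction = "", False, ""
    for tok in m.group("rest").split():
        if tok.startswith("-") and len(tok) > 1:
            flags = tok[1:]
        elif tok == "K-S":
            keep_state = True
        elif tok in ("IN", "OUT"):
            direction = tok
    return IpmonEvent(
        iface=m.group("iface"),
        rule=f"{m.group('group')}:{m.group('rule')}",
        action=m.group("action"),
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        proto=m.group("proto"),
        flags=flags, keep_state=keep_state, direction=direction,
    )


def rule_summary(lines: List[str]) -> Dict[Tuple[str, str, str, str], int]:
    """Count entries per (iface, rule, action, flags) so pass/block patterns stand out."""
    counts: Dict[Tuple[str, str, str, str], int] = {}
    for line in lines:
        ev = parse_ipmon(line)
        if ev is None:
            continue
        key = (ev.iface, ev.rule, ev.action, ev.flags)
        counts[key] = counts.get(key, 0) + 1
    return counts


def blocked_mid_stream(lines: List[str]) -> List[IpmonEvent]:
    """TCP packets blocked by a rule although they carry ACK and not SYN.

    Such a packet belongs to a connection already in progress and reached the
    rule list without matching a state entry; when SYNs are being passed but
    sessions never complete, these are the entries to look at first.
    """
    out = []
    for line in lines:
        ev = parse_ipmon(line)
        if ev and ev.proto == "tcp" and ev.action == "b" and "A" in ev.flags and "S" not in ev.flags:
            out.append(ev)
    return out


# Constructed sample entries modelled on the two excerpts quoted in the thread;
# host name, addresses and ports are made up for this example.
SAMPLE_LOG = [
    "Jun  4 19:57:18 soekris ipmon[89]: 19:57:18.086181 sis2 @300:1 p 203.0.113.10,49916 -> 192.168.250.7,515 PR tcp len 20 60 -S K-S IN",
    "Jun  4 19:57:44 soekris ipmon[89]: 19:57:43.987645 sis2 @300:1 p 203.0.113.10,50432 -> 192.168.250.7,515 PR tcp len 20 60 -S K-S IN",
    "Jun  5 21:13:52 soekris ipmon[89]: 21:13:52.212749 sis2 @0:13 b 203.0.113.10,1023 -> 192.168.250.7,515 PR tcp len 20 64 -A IN",
    "Jun  5 21:13:57 soekris ipmon[89]: 21:13:56.910694 sis2 @0:13 b 203.0.113.10,1023 -> 192.168.250.7,515 PR tcp len 20 61 -AP IN",
    "Jun  5 21:14:01 soekris ipmon[89]: 21:14:01.000000 sis2 @0:13 b 203.0.113.10 -> 192.168.250.7 PR icmp len 20 84 icmp 8/0 IN",
]

if __name__ == "__main__":
    for key, n in sorted(rule_summary(SAMPLE_LOG).items()):
        print(key, n)
    for ev in blocked_mid_stream(SAMPLE_LOG):
        print(f"blocked mid-stream: {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport} "
              f"flags={ev.flags} rule @{ev.rule}")
```

Run against a real ipmon log (or the output of "ipmon -o I" in the m0n0wall console), the summary separates rule-matched SYNs carrying K-S from anything later blocked by a catch-all rule, and the second helper prints the blocked ACK/ACK-PUSH entries so they can be matched against the rule number ipmon names.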