 From:  kirt <urpwnd at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  question regarding connectivity with another router between client and m0n0wall
 Date:  Thu, 1 Oct 2009 15:34:25 -0400
Maybe I'm missing something, but for whatever stupid reason, I can't figure
this out.

Currently, my network is something like this...

remote sites (dedicated connections over Cisco routers) (10.3.128.0 and higher)
     |
main LAN at my building (10.3.0.0/17)
     |
core router (inside 10.3.0.1 - outside 10.1.0.1)
     |
iPrism web filter (10.1.0.2)
     |
Cisco PIX (10.1.0.3)
     |
Internet


We have a new DS3 that has just been installed. For testing purposes I
wanted to hook it up using access-list/policy-based routing on our core
router, and send traffic over to a m0n0wall I just set up.  So the test
boxes can still see the rest of our LAN subnet and for transparency on the
client end, I wanted to put the m0n0wall outside of our core router on the
small 10.1.0.0/29 network, using a 10.1.0.4 IP address.

However, with the m0n0wall configured for our public IP range, assigned the
10.1.0.4 address, and with a static route for 10.3.0.0/16 to 10.1.0.1 added, I
am experiencing the following weirdness...

From machines on the LAN, I can ping 10.1.0.1 - 10.1.0.3 just fine.
From machines on the LAN, I cannot ping 10.1.0.4 at all.
From machines on the LAN, I cannot hit the web interface, via http or https,
at all.
From the m0n0wall, I can ping all the other 10.1.0.x addresses.
From the other 10.1.0.x addresses, I can ping the m0n0wall.
From the m0n0wall, I can ping back into the 10.3.x.x network just fine.

Now, in the documentation, I did notice the line:

4. Check the IP configuration of the machine you are using. Its IP address
must be within the same subnet as your m0n0wall's LAN interface, and must be
using the same subnet mask.

Is this just a reminder for the not-so-technically minded new user, or is
this some sort of security-oriented policy that doesn't allow incoming
connections from other routed networks? If the latter, is there a way
around this?

Using the same overall setup, if I just set up the LAN IP on the m0n0wall on
the 10.3.x.x network (using 10.3.0.3) everything works great, except the
policy-based routing makes getting to things that are not on the
10.3.0.0/17 "main LAN" or on the Internet not work at all. This may also be
that I need to tweak the access-list on my Cisco core router more, or just
set up a zillion static routes on the m0n0wall (we have 50+ remote sites on
dedicated connections).

Either way, I <3 m0n0wall and thanks in advance for any help/advice.

:: kirt

PS - I'm trying to use this as a proof of concept for replacing our aging
and unsupported PIX as well, instead of spending thousands on a new Cisco
ASA or other hideously expensive firewall.
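An added example, not from the post or from m0n0wall itself: a small routing model of the topology kirt describes (core router at 10.3.0.1/10.1.0.1, m0n0wall LAN at 10.1.0.4/29 with the static route for 10.3.0.0/16 via 10.1.0.1), with 10.3.0.50 as a constructed LAN host address. It does longest-prefix lookups for the forward and return path of the probes listed in the post; with that static route in place every probe is routable in both directions, so the model shows that routing alone does not account for 10.1.0.4 being unreachable from the LAN while 10.1.0.1 is.

```python
import ipaddress

# Constructed model of the post's topology; the LAN host address 10.3.0.50 is made up.
NODES = {
    "lan-host": {"ifaces": ["10.3.0.50/17"], "routes": {"0.0.0.0/0": "10.3.0.1"}},
    "core-router": {"ifaces": ["10.3.0.1/17", "10.1.0.1/29"], "routes": {}},
    "m0n0wall": {"ifaces": ["10.1.0.4/29"], "routes": {"10.3.0.0/16": "10.1.0.1"}},
}

def owner(addr):
    """Name of the node that holds addr on one of its interfaces, or None."""
    ip = ipaddress.ip_address(addr)
    return next((n for n, d in NODES.items()
                 if any(ipaddress.ip_interface(i).ip == ip for i in d["ifaces"])), None)

def next_hop(node, dst):
    """Longest-prefix match; a directly connected destination is its own hop."""
    ip = ipaddress.ip_address(dst)
    cands = [(ipaddress.ip_interface(i).network, dst) for i in NODES[node]["ifaces"]]
    cands += [(ipaddress.ip_network(p), gw) for p, gw in NODES[node]["routes"].items()]
    matches = [(net.prefixlen, hop) for net, hop in cands if ip in net]
    return max(matches)[1] if matches else None

def trace(src_node, dst, max_hops=8):
    """Follow next hops toward dst; return the node path, or None if routing fails."""
    path, node = [src_node], src_node
    for _ in range(max_hops):
        hop = next_hop(node, dst)
        node = owner(hop) if hop else None
        if node is None:
            return None
        if node != path[-1]: path.append(node)
        if hop == dst:
            return path
    return None

def round_trip(src_node, src_ip, dst_ip):
    """True when both the forward path and the return path are routable."""
    fwd = trace(src_node, dst_ip)
    back = trace(fwd[-1], src_ip) if fwd else None
    return bool(back) and back[-1] == src_node

# Probes from the post: LAN host to 10.1.0.1 (works), LAN host to 10.1.0.4
# (fails), m0n0wall back to the LAN (works). check_all() maps dst -> routable.
PROBES = [("lan-host", "10.3.0.50", "10.1.0.1"), ("lan-host", "10.3.0.50", "10.1.0.4"),
          ("m0n0wall", "10.1.0.4", "10.3.0.50")]

def check_all():
    return {dst: round_trip(src, sip, dst) for src, sip, dst in PROBES}
```

If a probe came back False here the problem would be a missing or asymmetric route; since all three come back True, the next thing to compare is what the m0n0wall's LAN interface accepts from sources outside 10.1.0.0/29.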