 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] 1.3 WAN <-> Opt bridge wrong rules apply
 Date:  Fri, 12 Feb 2010 11:12:12 +0000

Fabrizio Steiner wrote:
> I have a problem with a Monowall, which I would like to configure as
> a transparent firewall. For this, I've bridged the WAN interface
> with the Opt1 interface. Now I wanted to have some special Firewall
> Rules for the incoming traffic, e.g. allow only https; this rule has
> to be defined on the WAN interface. On the other hand, for the
> outgoing traffic I want to allow all traffic, so for this there's an
> allow "any to any" rule on the Opt1 interface. Unfortunately the
> rule on Opt1 doesn't apply to traffic that comes from the Opt1
> interface; instead, for traffic that comes from Opt1 the rules of
> the WAN apply. But these rules prevent any traffic except https and
> therefore no communication is possible from Opt1 over the WAN to the
> outside world.
> For testing purposes I've again created an allow "any to any" rule on
> the WAN interface and I've set up both allow "any to any" rules to be
> logged. If you have some traffic from Opt1 to the outside world
> and take a look at the Firewall Log you will see that the rule on
> the WAN is used instead of the one on Opt1.
> Using the same configuration with 1.3b16 works as expected, and the
> Opt1 rule applies, which is correct. Using 1.3b17 and newer the WAN
> rule applies, so this must be due to the change from "BRIDGE to
> if_bridge".

I too noticed this problem with 1.3 a while back and reverted to 1.2.
Unfortunately I haven't yet had the chance to run up a test firewall and
double-check things.

I had the rules initially on OPT1, as per my 1.2 config, upgraded to 1.3
and everything appeared OK.  I think I then rebooted the machine and
everything on OPT1 stopped working so I migrated all of the rules to the
WAN interface and it started working again!  And then for some reason it
flipped back so I had to migrate the rules back to OPT1!

I also remember severe performance problems certainly on LAN <-> WAN
traffic such that traffic was being limited to about 1Mbps.  Reverting
to 1.2 on the same hardware gave me the full 7Mbps of my ADSL connection.