 From:  Fabrizio Steiner <fabrizio at steiner dash vs dot ch>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] 1.3 WAN <-> Opt bridge wrong rules apply
 Date:  Fri, 12 Feb 2010 12:30:03 +0100
In the meantime I've figured out where the problem came from. As my test config shows, there's a DNS
Server defined on the General Setup Page. As soon as I removed the DNS Server there and rebooted the
monowall, everything was running fine and the OPT1 rules applied as they should. After adding a DNS
Server again, almost immediately the OPT1 rules weren't used anymore and again the WAN rules applied.

I have absolutely no clue why a DNS Server entry has an impact on which rules are applied.

It would be great if one of the monowall developers could have a look at this. For now I'll
install a test monowall with 1.3 without any DNS Server.

Kind Regards

On Feb 12, 2010, at 12:12 PM, Neil A. Hillard wrote:

> Hi,
> Fabrizio Steiner wrote:
>> I have a problem with a Monowall, which I would like to configure as
>> a transparent firewall. For this, I've bridged the WAN interface
>> with the Opt1 interface. Now I wanted to have some special Firewall
>> Rules for the incoming traffic, e.g. allow only https; this rule has
>> to be defined on the WAN interface. On the other hand, for the
>> outgoing traffic I want to allow all traffic, so for this there's an
>> allow "any to any" rule on the Opt1 interface. Unfortunately the
>> rule on Opt1 doesn't apply to traffic that comes from the Opt1
>> interface; instead, for traffic that comes from Opt1 the rules of
>> the WAN apply. But this rule prevents any traffic except https and
>> therefore no communication is possible from Opt1 over the WAN to the
>> outside world.
>> For testing purposes I've again created an allow "any to any" rule on
>> the WAN interface and I've set up both allow "any to any" rules to be
>> logged. If you have some traffic from Opt1 to the outside world
>> and take a look at the Firewall Log you will see that the rule on
>> the WAN is used instead of the one on Opt1.
>> Using the same configuration with 1.3b16 works as expected, and the
>> Opt1 rule applies, which is correct. Using 1.3b17 and newer the WAN
>> rule applies, so this must be due to the change from "BRIDGE to
>> if_bridge".
> I too noticed this problem with 1.3 a while back and reverted to 1.2.
> Unfortunately I haven't yet had the chance to run up a test firewall and
> double-check things.
> I had the rules initially on OPT1, as per my 1.2 config, upgraded to 1.3
> and everything appeared OK. I think I then rebooted the machine and
> everything on OPT1 stopped working, so I migrated all of the rules to the
> WAN interface and it started working again! And then for some reason it
> flipped back, so I had to migrate the rules back to OPT1!
> I also remember severe performance problems, certainly on LAN <-> WAN
> traffic, such that traffic was being limited to about 1Mbps. Reverting
> to 1.2 on the same hardware gave me the full 7Mbps of my ADSL connection.
> Regards,
> Neil.