Hi Chris,

Chris Buechler wrote:
> On Fri, Feb 12, 2010 at 7:12 AM, Neil A. Hillard <m0n0 at dana dot org dot uk> wrote:
>> I too noticed this problem with 1.3 a while back and reverted to 1.2.
>> Unfortunately I haven't yet had the chance to run up a test firewall and
>> double-check things.
>>
>> I had the rules initially on OPT1, as per my 1.2 config, upgraded to 1.3
>> and everything appeared OK. I think I then rebooted the machine and
>> everything on OPT1 stopped working, so I migrated all of the rules to the
>> WAN interface and it started working again! And then for some reason it
>> flipped back, so I had to migrate the rules back to OPT1!
>>
>
> I ran into a situation where things didn't work after upgrading from
> 1.2x to 1.3 and found one major difference that may be impacting both
> people who posted in this thread. if_bridge obeys your Outbound NAT
> configuration, where the old BRIDGE apparently ignores it, which by
> default is going to NAT everything outbound and hose your traffic in
> general in unusual ways. In combination with a bridge, this causes
> havoc on which rules function correctly and which don't, and you don't
> want to NAT across that bridge anyway. You need to enable advanced
> outbound NAT under Firewall > NAT, Outbound tab, and don't configure
> any NAT rules that would match your bridged interface (if you're only
> bridging, don't configure any outbound NAT rules at all). Flip
> flopping the rules around could have created states or done something
> differently that happened to make it sort of work temporarily, when
> the problem is really just the NAT messing with the bridge. I never
> could determine exactly how it was getting messed up, as it was a
> remote system and the lack of tcpdump on m0n0wall hindered any in
> depth troubleshooting, but disabling the NAT fixed all the problems
> and made the rules behave the same as they did in 1.2x.
>
> Other than that difference, everything will work exactly as it did
> previously (except in cases where you weren't filtering at all on the
> bridge; it's not possible to do that now).
>
> If your bridge doesn't work the same in 1.3x as it did in 1.2x, where
> outbound NAT is properly disabled and you aren't trying to do a
> non-filtered bridge, email me off list and I'll take a look at it (I
> wrote the if_bridge code change in m0n0wall).

Advanced outbound NAT has always been set here so that I could talk to my
DMZ server correctly! At present I haven't got 1.3 running, and now I don't
have a specific need for the DMZ as my server is now in a data centre far,
far away!

At some point I will resurrect my test firewall (Compaq EN SFF with the
onboard NIC and two 3x905Cs), but the last time I tried it with 1.3 I
couldn't get it to talk on the network after restoring the configuration.
It appeared to have problems with the VLAN tagged interface. I'll see if I
can have a play over the next couple of weeks!

Many thanks,

Neil.
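The check Chris describes above (advanced outbound NAT enabled, and no outbound NAT rule matching either end of the bridge) can be run against a saved config.xml before upgrading a bridged 1.2x box to 1.3. The script below is an added example written for this thread; it is not m0n0wall code, and the XML layout it reads (interfaces under <interfaces>, an OPT interface's <bridge> element naming its partner, outbound NAT under <nat><advancedoutbound> with an <enable/> flag and <rule> entries carrying an <interface>) is an assumption about the config.xml schema, as are the three sample configs, which are constructed for the example.

```python
"""Audit an m0n0wall-style config.xml for outbound NAT that would hit a
bridged interface (the 1.3 if_bridge failure mode described in the thread).

Hypothetical example, not m0n0wall code. The XML layout is an assumption
about the config.xml schema: interfaces under <interfaces>, an <optN>
element's <bridge> child naming its bridge partner, and outbound NAT under
<nat><advancedoutbound> with an <enable/> flag and <rule> entries that
carry an <interface> element.
"""
import xml.etree.ElementTree as ET


def bridged_interfaces(root):
    """Return the set of interface names that are members of a bridge.

    Each <optN> with a <bridge> child is bridged to the interface it names
    (assumed schema), so both ends of the bridge are returned: a NAT rule on
    either end would rewrite traffic crossing the bridge.
    """
    bridged = set()
    ifaces = root.find("interfaces")
    if ifaces is None:
        return bridged
    for child in ifaces:
        partner = child.findtext("bridge")
        if partner:
            bridged.add(child.tag)
            bridged.add(partner.strip())
    return bridged


def audit_bridge_nat(config_xml):
    """Check the outbound NAT configuration against the bridge.

    Returns a dict with:
      advanced_outbound_enabled - True if <advancedoutbound><enable/> is present
      bridged_interfaces        - sorted list of bridge members
      bridge_nat_rules          - descriptions of outbound rules on a bridge member
      ok                        - True only when advanced outbound NAT is on and
                                  no rule matches a bridged interface
    """
    root = ET.fromstring(config_xml)
    bridged = bridged_interfaces(root)
    aon = root.find("nat/advancedoutbound")
    enabled = aon is not None and aon.find("enable") is not None
    offending = []
    if aon is not None:
        for rule in aon.findall("rule"):
            iface = (rule.findtext("interface") or "").strip()
            if iface in bridged:
                offending.append(
                    f"{iface}: {rule.findtext('source/network', '?')} -> "
                    f"{rule.findtext('target') or 'interface address'}"
                )
    # With advanced outbound NAT off, 1.3 NATs everything outbound, bridge
    # traffic included, so the default is treated as a failure.
    return {
        "advanced_outbound_enabled": enabled,
        "bridged_interfaces": sorted(bridged),
        "bridge_nat_rules": offending,
        "ok": enabled and not offending,
    }


# Constructed sample: OPT1 bridged to WAN, advanced outbound NAT not enabled.
# This is the post-upgrade default: everything outbound gets NATed.
CONFIG_DEFAULT_NAT = """<m0n0wall>
  <interfaces>
    <wan><if>xl0</if></wan>
    <lan><if>xl1</if><ipaddr>192.168.1.1</ipaddr></lan>
    <opt1><if>xl2</if><bridge>wan</bridge></opt1>
  </interfaces>
  <nat></nat>
</m0n0wall>"""

# Constructed sample: advanced outbound NAT enabled, but a rule still matches
# WAN, which is one end of the bridge, so bridged traffic is still rewritten.
CONFIG_RULE_ON_BRIDGE = """<m0n0wall>
  <interfaces>
    <wan><if>xl0</if></wan>
    <lan><if>xl1</if><ipaddr>192.168.1.1</ipaddr></lan>
    <opt1><if>xl2</if><bridge>wan</bridge></opt1>
  </interfaces>
  <nat><advancedoutbound>
    <enable/>
    <rule>
      <interface>wan</interface>
      <source><network>192.168.1.0/24</network></source>
      <target/>
    </rule>
  </advancedoutbound></nat>
</m0n0wall>"""

# Constructed sample: bridge-only box, advanced outbound NAT enabled and no rules.
CONFIG_FIXED = """<m0n0wall>
  <interfaces>
    <wan><if>xl0</if></wan>
    <lan><if>xl1</if><ipaddr>192.168.1.1</ipaddr></lan>
    <opt1><if>xl2</if><bridge>wan</bridge></opt1>
  </interfaces>
  <nat><advancedoutbound><enable/></advancedoutbound></nat>
</m0n0wall>"""


if __name__ == "__main__":
    for name, cfg in [("default NAT", CONFIG_DEFAULT_NAT),
                      ("rule on bridge", CONFIG_RULE_ON_BRIDGE),
                      ("fixed", CONFIG_FIXED)]:
        print(name, audit_bridge_nat(cfg))
```

Run it against a real config.xml with `audit_bridge_nat(open("config.xml").read())`; a box that still needs LAN-to-WAN NAT alongside the bridge keeps its rule on the non-bridged interface, which the audit leaves alone.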