 From:  "Wyn Bryant" <wynbryant at gmail dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  bad NAT from status.php logs
 Date:  Thu, 9 Sep 2010 06:23:32 -0400
Dear Group,

I'm having an issue with inbound SIP ports (UDP 1-65535) passing through
m0n0 with inbound NAT.  status.php shows bad NAT for the rule in question:

Sep  8 21:31:36 m0n0wall ipmon[128]: 21:31:35.624147 50x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 K-S K-F IN bad NAT

This m0n0 configuration (attached) uses WAN, LAN and OPT (intended to be a
second LAN) interfaces, with outbound NAT.

Here is the NAT rule that is apparently the issue:

<rule>
	<external-address>71.XX.XX.243</external-address>
	<protocol>udp</protocol>
	<external-port>1-65535</external-port>
	<target>192.168.0.12</target>
	<local-port>1</local-port>
	<interface>wan</interface>
	<descr>SIP</descr>
</rule>

Note that other NAT rules are working to hosts on the OPT1 interface (such
as HTTPS and SMTP), but they are all TCP.

Would anyone be able to point me in the right direction?

I suppose a couple of options outside of m0n0 available are to use VLANs
with a managed switch instead of the LAN+OPT interfaces for the two LANs or
use a filtering bridge (but I had hoped to eliminate the routers on both LANs
behind the m0n0).

Any feedback is appreciated.

Regards,

Wyn Bryant

<?xml version="1.0"?>
<m0n0wall>
	<version>1.8</version>
	<lastchange>1283864861</lastchange>
	<system>
		<hostname>m0n0wall</hostname>
		<domain>local</domain>
		<dnsallowoverride/>
		<username>admin</username>
		<password>xxxxx</password>
		<timezone>Etc/UTC</timezone>
		<time-update-interval>300</time-update-interval>
		<timeservers>0.m0n0wall.pool.ntp.org</timeservers>
		<webgui>
			<protocol>http</protocol>
			<port/>
		</webgui>
		<dnsserver>3.3.3.1</dnsserver>
		<dnsserver>3.3.3.2</dnsserver>
	</system>
	<interfaces>
		<lan>
			<if>em0</if>
			<ipaddr>192.168.10.1</ipaddr>
			<subnet>24</subnet>
			<media/>
			<mediaopt/>
		</lan>
		<wan>
			<if>bge0</if>
			<blockpriv/>
			<media/>
			<mediaopt/>
			<spoofmac>00:21:29:70:c5:2d</spoofmac>
			<ipaddr>71.XX.XX.242</ipaddr>
			<subnet>28</subnet>
			<gateway>71.XX.XX.241</gateway>
		</wan>
		<opt1>
			<descr>LAN2</descr>
			<if>vr0</if>
			<ipaddr>192.168.0.1</ipaddr>
			<subnet>24</subnet>
			<bridge/>
			<enable/>
		</opt1>
	</interfaces>
	<staticroutes/>
	<pppoe/>
	<pptp/>
	<dyndns>
		<type>dyndns</type>
		<username/>
		<password/>
		<host/>
		<mx/>
		<server/>
		<port/>
	</dyndns>
	<dnsupdate/>
	<dhcpd>
		<lan>
			<range>
				<from>192.168.1.100</from>
				<to>192.168.1.199</to>
			</range>
		</lan>
	</dhcpd>
	<pptpd>
		<mode/>
		<nunits>16</nunits>
		<redir/>
		<localip/>
		<remoteip/>
	</pptpd>
	<dnsmasq>
		<enable/>
	</dnsmasq>
	<snmpd>
		<syslocation/>
		<syscontact/>
		<rocommunity>public</rocommunity>
	</snmpd>
	<diag/>
	<bridge/>
	<syslog/>
	<nat>
		<advancedoutbound>
			<rule>
				<source>
					<network>192.168.0.0/24</network>
				</source>
				<descr>OUTBOUND-NAT2</descr>
				<target>71.XX.XX.243</target>
				<interface>wan</interface>
				<destination>
					<any/>
				</destination>
			</rule>
			<rule>
				<source>
					<network>192.168.10.0/24</network>
				</source>
				<descr>OUTBOUND-NAT1</descr>
				<target>71.XX.XX.244</target>
				<interface>wan</interface>
				<destination>
					<any/>
				</destination>
			</rule>
			<enable/>
		</advancedoutbound>
		<servernat>
			<ipaddr>71.XX.XX.244</ipaddr>
			<descr>VISTA_SERVER_NAT</descr>
		</servernat>
		<servernat>
			<ipaddr>71.XX.XX.243</ipaddr>
			<descr>WFG_SERVER_NAT</descr>
		</servernat>
		<rule>
			<external-address>71.XX.XX.243</external-address>
			<protocol>tcp</protocol>
			<external-port>25</external-port>
			<target>192.168.0.225</target>
			<local-port>25</local-port>
			<interface>wan</interface>
			<descr>SMTP-WOLFES01</descr>
		</rule>
		<rule>
			<external-address>71.XX.XX.243</external-address>
			<protocol>tcp</protocol>
			<external-port>443</external-port>
			<target>192.168.0.225</target>
			<local-port>443</local-port>
			<interface>wan</interface>
			<descr>HTTPS-WOLFES01</descr>
		</rule>
		<rule>
			<external-address>71.XX.XX.243</external-address>
			<protocol>tcp</protocol>
			<external-port>3390</external-port>
			<target>192.168.0.11</target>
			<local-port>3390</local-port>
			<interface>wan</interface>
			<descr>RDP-1</descr>
		</rule>
		<rule>
			<external-address>71.XX.XX.243</external-address>
			<protocol>tcp</protocol>
			<external-port>3391</external-port>
			<target>192.168.0.27</target>
			<local-port>3391</local-port>
			<interface>wan</interface>
			<descr>RDP-3</descr>
		</rule>
		<rule>
			<external-address>71.XX.XX.243</external-address>
			<protocol>udp</protocol>
			<external-port>1-65535</external-port>
			<target>192.168.0.12</target>
			<local-port>1</local-port>
			<interface>wan</interface>
			<descr>SIP</descr>
		</rule>
		<rule>
			<external-address>71.XX.XX.244</external-address>
			<protocol>tcp</protocol>
			<external-port>25</external-port>
			<target>192.168.10.2</target>
			<local-port>25</local-port>
			<interface>wan</interface>
			<descr>VISTA-SMTP</descr>
		</rule>
		<rule>
			<external-address>71.XX.XX.244</external-address>
			<protocol>tcp</protocol>
			<external-port>443</external-port>
			<target>192.168.10.2</target>
			<local-port>443</local-port>
			<interface>wan</interface>
			<descr>VISTA-OWA</descr>
		</rule>
		<rule>
			<external-address>71.XX.XX.244</external-address>
			<protocol>tcp</protocol>
			<external-port>3389</external-port>
			<target>192.168.10.13</target>
			<local-port>3389</local-port>
			<interface>wan</interface>
			<descr>VISTA-WYN-RDP</descr>
		</rule>
		<rule>
			<external-address>71.XX.XX.243</external-address>
			<protocol>tcp</protocol>
			<external-port>7575</external-port>
			<target>192.168.0.34</target>
			<local-port>7575</local-port>
			<interface>wan</interface>
			<descr>RDP-2 JOAN</descr>
		</rule>
	</nat>
	<filter>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.10.2</address>
				<port>25</port>
			</destination>
			<descr>NAT SMTP</descr>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.10.2</address>
				<port>443</port>
			</destination>
			<descr>NAT HTTPS</descr>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.10.2</address>
				<port>110</port>
			</destination>
			<descr>NAT POP3-VISTAS02</descr>
		</rule>
		<rule>
			<type>pass</type>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.10.12</address>
				<port>3389</port>
			</destination>
			<descr>NAT RDP-WYN</descr>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.0.225</address>
				<port>443</port>
			</destination>
			<descr>NAT WFG-HTTPS</descr>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.0.225</address>
				<port>25</port>
			</destination>
			<descr>NAT WFG-SMTP</descr>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.10.2</address>
				<port>25</port>
			</destination>
			<descr>NAT VISTA-SMTP</descr>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.10.2</address>
				<port>443</port>
			</destination>
			<descr>NAT VISTA-OWA</descr>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.10.13</address>
				<port>3389</port>
			</destination>
			<descr>NAT VISTA-WYN-RDP</descr>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.0.225</address>
				<port>25</port>
			</destination>
			<descr>NAT SMTP-WOLFES01</descr>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>udp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.0.12</address>
				<port>1-65535</port>
			</destination>
			<descr>NAT SIP</descr>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.0.225</address>
				<port>443</port>
			</destination>
			<descr>NAT HTTPS-WOLFES01</descr>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.0.11</address>
				<port>3390</port>
			</destination>
			<descr>NAT RDP-1</descr>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.0.27</address>
				<port>3391</port>
			</destination>
			<descr>NAT RDP-3</descr>
		</rule>
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.0.34</address>
				<port>7575</port>
			</destination>
			<descr>NAT RDP-2 JOAN</descr>
		</rule>
		<rule>
			<type>pass</type>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.0.20</address>
				<port>80</port>
			</destination>
			<descr/>
		</rule>
		<rule>
			<type>pass</type>
			<interface>opt1</interface>
			<source>
				<network>opt1</network>
			</source>
			<destination>
				<any/>
			</destination>
			<descr>WFGLAN</descr>
		</rule>
		<rule>
			<type>pass</type>
			<descr>Default LAN -&gt; any</descr>
			<interface>lan</interface>
			<source>
				<network>lan</network>
			</source>
			<destination>
				<any/>
			</destination>
		</rule>
		<rule>
			<type>pass</type>
			<descr>Default IPsec VPN</descr>
			<interface>ipsec</interface>
			<source>
				<any/>
			</source>
			<destination>
				<any/>
			</destination>
		</rule>
	</filter>
	<ipsec/>
	<aliases/>
	<proxyarp>
		<proxyarpnet>
			<interface>wan</interface>
			<network>71.XX.XX.243/32</network>
			<descr>NAT WFGLAN</descr>
		</proxyarpnet>
		<proxyarpnet>
			<interface>wan</interface>
			<network>71.XX.XX.244/32</network>
			<descr>NAT VISTALAN</descr>
		</proxyarpnet>
	</proxyarp>
	<wol/>
	<shaper/>
	<secondaries/>
	<vlans/>
</m0n0wall>
Sep  8 21:31:18 m0n0wall ipmon[128]: 21:31:17.924196 34x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 IN bad NAT
Sep  8 21:31:19 m0n0wall ipmon[128]: 21:31:18.603780 50x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 K-S K-F IN bad NAT
Sep  8 21:31:20 m0n0wall ipmon[128]: 21:31:19.604770 50x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 K-S K-F IN bad NAT
Sep  8 21:31:21 m0n0wall ipmon[128]: 21:31:20.604146 50x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 K-S K-F IN bad NAT
Sep  8 21:31:22 m0n0wall ipmon[128]: 21:31:21.603832 50x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 K-S K-F IN bad NAT
Sep  8 21:31:23 m0n0wall ipmon[128]: 21:31:22.604458 50x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 K-S K-F IN bad NAT
Sep  8 21:31:24 m0n0wall ipmon[128]: 21:31:23.604648 50x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 K-S K-F IN bad NAT
Sep  8 21:31:25 m0n0wall ipmon[128]: 21:31:24.603833 50x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 K-S K-F IN bad NAT
Sep  8 21:31:26 m0n0wall ipmon[128]: 21:31:25.603993 50x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 K-S K-F IN bad NAT
Sep  8 21:31:27 m0n0wall ipmon[128]: 21:31:26.604145 37x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 K-S K-F IN bad NAT
Sep  8 21:31:27 m0n0wall ipmon[128]: 21:31:27.344494 bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 IN bad NAT
Sep  8 21:31:27 m0n0wall ipmon[128]: 21:31:27.364933 12x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 IN bad NAT
Sep  8 21:31:28 m0n0wall ipmon[128]: 21:31:27.603990 50x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 K-S K-F IN bad NAT
Sep  8 21:31:29 m0n0wall ipmon[128]: 21:31:28.604148 50x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 K-S K-F IN bad NAT
Sep  8 21:31:30 m0n0wall ipmon[128]: 21:31:29.603835 51x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 K-S K-F IN bad NAT
Sep  8 21:31:31 m0n0wall ipmon[128]: 21:31:30.624149 42x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 K-S K-F IN bad NAT
Sep  8 21:31:31 m0n0wall ipmon[128]: 21:31:31.463854 8x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 IN bad NAT
Sep  8 21:31:32 m0n0wall ipmon[128]: 21:31:31.623838 50x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 K-S K-F IN bad NAT
Sep  8 21:31:33 m0n0wall ipmon[128]: 21:31:32.623991 50x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 K-S K-F IN bad NAT
Sep  8 21:31:34 m0n0wall ipmon[128]: 21:31:33.624146 50x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 K-S K-F IN bad NAT
Sep  8 21:31:35 m0n0wall ipmon[128]: 21:31:34.624771 46x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 K-S K-F IN bad NAT
Sep  8 21:31:35 m0n0wall ipmon[128]: 21:31:35.544307 4x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 IN bad NAT
Sep  8 21:31:36 m0n0wall ipmon[128]: 21:31:35.624147 50x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 K-S K-F IN bad NAT
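The ipmon lines and the attached config.xml together have enough structure for a small correlation script. What follows is an added example, not code from the original post or from the m0n0wall project: it parses ipmon syslog lines in the format shown in the attachment, totals the "bad NAT" blocks per flow, and then looks up which inbound NAT rule in the config covers that flow, reporting a full 1-65535 external range, a range mapped onto a single local port, and the absence of a filter pass rule admitting the traffic. The sample log lines are the attachment's (re-joined onto single lines) plus one constructed TCP pass line; the config fragment is trimmed from the attachment, and the rule named CONSTRUCTED-NO-FILTER, the host 192.168.0.50, and the assumption that a filter rule without a <type> element is a pass rule are mine, not the poster's.

```python
# Added example for this thread (not code from the post or from m0n0wall): correlate
# ipmon "bad NAT" lines with the inbound NAT rules of a m0n0wall config.xml.
# Sample data is constructed from the post's attachments; CONSTRUCTED marks invented items.
import re
import xml.etree.ElementTree as ET
from collections import Counter

# ipmon line: "<ts> [Nx] <iface> @<rule> <action> src,sport -> dst,dport PR <proto> len <hlen> <plen> [flags] IN|OUT [reason]"
IPMON_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d+) (?P<time>[\d:]+) (?P<host>\S+) ipmon\[\d+\]: "
    r"(?P<ts>[\d:.]+) (?:(?P<count>\d+)x )?(?P<iface>\S+) @(?P<rule>[\d:]+) (?P<action>\S) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?P<flags>(?: [A-Z-][A-Z-]*)*) (?P<dir>IN|OUT)(?P<reason>(?: .*)?)$"
)

def parse_ipmon(line):
    """Return a dict of fields for one ipmon line, or None if the line is not ipmon output."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"] or 1)  # "50x" = 50 identical packets coalesced by ipmon
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"], rec["reason"] = rec["flags"].split(), rec["reason"].strip()
    return rec

def summarize_bad_nat(lines):
    """Total the blocked packets per (rule, proto, src, dst:dport) for lines ending in 'bad NAT'."""
    totals = Counter()
    for line in lines:
        rec = parse_ipmon(line)
        if rec and rec["reason"] == "bad NAT":
            totals[(rec["rule"], rec["proto"], rec["src"], f"{rec['dst']}:{rec['dport']}")] += rec["count"]
    return totals

def port_range(text):
    """'25' -> (25, 25); '1-65535' -> (1, 65535)."""
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)

def filter_admits(root, iface, proto, dst, dport):
    """True if a pass rule on iface admits proto traffic to dst:dport.
    Assumption (mine): a filter rule with no <type> element is a pass rule."""
    for rule in root.findall("./filter/rule"):
        if rule.findtext("interface") != iface or rule.findtext("type", "pass") != "pass":
            continue
        if rule.findtext("protocol") not in (None, proto):  # missing <protocol> means any
            continue
        dest = rule.find("destination")
        if dest is None or dest.findtext("address") != dst:
            continue
        port = dest.findtext("port")
        if port and not (port_range(port)[0] <= dport <= port_range(port)[1]):
            continue
        return True
    return False

def audit_inbound_nat(config_xml, dst, dport, proto):
    """List review findings for the inbound NAT rules that cover proto traffic to dst:dport."""
    root = ET.fromstring(config_xml)
    findings, matched = [], False
    for rule in root.findall("./nat/rule"):
        if rule.findtext("target") != dst or rule.findtext("protocol") != proto:
            continue
        lo, hi = port_range(rule.findtext("external-port"))
        if not lo <= dport <= hi:
            continue
        matched = True
        descr, iface = rule.findtext("descr"), rule.findtext("interface")
        llo, lhi = port_range(rule.findtext("local-port"))
        if (lo, hi) == (1, 65535):
            findings.append(f"{descr}: forwards the entire {proto} port range to {dst}")
        if hi - lo != lhi - llo:  # range on the outside, single port (or different span) inside
            findings.append(f"{descr}: external ports {lo}-{hi} mapped onto local-port {rule.findtext('local-port')}")
        if not filter_admits(root, iface, proto, dst, dport):
            findings.append(f"{descr}: no pass rule on {iface} admits {proto} to {dst}:{dport}")
    if not matched:
        findings.append(f"no inbound {proto} NAT rule covers {dst}:{dport}")
    return findings

SAMPLE_LOG = [  # four lines from the post's attachment, plus one CONSTRUCTED tcp pass line
    "Sep  8 21:31:18 m0n0wall ipmon[128]: 21:31:17.924196 34x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 IN bad NAT",
    "Sep  8 21:31:19 m0n0wall ipmon[128]: 21:31:18.603780 50x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 K-S K-F IN bad NAT",
    "Sep  8 21:31:27 m0n0wall ipmon[128]: 21:31:27.344494 bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 IN bad NAT",
    "Sep  8 21:31:27 m0n0wall ipmon[128]: 21:31:27.364933 12x bge0 @200:1 b 2.2.2.2,59114 -> 192.168.0.12,18756 PR udp len 20 200 IN bad NAT",
    "Sep  8 21:31:40 m0n0wall ipmon[128]: 21:31:40.000000 bge0 @0:9 p 2.2.2.2,50000 -> 192.168.0.225,443 PR tcp len 20 60 -S IN",
]

SAMPLE_CONFIG = """<m0n0wall><nat>
<rule><external-address>71.XX.XX.243</external-address><protocol>udp</protocol><external-port>1-65535</external-port>
<target>192.168.0.12</target><local-port>1</local-port><interface>wan</interface><descr>SIP</descr></rule>
<rule><external-address>71.XX.XX.243</external-address><protocol>tcp</protocol><external-port>443</external-port>
<target>192.168.0.225</target><local-port>443</local-port><interface>wan</interface><descr>HTTPS-WOLFES01</descr></rule>
<rule><external-address>71.XX.XX.243</external-address><protocol>tcp</protocol><external-port>8080</external-port>
<target>192.168.0.50</target><local-port>8080</local-port><interface>wan</interface><descr>CONSTRUCTED-NO-FILTER</descr></rule>
</nat><filter>
<rule><interface>wan</interface><protocol>udp</protocol><source><any/></source>
<destination><address>192.168.0.12</address><port>1-65535</port></destination><descr>NAT SIP</descr></rule>
<rule><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
<destination><address>192.168.0.225</address><port>443</port></destination><descr>NAT WFG-HTTPS</descr></rule>
<rule><type>pass</type><interface>lan</interface><source><network>lan</network></source><destination><any/></destination></rule>
</filter></m0n0wall>"""

if __name__ == "__main__":
    for (rule, proto, src, dest), n in summarize_bad_nat(SAMPLE_LOG).items():
        print(f"{n:5d} packets blocked by rule @{rule}: {proto} {src} -> {dest}")
        dst, dport = dest.split(":")
        for finding in audit_inbound_nat(SAMPLE_CONFIG, dst, int(dport), proto):
            print("   -", finding)
```

Run against the full attachment, summarize_bad_nat gives one flow (rule @200:1, udp 2.2.2.2 to 192.168.0.12:18756) with the coalesced counts added up, and audit_inbound_nat reports the SIP rule twice: the whole UDP port range is forwarded to one host, and a 65535-port external range is mapped onto local-port 1. The filter check passes for that host because the attachment's "NAT SIP" rule admits udp 1-65535 to 192.168.0.12; it only fires for the constructed rule that has no filter counterpart.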