Hi Mike,
Well, when we talk about any-any rules we usually mean to have rules for
every protocol from and to everywhere.
I don't think it is a problem of the firewall. The problem seems to be a
routing problem really as the attached network seems not to be in the
routing table.
Have a look into the /status.php excerpt:
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.11.1 UGS 0 196087 vlan10
10.1.1/24 link#6 UC 0 0 vlan0
10.1.1.254 00:50:56:8f:60:46 UHLW 1 126 vlan0 1102
127.0.0.1 127.0.0.1 UH 0 0 lo0
192.168.11/30 link#16 UC 0 0 vlan10
192.168.11.1 00:50:56:b0:55:f1 UHLW 2 342 vlan10 605
192.168.50.192/27 link#2 UC 0 0 em1
192.168.200 link#9 UC 0 0 vlan3
192.168.201 link#8 UC 0 0 vlan2
192.168.202 link#10 UC 0 0 vlan4
192.168.202.3 00:50:56:b0:6a:93 UHLW 1 120736 vlan4 753
192.168.202.4 00:50:56:b0:6b:9f UHLW 1 32366 vlan4 1076
192.168.203 link#11 UC 0 0 vlan5
192.168.203.3 00:50:56:b0:51:8d UHLW 1 33801 vlan5 946
192.168.203.4 00:50:56:b0:7f:c8 UHLW 1 16057 vlan5 1050
192.168.204 link#12 UC 0 0 vlan6
192.168.230 link#13 UC 0 0 vlan7
192.168.230.10 00:50:56:b0:7f:68 UHLW 1 1219 vlan7 724
192.168.231 link#14 UC 0 0 vlan8
192.168.232 link#15 UC 0 0 vlan9
Basically you see that there is no VLAN 101 and no network
192.168.101.0/24 on em2 interface.
Which is strange as the network is there in the interfaces section:
Interfaces
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
inet6 fe80::250:56ff:feb0:4551%em0 prefixlen 64 scopeid 0x1
ether 00:50:56:b0:45:51
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
inet6 fe80::250:56ff:feb0:5e0f%em1 prefixlen 64 scopeid 0x2
inet 192.168.50.219 netmask 0xffffffe0 broadcast 192.168.50.223
ether 00:50:56:b0:5e:0f
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
inet6 fe80::250:56ff:feb0:3f7a%em2 prefixlen 64 scopeid 0x3
inet 192.168.101.1 netmask 0xffffff00 broadcast 192.168.101.255
ether 00:50:56:b0:3f:7a
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
This would explain why the system cannot see anything in the VLAN 101
from any other network / interface.
Do you agree?
Cheers
Arne
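To make the check above repeatable, here is a small script (added here; it is not part of the thread and not m0n0wall code) that parses a BSD-style "netstat -rn" table and "ifconfig" output, derives each interface's connected subnet from its inet address and hex netmask, and reports any interface whose subnet has no route on that interface. It also does a longest-prefix lookup so you can see which interface a packet for a given address would actually leave on. The embedded ROUTES and IFCONFIG texts are abridged from the status.php excerpt posted above; the function names are my own.

```python
import ipaddress
import re

# Abridged from the routing table posted in the thread (netstat -rn style).
ROUTES = """\
Destination Gateway Flags Refs Use Netif Expire
default 192.168.11.1 UGS 0 196087 vlan10
10.1.1/24 link#6 UC 0 0 vlan0
10.1.1.254 00:50:56:8f:60:46 UHLW 1 126 vlan0 1102
127.0.0.1 127.0.0.1 UH 0 0 lo0
192.168.11/30 link#16 UC 0 0 vlan10
192.168.50.192/27 link#2 UC 0 0 em1
192.168.200 link#9 UC 0 0 vlan3
192.168.202 link#10 UC 0 0 vlan4
192.168.202.3 00:50:56:b0:6a:93 UHLW 1 120736 vlan4 753
"""

# Abridged from the interfaces section posted in the thread.
IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::250:56ff:feb0:4551%em0 prefixlen 64 scopeid 0x1
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.50.219 netmask 0xffffffe0 broadcast 192.168.50.223
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.101.1 netmask 0xffffff00 broadcast 192.168.101.255
"""


def expand_destination(dest):
    """Turn a BSD routing-table destination into an IPv4Network.

    BSD abbreviates classful networks: '192.168.200' means 192.168.200.0/24,
    '10.1.1/24' means 10.1.1.0/24, a full 4-octet address is a host route.
    """
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in dest:
        host, plen = dest.split("/")
        octets = host.split(".") + ["0"] * (4 - len(host.split(".")))
        return ipaddress.ip_network(f"{'.'.join(octets)}/{plen}", strict=False)
    octets = dest.split(".")
    if len(octets) == 4:
        return ipaddress.ip_network(f"{dest}/32")
    plen = 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen}")


def parse_routes(text):
    """Return a list of (network, flags, netif) from netstat -rn output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Columns: Destination Gateway Flags Refs Use Netif [Expire]
        if len(parts) < 6 or parts[0] == "Destination":
            continue
        routes.append((expand_destination(parts[0]), parts[2], parts[5]))
    return routes


def parse_ifconfig(text):
    """Return {ifname: [connected IPv4 networks]} from ifconfig output."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"^(\w+):\s+flags=", line)
        if head:
            current = head.group(1)
            ifaces.setdefault(current, [])
            continue
        inet = re.match(r"^inet\s+(\S+)\s+netmask\s+(0x[0-9a-fA-F]+)", line)
        if inet and current:
            plen = bin(int(inet.group(2), 16)).count("1")   # hex mask -> prefix length
            net = ipaddress.ip_network(f"{inet.group(1)}/{plen}", strict=False)
            ifaces[current].append(net)
    return ifaces


def missing_connected_routes(routes, ifaces):
    """List (iface, subnet) pairs that have an address but no route via that iface."""
    present = {(net, netif) for net, _flags, netif in routes}
    return [(iface, str(net)) for iface, nets in ifaces.items()
            for net in nets if (net, iface) not in present]


def lookup(routes, dst):
    """Longest-prefix match: which interface would a packet for dst leave on?"""
    ip, best = ipaddress.ip_address(dst), None
    for net, _flags, netif in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, netif)
    return best[1] if best else None


if __name__ == "__main__":
    routes, ifaces = parse_routes(ROUTES), parse_ifconfig(IFCONFIG)
    print("interfaces without a connected route:", missing_connected_routes(routes, ifaces))
    print("192.168.101.5 would go out via", lookup(routes, "192.168.101.5"))
```

Run against the posted excerpt it reports em2 / 192.168.101.0/24 as the only interface with an address but no connected route, and shows that a packet for 192.168.101.5 falls through to the default route on vlan10 instead of em2, which is exactly the symptom in the thread. On a live box you would feed it the output of "netstat -rn" and "ifconfig" instead of the embedded text.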
-----Original Message-----
From: Jewell, Michael [mailto:mjewell at law dot umaryland dot edu]
Sent: 11 October 2010 17:42
To: Brieseneck, Arne, VF-Group; m0n0wall at lists dot m0n0 dot ch
Subject: RE: Routing problem
Going by your initial email with sparse information... I never said you
couldn't put more restrictive rules in later, but initial diagnostics
of what's wrong are much simpler with "any any" rules. You did say you
had "any any" rules, but you never stated a protocol or interface they
were assigned to.
> The rule set is ANY-ANY so far and I see the traffic passing the
> firewall.
If you don't want help or want to give unhelpful responses, then don't
post to the listserv. Most people who are unfamiliar with firewall
rules do not know that pings are ICMP and not TCP/UDP or TCPIP and
require their own specific rules. It's not a routing limitation of
m0n0wall.
-Mike
-----Original Message-----
From: Brieseneck, Arne, VF-Group [mailto:Arne dot Brieseneck at vodafone dot com]
Sent: Monday, October 11, 2010 1:56 AM
To: Jewell, Michael; m0n0wall at lists dot m0n0 dot ch
Subject: RE: Routing problem
Standard IP any any. So it is not worth calling it a firewall...
-----Original Message-----
From: Jewell, Michael [mailto:mjewell at law dot umaryland dot edu]
Sent: 08 October 2010 20:10
To: Brieseneck, Arne, VF-Group
Subject: RE: Routing problem
Do you have an ICMP any any rule? Or just the standard IP any any?
-Mike
-----Original Message-----
From: Brieseneck, Arne, VF-Group [mailto:Arne dot Brieseneck at vodafone dot com]
Sent: Friday, October 08, 2010 11:09 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Routing problem
Hi all,
I have a strange problem and I don't know a solution.
The situation is like this:
I have a monowall running with a LAN, a WAN and several OPT interfaces.
The monowall itself has 3 physical interfaces.
1 -> WAN
2 -> LAN
3 -> NAS
The OPT interfaces are all on VLANs but the NAS, that is physical LAN
and WAN are on physical as well but have VLAN tagged.
When I am on the GUI of monowall I can ping every host in the NAS
network without any problem from the NAS interface.
But when I try that from any other interface it does not work. The rule
set is ANY-ANY so far and I see the traffic passing the firewall.
On the other side I have a storage system. Default GW is the IP of the
NAS interface of the wall. That is working fine. I can ping the wall and
I can access other systems on other OPT networks without a problem. But
from the OPT networks towards any server in the NAS network is not
possible. But you can reach the IP of the NAS interface of course.
I wonder if there is a routing limitation in monowall...
Any help is highly appreciated.
Cheers
Arne