 From:  Stefan Wiesinger <stefan at wie dash se dot net>
 To:  Francisco Artes <falcor at netassassin dot com>
 Cc:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] mono ip rules
 Date:  Sat, 08 Jan 2011 11:08:08 +0100
hello.

i've checked the cidr and it looks ok. i've also tried a traceroute to the VPN-Client IP and the route shows to the VPN-Server 10.99.0.1 (checked with traceroute).
the firewall-rule is to allow any ip from any port to the dns-server. if i enable logging, i see the accepted packets from the vpn-server, but blocked packets from the subnet behind.

my ideas:
-) the vpn-client subnet isn't configured on monowall directly, impact?
-) i've enabled advanced outbound nat, impact? --> but i won't nat anything, just routing

regards,
stefan


Am 2011-01-08 08:02, schrieb Francisco Artes:
> Depends on how the VPN server is setup.  Remember it too can have a set of ACLs and may not have
> been told to allow UDP 53.  Sometimes, depending on the VPN server, you have to tell it to allow DNS
> lookup and to what DNS server.  Not knowing what it is means I am speculating, but this could well
> be it.
> 
> Now if you are seeing:
> A block / Deny rule for "Source 10.1.0.4  port FOO destination 10.98.0.10 UDP 53 "
> Then I would double check the subnet / CIDR that you setup for the UDP rule and ensure it is the
> entire /24.  You might have the CIDR wrong.
> 
> Hope this helps.
> 
> 
> 
> On Jan 7, 2011, at 4:46 PM, Stefan Wiesinger wrote:
> 
>> hello.
>>
>> i use mono v1.32 with the following setup. i've already searched the mailing-list archive but
>> found no suitable answer.
>>
>> [MONO 10.0.0.138] --PPTPinternetConnection-- [10.0.0.140 modem/internet]
>> [MONO 10.98.0.254] --interface-- [10.98.0.10 DNS-Server (LAN)]
>> [MONO 10.99.0.254] --interface-- [10.99.0.1 VPN-Server 10.1.0.1] --VPNconnection-over-the-internet-- [VPN-Client 10.1.0.4]
>>
>> the vpn-clients are routed from the vpn-server to the rest of the networks.
>>
>> now i tried to allow the vpn-client to access the dns-server. i defined a fw-rule in the
>> ipv4-fw-rule for the interface on which the vpn-server is, to
>> allow any traffic from any ip with destination UDP 53 and IP 10.98.0.10.
>> when i look into the firewall-rules-log i see that the packets from the vpn-clients are blocked,
>> but the packets from the vpn-server itself pass -->
>> why? any ideas?
>>
>> the routing must be ok, otherwise i wouldn't see the dropped packets in the monowall-webif.
>>
>> hope anyone can help.
>>
>> thanks in advance,
>> stefan wiesinger
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>
> 
> 
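The CIDR check Francisco suggests (does the rule's source network actually contain the VPN-client addresses that show up as blocked?) can be done mechanically against the firewall log. The script below is an added example for this thread, not code from m0n0wall or from either poster. It assumes a simplified "action src dst proto dport" log layout, which is constructed for the example and is not real m0n0wall log output; the addresses follow the diagram in the original mail (VPN server 10.99.0.1, VPN client 10.1.0.4, DNS server 10.98.0.10). It compares the blocked sources against two candidate rules, one whose source is the VPN interface's own /24 and one whose source is "any", and also computes the smallest prefix that would cover every observed source.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample log in a simplified "action src dst proto dport" layout.
# This is NOT real m0n0wall log output; the addresses follow the thread's diagram.
SAMPLE_LOG = """\
pass  10.99.0.1 10.98.0.10 udp 53
block 10.1.0.4  10.98.0.10 udp 53
block 10.1.0.7  10.98.0.10 udp 53
pass  10.99.0.1 10.98.0.10 udp 53
block 10.1.0.4  10.98.0.10 tcp 22
"""

LogEntry = Tuple[str, ipaddress.IPv4Address, ipaddress.IPv4Address, str, int]


@dataclass(frozen=True)
class AllowRule:
    """A pass rule as described in the thread: some source network -> one host/proto/port."""
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Address
    proto: str
    dport: int


def make_dns_rule(source_cidr: str) -> AllowRule:
    """Rule for 'allow <source> -> 10.98.0.10 UDP 53' with a caller-chosen source network."""
    return AllowRule(ipaddress.IPv4Network(source_cidr),
                     ipaddress.IPv4Address("10.98.0.10"), "udp", 53)


def parse_log(text: str) -> List[LogEntry]:
    """Parse the constructed log layout, skipping blank lines."""
    entries: List[LogEntry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        action, src, dst, proto, dport = line.split()
        entries.append((action, ipaddress.IPv4Address(src),
                        ipaddress.IPv4Address(dst), proto, int(dport)))
    return entries


def blocked_outside_rule_source(rule: AllowRule,
                                entries: List[LogEntry]) -> List[ipaddress.IPv4Address]:
    """Sources of blocked packets that hit the rule's destination/proto/port but
    fall outside its source network: traffic the rule was meant to pass and
    cannot, because the CIDR excludes it. Duplicates collapsed, order kept."""
    seen: List[ipaddress.IPv4Address] = []
    for action, src, dst, proto, dport in entries:
        if action != "block":
            continue
        if dst != rule.destination or proto != rule.proto or dport != rule.dport:
            continue
        if src not in rule.source and src not in seen:
            seen.append(src)
    return seen


def smallest_common_network(addresses) -> ipaddress.IPv4Network:
    """Smallest single prefix containing every given address: shows what source
    CIDR a rule would need in order to cover all observed sources."""
    addrs = [ipaddress.IPv4Address(a) for a in addresses]
    net = ipaddress.IPv4Network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()  # widen one bit at a time until everything fits
    return net


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    # Assumed misconfiguration: source limited to the VPN interface's own subnet.
    narrow = make_dns_rule("10.99.0.0/24")
    # Source "any", as the original mail says the rule was intended.
    any_src = make_dns_rule("0.0.0.0/0")
    print("blocked outside narrow rule:", blocked_outside_rule_source(narrow, entries))
    print("blocked outside any-source rule:", blocked_outside_rule_source(any_src, entries))
    print("prefix covering all observed sources:",
          smallest_common_network(["10.99.0.1", "10.1.0.4", "10.1.0.7"]))
```

If the second list is empty while the first is not, the rule's source CIDR is the culprit and the covering prefix tells you how wide it has to be; if the blocked VPN-client packets remain even with source "any", the CIDR is fine and the cause lies elsewhere (for instance the VPN server's own ACLs that Francisco mentions, or the client subnet being unknown to the firewall as Stefan suspects).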