 
 From:  Stefan Wiesinger <stefan at wie dash se dot net>
 To:  Francisco Artes <falcor at netassassin dot com>, "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] mono ip rules
 Date:  Sat, 08 Jan 2011 12:27:09 +0100
I've found the problem: the routing entry was configured to the wrong interface. A further layer 8
problem ;)

Thanks for your help,
regards,
stefan


On 2011-01-08 12:02, Francisco Artes wrote:
> Ok so if I am understanding your setup...
> 
> You are using two interfaces on a m0n0wall.  One is used for the 10.98.0.0/24 network, the other
> for 10.99.0.0/24.  On the 10.98 side you have a DNS server on some computer.  On the 10.99 side you
> have a VPN concentrator of some sort, and through it you get to the 10.1.0.0/24 network.  Normally,
> I would set my VPN concentrator to give addresses on the same interface as the private network.  In
> this case, it should be handing out 10.99.0.0/24 addresses to the VPN clients.  Otherwise you need
> to do static routes on the m0n0wall (think of it as a core router now) and on the VPN concentrator
> so the two networks separated by 10.99.0.0 can see one another.
> 
> So silly question, but you have put a static route on the m0n0wall that tells it that to get to
> 10.1.0.0/24 it needs to use 10.99.0.1, right?
> 
> I am assuming your traceroute is from another IP on the 10.98.0.0/24 network, as you need to ensure
> that it can get to 10.1.0.4 (or 10.1.0.1 at least if the VPN client isn't active).
> 
> You will also have to tell the VPN or whatever core router you have on 10.1.0.0/24 that
> 10.98.0.0/24 is reached via 10.99.0.0/24
> 
> Also, you aren't using the WAN port, are you?  If so, you will need to disable RFC 1918 filtering.
>
> Basically you have an extra subnet you don't need.  Using your diagram you should actually have:
> 
>>>> [MONO 10.0.0.138 PPTP Subnet Interface] --PPTPinternetConnection-- [10.0.0.140 modem/internet]
> (Not sure why you want PPTP if you have VPN... but it's not my business.)
>>>> [MONO INTERFACE = 10.98.0.254] --WIRE/SWITCH-- [10.98.0.10 DNS-Server INTERFACE]
>>>> [MONO INTERFACE = 10.99.0.254] --WIRE/SWITCH-- [10.99.0.1 INTERFACE]VPN-Server[10.1.0.1 INTERFACE] --VPNconnection-over-the-internet-- [VPN-Client 10.1.0.4]
> 
> 
> 
> VPN Client ARP Table:
> default = 10.1.0.1 (Assuming you aren't doing split-tunneling.)
> 
> VPN server Route:
> 10.99.0.0 = default of to the 10.99.0.1 interface
> 10.98.0.0 = route using 10.99.0.254 (The m0n0wall)
> 
> m0n0wall has the following:
> 10.98.0.254 - interface
> 10.99.0.254 - interface
> 10.1.0.1 = 10.99.0.1 (route via VPN server)
>
> You have a static route telling m0n0 (as it is the router) how to 
> On Jan 8, 2011, at 2:08 AM, Stefan Wiesinger wrote:
> 
>> hello.
>>
>> I've checked the CIDR and it looks OK. I've also tried a traceroute to the VPN client IP and the
>> route shows to the VPN server 10.99.0.1 (checked with traceroute).
>> The firewall rule is to allow any IP from any port to the DNS server. If I enable logging, I see
>> the accepted packets from the VPN server, but blocked packets from the subnet behind.
>>
>> my ideas:
>> -) the VPN client subnet isn't configured on m0n0wall directly, impact?
>> -) I've enabled advanced outbound NAT, impact? --> but I won't NAT anything, just routing
>>
>> regards,
>> stefan
>>
>>
>> On 2011-01-08 08:02, Francisco Artes wrote:
>>> Depends on how the VPN server is set up.  Remember it too can have a set of ACLs and may not have
>>> been told to allow UDP 53.  Sometimes, depending on the VPN server, you have to tell it to allow
>>> DNS lookup and to what DNS server.  Not knowing what it is means I am speculating, but this could
>>> well be it.
>>>
>>> Now if you are seeing:
>>> A block / Deny rule for "Source 10.1.0.4  port FOO destination 10.98.0.10 UDP 53 "
>>> Then I would double check the subnet / CIDR that you set up for the UDP rule and ensure it is the
>>> entire /24.  You might have the CIDR wrong.
>>>
>>> Hope this helps.
>>>
>>>
>>>
>>> On Jan 7, 2011, at 4:46 PM, Stefan Wiesinger wrote:
>>>
>>>> hello.
>>>>
>>>> I use mono v1.32 with the following setup. I've already searched the mailing list archive but
>>>> found no suitable answer.
>>>>
>>>> [MONO 10.0.0.138] --PPTPinternetConnection-- [10.0.0.140 modem/internet]
>>>> [MONO 10.98.0.254] --interface-- [10.98.0.10 DNS-Server (LAN)]
>>>> [MONO 10.99.0.254] --interface-- [10.99.0.1 VPN-Server 10.1.0.1] --VPNconnection-over-the-internet-- [VPN-Client 10.1.0.4]
>>>>
>>>> the vpn-clients are routed from the vpn-server to the rest of the networks.
>>>>
>>>> Now I tried to allow the VPN client to access the DNS server. I defined a firewall rule in the
>>>> IPv4 firewall rules for the interface the VPN server is on, to allow any traffic from any IP with
>>>> destination UDP 53 and IP 10.98.0.10.
>>>> When I look into the firewall rules log I see that the packets from the VPN clients are
>>>> blocked, but the packets from the VPN server itself pass -->
>>>> why? any ideas?
>>>>
>>>> The routing must be OK, otherwise I wouldn't see the dropped packets in the m0n0wall web interface.
>>>>
>>>> hope anyone can help.
>>>>
>>>> thanks in advance,
>>>> stefan wiesinger
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>>>
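The route lookups discussed in this thread, as an added example that is not part of the thread, of m0n0wall, or of either poster's setup: a small Python model of the m0n0wall routing table Francisco describes (10.1.0.0/24 reached via the VPN server 10.99.0.1) doing longest-prefix match, beside the same table with the static route bound to the wrong interface, which is what Stefan reports as the cause. The interface names LAN, OPT1 and WAN, the route entries and the addresses are taken from the diagrams or assumed here; the check only shows that with the misconfigured route the reply to 10.1.0.4 leaves on a different interface from the one the client's DNS query arrived on. The thread does not say which m0n0wall mechanism produced the logged blocks, so the filter itself is not modelled.

```python
import ipaddress

# Constructed model of the thread's topology (added example, not m0n0wall code).
# Route = (prefix, next hop or None when directly connected, egress interface).
# Interface names LAN/OPT1/WAN are assumed; addresses follow the diagrams.
GOOD_TABLE = [
    ("10.98.0.0/24", None,         "LAN"),   # m0n0wall 10.98.0.254, DNS server 10.98.0.10
    ("10.99.0.0/24", None,         "OPT1"),  # m0n0wall 10.99.0.254, VPN server 10.99.0.1
    ("10.1.0.0/24",  "10.99.0.1",  "OPT1"),  # static route: VPN clients via the VPN server
    ("0.0.0.0/0",    "10.0.0.140", "WAN"),   # default via the modem
]

# Same routes, but the static route bound to the wrong interface,
# the misconfiguration Stefan reports having found.
BAD_TABLE = [r if r[0] != "10.1.0.0/24" else (r[0], r[1], "LAN") for r in GOOD_TABLE]


def lookup(table, dst):
    """Longest-prefix match; returns (next_hop, iface) or None if no route.

    A directly connected prefix yields the destination itself as the next hop.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        return None
    _, next_hop, iface = best
    return (next_hop or str(dst), iface)


def check_flow(table, src, in_iface, dst):
    """Route a packet src->dst that arrived on in_iface, and route its reply.

    Returns the forward hop, the return hop, and whether the return path
    leaves on the interface the request arrived on (symmetric routing).
    """
    forward = lookup(table, dst)
    back = lookup(table, src)
    symmetric = back is not None and back[1] == in_iface
    return {"forward": forward, "return": back, "symmetric": symmetric}


if __name__ == "__main__":
    # DNS query from the VPN client 10.1.0.4, arriving from the VPN server on OPT1.
    for name, table in (("good", GOOD_TABLE), ("bad", BAD_TABLE)):
        print(name, check_flow(table, "10.1.0.4", "OPT1", "10.98.0.10"))
```

With the correct table the query from 10.1.0.4 arrives on OPT1 and the DNS server's reply is routed back out OPT1 to 10.99.0.1; with the route bound to LAN the reply is sent out LAN, where the next hop 10.99.0.1 does not exist, so the flow is asymmetric and never completes.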