 From:  Manuel Kasper <mk at neon1 dot net>
 To:  n2nov at n2nov dot net
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IP Encap Problems
 Date:  Sat, 8 Jan 2011 20:45:11 +0100
On 05.01.2011, at 17:34, Charles Hargrove wrote:

> I have a remote site that I link to that is a gateway for the 44/8
> network.  Members of this network are using IPIP encap to route their
> packets to/from their home stations.  I have set up a NAT and IPv4 rule to
> allow all packets from the gateway address and the 44/8 network.  I did
> this because I did not see IP encap (or any possible flavor of it) in the
> protocol list for either NAT or firewall rules.  Does anybody have an idea
> why this is not working?

I assume you're referring to IP encapsulation according to RFC 2003 (with IP protocol number 4 in
the outer IP header). m0n0wall does not support this kind of tunnel (nor GRE tunnels, for that
matter) - only IPsec with IKE.

If you intend to use a separate device/router behind your m0n0wall to decapsulate the IP-encap
packets, you need a 1:1 NAT rule and a separate public WAN IP address to terminate the tunnel, as
m0n0wall does not allow for "inbound NAT" rules on arbitrary (i.e. non-TCP/UDP) IP protocols.

> Also, I am not getting RIP broadcasts from the
> gateway address on my port 520.  Thanks in advance.

m0n0wall does not support any dynamic routing protocols, but I assume this would be run inside the
tunnel (with a RIP daemon running on the device that terminates the IP-encap tunnel on your end), in
which case it should work once you have the 1:1 NAT properly set up.

- Manuel
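
The following is an added example, not part of the original message and not m0n0wall code. It parses a constructed RFC 2003 packet to show why a port-based inbound NAT rule has nothing to match on the outer header (protocol 4, no ports), while the RIP traffic on UDP 520 only becomes visible to the device that decapsulates the tunnel. All addresses and helper names are assumptions made for illustration.

```python
import socket
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP = 4, 6, 17  # IANA protocol numbers

def build_ipv4(src, dst, proto, payload):
    """20-byte IPv4 header (no options; checksum left 0, not verified here) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) after basic length/version checks."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total < ihl or total > len(pkt):
        raise ValueError("bad IPv4 header or truncated packet")
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[ihl:total])

def ports(proto, payload):
    """Source/destination ports exist only for TCP and UDP payloads."""
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(payload) >= 4:
        return struct.unpack("!HH", payload[:4])
    return None

def describe(pkt):
    """What a port-based rule can match on the outer header vs. what is inside."""
    src, dst, proto, payload = parse_ipv4(pkt)
    view = {"outer": (src, dst, proto), "outer_ports": ports(proto, payload), "inner": None}
    if proto == IPPROTO_IPIP:  # RFC 2003: payload is a complete inner IPv4 packet
        isrc, idst, iproto, ipayload = parse_ipv4(payload)
        view["inner"] = {"src": isrc, "dst": idst, "proto": iproto,
                         "ports": ports(iproto, ipayload)}
    return view

# Constructed sample: RIPv2 response (UDP 520) from a 44/8 host, inside an IP-in-IP packet
rip = b"\x02\x02\x00\x00"  # command=response, version=2, two zero bytes
udp = struct.pack("!HHHH", 520, 520, 8 + len(rip), 0) + rip
INNER = build_ipv4("44.0.0.1", "44.1.2.3", IPPROTO_UDP, udp)
TUNNELED = build_ipv4("192.0.2.1", "198.51.100.7", IPPROTO_IPIP, INNER)

if __name__ == "__main__":
    print(describe(TUNNELED))
```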