[ previous ] [ next ] [ threads ]
 From:  Christiaens Joachim <jchristi at oce dot be>
 To:  =?iso-8859-1?Q?=27Michael_=D8stergaard_Pedersen=27?= <michael at bytopia dot dk>, m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Problem with static routes
 Date:  Sat, 15 May 2004 16:50:24 +0200
> -----Original Message-----
> From: Michael Østergaard Pedersen [mailto:michael at bytopia dot dk]
> Sent: zaterdag 15 mei 2004 13:27
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] Problem with static routes
> I have a strange problem with m0n0wall and static routes. My 
> network looks
> like this:
>     Default GW
>         |
>        WAN
>         |
>     +--------+
>     |m0n0wall|---DMZ
>     +--------+
>         |
>        LAN---- ..-
> My LAN subnet is and the .254 machine is a 
> router that can 
> reach the network via some MPLS network.
> I have added a static route to the LAN interface on the 
> m0n0wall to reach 
> the network via
> When I try to reach from my LAN using the m0n0wall 
> as a default 
> gateway strange things happen. If I ping from LAN 
> I get a reply 
> and I can see that ICMP redirects are being sent to tell me that 
> is a more direct route to that host. This is 
> fine. If I try to 
> SSH to that host I am prompted for a password. If I enter the 
> password 
> correctly the connection hangs. When I check the logs on the 
> m0n0wall I see 
> the following:
> 22:29:23.387117 dc0 @0:68 b,40452 -> 
>,22 PR tcp len
> 20 64 -A IN
> 22:29:23.349785 dc0 @0:68 b,40452 -> 
>,22 PR tcp len
> 20 436 -AP IN
> Does this mean that this traffic is being dropped by the m0n0wall? It
> doesn't make sense to me since dc0 is my LAN interface and I 
> have a rule to
> permit all traffic coming in on the LAN interface.
> Also since I do get the password prompt from SSH some packets 
> do in fact get 
> through. Perhaps only the first one or two?
> Any help is appreciated. I can post more info if you need it.

Hi Michael,

this problem is due to the non-symmetric route the packets are following
(well, at leastI think it is). Not all protocols are so happy about that, or
m0n0wall could get confused about states and start blocking packets
(somebody please correct me if I'm wrong).

In fact, all your hosts on the LAN network should have a static route to
that network, or you should put your router on a separate
interface of the m0n0.


Océ enables its customers to manage their documents efficiently and
effectively by offering innovative print and document management products
and services for professional environments.

This e-mail message and any attachment are intended for the sole use of the
recipient(s) named above and may contain information which is confidential
and/or protected by intellectual property rights.
Any use of the information contained herein (including, but not limited to,
total or partial reproduction, communication or distribution in any form) by
other persons than the designated recipient(s) is prohibited.

If you have received this e-mail in error, please notify the sender either
by telephone (0032-2-729.48.11) or by e-mail and delete the material from
any computer.
Oce-Belgium/Oce-Interservices is nor responsible for the correct and
complete transfer of the contents of the sent e-mail, neither for the
receipt on due time.  This e-mail message does not bring about a contractual
obligation for Oce-Belgium/Oce-Interservices.

Thank you for your cooperation.

For further information about Oce-Belgium/Oce-Interservices please see our
website at www.oce.be