Gidday everyone - I've removed m0n0wall as the firewall and returned to using Linux. I have not given up, but having made no real progress I had to back out to a working system. The hardware is now out, so I can do some more testing without damaging my net connection.

-----Original Message-----
From: C. Falconer [mailto:cfalconer at avonside dot school dot nz]
Sent: Wednesday, 26 May 2004 4:41 p.m.
To: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Documenting problem RE: [m0n0wall] m0n0wall NAT weirdness (It shouldn't be doing this!)

Right - I've updated my problem description at http://staff.avonside.school.nz/cf/m0n0wall/

I can see traffic to the inside machine, so m0n0wall is NATting stuff correctly. However the client gets nothing back.

Try

  telnet criggie.dyndns.org 113

and it never actually connects. Where does the problem lie?

-----Original Message-----
From: C. Falconer [mailto:cfalconer at avonside dot school dot nz]
Sent: Wednesday, 26 May 2004 12:44 p.m.
To: 'Adam Nellemann'
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Documenting problem RE: [m0n0wall] m0n0wall NAT weirdness (It shouldn't be doing this!)

Adam - you gave some great advice, thanks. I added the Outbound NAT rule as suggested, which didn't help at all. DynDNS is nothing to do with the problem, because I have a static IP; they simply resolve criggie.dyndns.org to 202.0.42.116. I'd also forgotten to clear out the old iptables rulesets on the internal server, which didn't help. Your suggestion of tcpdump helped - it showed that m0n0wall was indeed sending stuff to the internal machine.

So from work, I try to get my home web page, and tcpdump shows this:

12:41:15.172461 smtp.avonside.school.nz.2110 > caffeine.criggie.dyndns.org.www: S 2844394660:2844394660(0) win 5840 <mss 1460,sackOK,timestamp 966184880 0,nop,wscale 0> (DF) [tos 0x10]
12:41:18.165858 smtp.avonside.school.nz.2110 > caffeine.criggie.dyndns.org.www: S 2844394660:2844394660(0) win 5840 <mss 1460,sackOK,timestamp 966185180 0,nop,wscale 0> (DF) [tos 0x10]

However there's still no response... Does that provide any more clues? I now have a rule allowing ICMP, so I can ping the home IP from work.

-----Original Message-----
From: Adam Nellemann [mailto:adam at nellemann dot nu]
Sent: Wednesday, 26 May 2004 11:27 a.m.
To: C. Falconer
Subject: Re: [m0n0wall] Documenting problem RE: [m0n0wall] m0n0wall NAT weirdness (It shouldn't be doing this!)

> I think I do - all the internal machines can access the world fine,
> whether it be irc/icq/web pages/pop3

Hmm, sounds like you do. Easy to check though, you should have something like this on the "Outbound NAT" page:

Interface: WAN
Source: [webserver's local IP or subnet]
Destination: Any [*]
Target: Empty [*]
----------

...

Assuming that you know your DynDNS setup to work, or better yet have tried accessing the webserver by the external IP, it couldn't be DynDNS related.

Have you tried setting up another service (telnet say), perhaps even on another local IP, to make sure it isn't a problem with your webserver software? Could it, for instance, be that the webserver needs to use its external IP or something like that? Seeing as it works from the LAN, which it would if it somehow used its local IP in its HTTP responses or some such?!? I know this is a problem for another m0n0wall user, his VoIP hardware using its DHCP-assigned local IP instead of his external WAN IP!

Other than that, I can only suggest you try starting with a "fresh" m0n0wall, and try configuring it from scratch, so as to make sure you have to go through every setting, taking care to check that all your entries are correct and otherwise "make sense". (But I realize this is a rather desperate "when-all-else-fails" measure, unlikely to produce any improvement.)

For good measure, here's how I (guess I) would configure m0n0wall for a webserver (which I hasten to add I have never tried), mainly to make sure I have understood your situation correctly:

= = =

For a webserver I would need to allow traffic both to and from the server on the WAN, so I need firewall rules for both directions, and NAT for both directions, remembering that inbound NAT comes before firewall rules and outbound (as far as I know?) NAT comes after:

Firewall rules:
PASS on WAN source ANY port ANY, destination [webserver local IP] port 80.
PASS on LAN source [webserver local IP or subnet] port 80 (or ANY?), destination ANY port ANY.

Outbound NAT: ("Enable advanced outbound NAT" checked!)
Interface WAN, Source [webserver local IP or subnet], Destination ANY, Target [blank].

Inbound NAT:
Interface WAN, Ext. Adr. [Interface Address], Protocol TCP, Ext. port rng. 80-[blank], NAT IP [webserver local IP], local port 80.

Webserver settings:
- Software may need to "know" (use) its external IP for some things?
- Must use m0n0wall as default gateway (I guess?)
- Dunno much about webserver configuration really?!? *blush*

= = =

I hasten to add the above was done purely in my head, and as such will be very prone to errors of all kinds! I hope (but don't really believe) some of this will be of help?

Btw. Please give m0n0wall another chance, I'm pretty sure it will turn out to be something trivial, or something not to do with m0n0wall. I wouldn't want to see you having to drop m0n0wall, it really is a great piece of software.

Greets,

Adam.
---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
---------------------------------------------------------------------
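The two tcpdump lines quoted in the thread show the forwarded SYN reaching the internal server twice with no SYN-ACK in reply, which is exactly the symptom Adam's "must use m0n0wall as default gateway" and the stale iptables rules would produce: the server receives the packet, but its answer leaves by another path or is dropped on the host. As an added example (not code from anyone in this thread), the Python script below parses classic tcpdump TCP lines of the format shown, groups them by client-to-server flow, and flags flows where SYNs arrive and are retransmitted but no SYN-ACK is ever seen; the embedded capture is the thread's two lines plus a constructed healthy handshake from an invented host, client.example.net, for comparison.

```python
import re
from collections import defaultdict

# Constructed sample: the two SYNs quoted in the thread, plus an invented
# healthy handshake from client.example.net so there is a good flow to compare.
SAMPLE_TCPDUMP = """\
12:41:15.172461 smtp.avonside.school.nz.2110 > caffeine.criggie.dyndns.org.www: S 2844394660:2844394660(0) win 5840 <mss 1460,sackOK,timestamp 966184880 0,nop,wscale 0> (DF) [tos 0x10]
12:41:18.165858 smtp.avonside.school.nz.2110 > caffeine.criggie.dyndns.org.www: S 2844394660:2844394660(0) win 5840 <mss 1460,sackOK,timestamp 966185180 0,nop,wscale 0> (DF) [tos 0x10]
12:42:01.000000 client.example.net.2200 > caffeine.criggie.dyndns.org.www: S 100:100(0) win 5840 <mss 1460> (DF)
12:42:01.000500 caffeine.criggie.dyndns.org.www > client.example.net.2200: S 200:200(0) ack 101 win 5792 <mss 1460> (DF)
"""

# Classic tcpdump TCP line: <time> <src>.<port> > <dst>.<port>: <flags> <seq> [ack N] win ...
# Host names contain dots, so the port is taken as the last dotted component.
LINE_RE = re.compile(r"^(\S+) (\S+)\.(\S+) > (\S+)\.([^\s:]+): (\S+) ?(.*)$")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, shost, sport, dhost, dport, flags, rest = m.groups()
    return {"ts": ts, "src": (shost, sport), "dst": (dhost, dport),
            "syn": "S" in flags,
            # "ack" as a whole token only; "sackOK" in the options is not an ACK
            "ack": "ack" in rest.split()}

def classify_flows(dump_text):
    """Map each client->server flow to a verdict on its TCP handshake."""
    syns = defaultdict(int)   # client->server: number of bare SYNs seen
    answered = set()          # client->server flows that got a SYN-ACK back
    for line in dump_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or not pkt["syn"]:
            continue
        if pkt["ack"]:
            answered.add((pkt["dst"], pkt["src"]))   # reply: key it client->server
        else:
            syns[(pkt["src"], pkt["dst"])] += 1
    verdicts = {}
    for flow, n in syns.items():
        if flow in answered:
            verdicts[flow] = "handshake ok"
        elif n > 1:
            verdicts[flow] = ("%d SYNs, no SYN-ACK on this interface: the server got the forwarded "
                              "SYN but its reply is not coming back this way; check the server's "
                              "default gateway and host firewall" % n)
        else:
            verdicts[flow] = "single SYN, no SYN-ACK yet"
    return verdicts
```

Run `classify_flows(SAMPLE_TCPDUMP)` on the capture taken on the internal server; if the same SYN keeps arriving with no SYN-ACK, the forwarding side of m0n0wall is already working and the fault is on the return path.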