 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Help passing traffic from LAN to OPT1
 Date:  Wed, 30 Jun 2004 15:31:40 -0700 (PDT)
On Tue, 29 Jun 2004, Joe Lagreca wrote:

> My m0n0wall is the default gateway and router for all of my networks,

Including the AP?

> so I guess that means I can remove the static route I created to get
> from LAN to OPT1.  It sounds like in my case no static route is
> needed.

That's what I would expect.

> I think I have my setup as a basic NAT between my LAN and WAN.  I then
> added another NIC, and ran into this mess.  How should I have my
> routing setup between all three interfaces?

The likely problems are:

1) Routing.  Make sure every machine on network A (or initially, the one
you're testing with) has the m0n0wall as the route to network B (being the
default gateway is good enough unless overridden by something more specific
that matches the destination).  This needs to be true for both A->B and
B->A cases.

2) Firewall.  Make sure your config is allowing ICMP (at least) between
LAN and OPT1.  Theoretically you only need to allow the "request"
direction and the stateful filter should pass the reply, but for this kind
of testing you probably want it to work both ways, anyway.  Besides, in
most cases blocking ICMP is excessively paranoid.

3) NAT.  You probably don't want NAT between LAN and DMZ, and even if you
had it it *shouldn't* keep pings from working, but it's something to be
aware of.

If the two machines used for testing can run tcpdump, then you can
actually trace the packets to see where they make it and with what
addresses.

> > I just added another NIC to my m0n0wall to create a DMZ for my wireless
> > network.  Here is a quick rundown of my network:
> > 
> > LAN:  192.168.0.1
> > OPT1: 192.168.5.1
> > 
> > I can ping OPT1 interface from LAN, but not 192.168.5.5, which is the
> > address of my AP.  I can ping the AP from the m0n0wall.

Well, you're not really "pinging the OPT1 interface" from the LAN - you're
simply pinging the m0n0wall at one of its IP addresses that happens to be
derived from the OPT1 interface.  But I doubt that the interface is the
problem, anyway.

					Fred Wright
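Added example (not part of the thread, not m0n0wall code): a small longest-prefix-match route selector that checks step 1 of Fred's list, that both A->B and B->A traffic leave the test hosts via one of the m0n0wall's addresses, and shows how a more specific leftover static route overrides the default gateway. The route tables, host addresses and the stale route pointing at 192.168.0.50 are constructed assumptions; the m0n0wall addresses 192.168.0.1 and 192.168.5.1 come from the thread.

```python
import ipaddress
from typing import List, Optional, Tuple

# Route table entries: (destination prefix, next hop). A next hop of None
# means the prefix is directly attached, so no gateway is used.
Route = Tuple[str, Optional[str]]

# Constructed tables for the two test hosts (assumptions, not data from the
# original post): the m0n0wall is 192.168.0.1 on LAN and 192.168.5.1 on
# OPT1, and each host simply uses it as default gateway.
LAN_HOST_ROUTES: List[Route] = [
    ("192.168.0.0/24", None),          # directly attached LAN
    ("0.0.0.0/0", "192.168.0.1"),      # default via the m0n0wall
]
AP_ROUTES: List[Route] = [
    ("192.168.5.0/24", None),          # directly attached OPT1 / DMZ
    ("0.0.0.0/0", "192.168.5.1"),      # default via the m0n0wall
]
# Hypothetical leftover static route on the LAN host: more specific than the
# default and pointing at the wrong gateway.  This is the "unless overridden
# by something more specific that matches the destination" case.
LAN_HOST_STALE_ROUTES: List[Route] = LAN_HOST_ROUTES + [
    ("192.168.5.0/24", "192.168.0.50"),
]
M0N0WALL_ADDRS = {"192.168.0.1", "192.168.5.1"}


def select_route(routes: List[Route], dst: str):
    """Longest-prefix match: of all prefixes containing dst, the longest wins.

    Returns (network, next_hop) or None when nothing matches (no default).
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best


def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """Gateway the host would hand dst to; None if directly attached or unroutable."""
    match = select_route(routes, dst)
    return None if match is None else match[1]


def forwards_via_router(routes: List[Route], dst: str, router_addrs) -> bool:
    """True when traffic for dst leaves this host via one of the router's addresses."""
    return next_hop(routes, dst) in router_addrs


def check_both_ways(a_routes: List[Route], a_addr: str,
                    b_routes: List[Route], b_addr: str,
                    router_addrs) -> Tuple[bool, bool]:
    """Step 1 of the checklist: A->B and B->A must both pass through the router."""
    return (forwards_via_router(a_routes, b_addr, router_addrs),
            forwards_via_router(b_routes, a_addr, router_addrs))


if __name__ == "__main__":
    lan_host, ap = "192.168.0.20", "192.168.5.5"
    for label, routes in (("clean LAN host", LAN_HOST_ROUTES),
                          ("LAN host with stale route", LAN_HOST_STALE_ROUTES)):
        a_to_b, b_to_a = check_both_ways(routes, lan_host, AP_ROUTES, ap, M0N0WALL_ADDRS)
        print(f"{label}: LAN->AP via m0n0wall={a_to_b}, AP->LAN via m0n0wall={b_to_a}, "
              f"LAN host next hop for {ap} = {next_hop(routes, ap)}")
```

To apply this to a real host, copy its table from `netstat -rn` (or the equivalent on the AP) into the list above; a second entry for 192.168.5.0/24 that beats the default is exactly what the stale static route mentioned earlier in the thread would look like.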