[ previous ] [ next ] [ threads ]
 
 From:  "Dan O'Brien" <score underscore it at hotmail dot com>
 To:  fw at well dot com, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Help passing traffic from LAN to OPT1
 Date:  Sat, 03 Jul 2004 19:36:17 -0400
I am having similar problems to this. I have a web server attached to 
monowall on it's own NIC, but if i don't have the 'opt1' interface binded to 
the 'LAN' interface i can't see, ping, tracert, etc between the two 
networks. Anything on the LAN interface works fine, i can get out to the 
internet and vice versa, but from the 'OPT1' network i can do nothing.
I set up firewall and NAT rules to duplicate the LAN rules on OPT1 and it 
still doesn't work. Any suggestions. I have been following this thread very 
closely and everything that has been suggested hasn't worked for me

Thanks,
Dan OBrien


&gt;From: Fred Wright &lt;fw at well dot com&gt;
&gt;Reply-To: Fred Wright &lt;fw at well dot com&gt;
&gt;To: m0n0wall at lists dot m0n0 dot ch
&gt;Subject: Re: [m0n0wall] Help passing traffic from LAN to OPT1
&gt;Date: Sat, 3 Jul 2004 15:44:50 -0700 (PDT)
&gt;
&gt;
&gt;On Wed, 30 Jun 2004, Joe Lagreca wrote:
&gt;
&gt; &gt; I deleted the route I had from LAN 192.168.0.0 to OPT1 192.168.5.0 
and
&gt; &gt; now the m0n0wall can't seem to ping anything on OPT1 (192.168.5.1 
or
&gt; &gt; .5).
&gt;
&gt;I presume you meant you deleted it in the m0n0wall config, but since 
this
&gt;test involves at least three machines, it's best to be more explicit.
&gt;
&gt; &gt; Ping output:
&gt; &gt;
&gt; &gt; PING 192.168.5.1 (192.168.5.1): 56 data bytes
&gt; &gt;
&gt; &gt; --- 192.168.5.1 ping statistics ---
&gt; &gt; 3 packets transmitted, 0 packets received, 100% packet loss
&gt; &gt;
&gt; &gt; When I do a traceroute from 192.168.0.40 to 192.168.5.5 this is 
what I get:
&gt; &gt;
&gt; &gt; C:\Documents and Settings\Joe&gt;tracert 192.168.5.5
&gt; &gt;
&gt; &gt; Tracing route to 192.168.5.5 over a maximum of 30 hops
&gt; &gt;
&gt; &gt;   1    &lt;1 ms    &lt;1 ms    &lt;1 ms  
firewall.humboldt.no-ip.com [192.168.0.1]
&gt; &gt;   2    11 ms     6 ms     8 ms  10.7.108.1
&gt; &gt;   3    10 ms     7 ms     7 ms  68.6.10.154
&gt; &gt;   4     *        *        *     Request timed out.
&gt; &gt;   5     *        *        *     Request timed out.
&gt;
&gt;This is consistent with the m0n0wall's not having a route to 
192.168.5.5.
&gt;
&gt;When you configured the OPT1 interface, you didn't by any chance accept
&gt;the default (and technically illegal) /31 netmask, did you?  That would
&gt;definitely cause this kind of trouble.  In your setup you probably want
&gt;/24, which, among other things, tells the m0n0wall that 192.168.5.*
&gt;addresses are directly reachable on that interface.
&gt;
&gt;To check m0n0wall's routing table, do &quot;netstat -rn&quot; via 
exec.php.
&gt;
&gt;There are a couple of things to be aware of with traceroute:
&gt;
&gt;1) Even with correct routing, you may see &quot;holes&quot; if the 
machine in
&gt;question doesn't return proper ICMP errors.  In particular, if the 
target
&gt;machine doesn't, then the traceroute will appear to be &quot;dead 
forever&quot; at
&gt;and beyond that machine.
&gt;
&gt;2) NATted traceroute is broken in m0n0wall 1.1b14, due to its screwing 
up
&gt;the ICMP checksums in NAT processing.  This worked properly in 1.0, so I
&gt;suspect it relates to the ICMP checksum &quot;fixes&quot; in IPFilter 
between 3.4.31
&gt;and 3.4.32, but haven't identified the exact bug yet.
&gt;
&gt; &gt; This probably has something to do with NAT, because it should just 
got
&gt; &gt; from LAN to OPT1 without having to go out to the internet.  
However I
&gt; &gt; dont know what to change in my NAT to correct this.
&gt;
&gt;In the quick check I just did, it appears that by default the OPT1
&gt;interface is regarded as &quot;LAN-like&quot; for NAT purposes, so NAT 
shouldn't be
&gt;applied between LAN and OPT1.  To verify this, do &quot;ipnat -l&quot; 
in exec.php
&gt;and see what interface(s) has/have NAT applied.
&gt;
&gt; &gt; Under NAT I have a bunch of inbound WAN ports pointing to devices 
on
&gt; &gt; my LAN.  Server Nat, 1:1, and Outbound all have nothing in them.
&gt;
&gt;I presume this includes not enabling &quot;Advanced Outbound NAT&quot;.
&gt;
&gt;					Fred Wright
&gt;
&gt;
&gt;---------------------------------------------------------------------
&gt;To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
&gt;For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
&gt;