I am having similar problems to this. I have a web server attached to
m0n0wall on its own NIC, but if I don't have the 'opt1' interface bound to
the 'LAN' interface I can't see, ping, tracert, etc. between the two
networks. Anything on the LAN interface works fine; I can get out to the
internet and vice versa, but from the 'OPT1' network I can do nothing.
I set up firewall and NAT rules to duplicate the LAN rules on OPT1 and it
still doesn't work. Any suggestions? I have been following this thread very
closely and everything that has been suggested hasn't worked for me.
>From: Fred Wright <fw at well dot com>
>Reply-To: Fred Wright <fw at well dot com>
>To: m0n0wall at lists dot m0n0 dot ch
>Subject: Re: [m0n0wall] Help passing traffic from LAN to OPT1
>Date: Sat, 3 Jul 2004 15:44:50 -0700 (PDT)
>On Wed, 30 Jun 2004, Joe Lagreca wrote:
> > I deleted the route I had from LAN 192.168.0.0 to OPT1 192.168.5.0
> > now the m0n0wall can't seem to ping anything on OPT1 (192.168.5.1
> > .5).
>I presume you meant you deleted it in the m0n0wall config, but since
>test involves at least three machines, it's best to be more explicit.
> > Ping output:
> > PING 192.168.5.1 (192.168.5.1): 56 data bytes
> > --- 192.168.5.1 ping statistics ---
> > 3 packets transmitted, 0 packets received, 100% packet loss
> > When I do a traceroute from 192.168.0.40 to 192.168.5.5 this is
> > what I get:
> > C:\Documents and Settings\Joe>tracert 192.168.5.5
> > Tracing route to 192.168.5.5 over a maximum of 30 hops
> > 1 <1 ms <1 ms <1 ms
> > 2 11 ms 6 ms 8 ms 10.7.108.1
> > 3 10 ms 7 ms 7 ms 22.214.171.124
> > 4 * * * Request timed out.
> > 5 * * * Request timed out.
>This is consistent with the m0n0wall's not having a route to
>When you configured the OPT1 interface, you didn't by any chance accept
>the default (and technically illegal) /31 netmask, did you? That would
>definitely cause this kind of trouble. In your setup you probably want
>/24, which, among other things, tells the m0n0wall that 192.168.5.*
>addresses are directly reachable on that interface.
>To check m0n0wall's routing table, do "netstat -rn" via
>There are a couple of things to be aware of with traceroute:
>1) Even with correct routing, you may see "holes" if the
>question doesn't return proper ICMP errors. In particular, if the
>machine doesn't, then the traceroute will appear to be "dead
>and beyond that machine.
>2) NATted traceroute is broken in m0n0wall 1.1b14, due to its screwing
>the ICMP checksums in NAT processing. This worked properly in 1.0, so I
>suspect it relates to the ICMP checksum "fixes" in IPFilter
>and 3.4.32, but haven't identified the exact bug yet.
> > This probably has something to do with NAT, because it should just
> > from LAN to OPT1 without having to go out to the internet.
> > don't know what to change in my NAT to correct this.
>In the quick check I just did, it appears that by default the OPT1
>interface is regarded as "LAN-like" for NAT purposes, so NAT
>applied between LAN and OPT1. To verify this, do "ipnat -l"
>and see what interface(s) has/have NAT applied.
> > Under NAT I have a bunch of inbound WAN ports pointing to devices
> > my LAN. Server Nat, 1:1, and Outbound all have nothing in them.
>I presume this includes not enabling "Advanced Outbound NAT".
> Fred Wright
>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
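Fred's quoted diagnosis rests on two checks: a /31 on OPT1 leaves 192.168.5.5 outside the directly connected network, and "netstat -rn" on the m0n0wall shows which route a destination really takes. The following added example (my own code, not from this thread or from m0n0wall) parses constructed FreeBSD-style netstat -rn output and does the longest-prefix lookup for 192.168.5.5 under both masks. Interface names xl0/xl1/xl2 and the 10.7.108.0/22 WAN subnet are assumptions; only the gateway 10.7.108.1 comes from the poster's tracert.

```python
import ipaddress

# Constructed FreeBSD-style "netstat -rn" Internet section for a m0n0wall with
# OPT1 = 192.168.5.1 on xl2. Interface names and the 10.7.108.0/22 WAN subnet
# are assumptions; 10.7.108.1 is the first hop seen in the poster's tracert.
NETSTAT_OPT1_SLASH31 = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.7.108.1         UGSc        0        0   xl0
10.7.108/22        link#1             UC          0        0   xl0
127.0.0.1          127.0.0.1          UH          0        0   lo0
192.168.0/24       link#2             UC          0        0   xl1
192.168.5.0/31     link#3             UC          0        0   xl2
"""
# Same box after correcting the OPT1 mask to /24.
NETSTAT_OPT1_SLASH24 = NETSTAT_OPT1_SLASH31.replace("192.168.5.0/31", "192.168.5/24")

def parse_dest(dest):
    """Expand netstat's abbreviated destinations ("default", "192.168.0/24")."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))  # netstat drops trailing zero octets
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"), strict=False)

def parse_routes(text):
    """Return (network, gateway, flags, netif) tuples, skipping the header line."""
    routes = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4:
            routes.append((parse_dest(fields[0]), fields[1], fields[2], fields[-1]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; a route without the G flag is directly connected."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    net, gw, flags, netif = max(candidates, key=lambda r: r[0].prefixlen)
    direct = "G" not in flags
    return {"network": str(net), "netif": netif,
            "gateway": None if direct else gw, "direct": direct}

if __name__ == "__main__":
    # With /31 the host goes to the WAN default gateway; with /24 it is on-link via xl2.
    for label, table in (("/31", NETSTAT_OPT1_SLASH31), ("/24", NETSTAT_OPT1_SLASH24)):
        print(label, lookup(parse_routes(table), "192.168.5.5"))
```

The /31 result matches the poster's tracert: the packet leaves via the default route to 10.7.108.1 instead of staying on OPT1.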