 
 From:  Joe Lagreca <lagreca at gmail dot com>
 To:  Fred Wright <fw at well dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Help passing traffic from LAN to OPT1
 Date:  Thu, 8 Jul 2004 23:22:13 -0700
I'm sorry, I must be completely dense because I just can't figure this
out, and it seems like it should be very simple.

Maybe if I start over and explain things from the beginning it may help.

My network is like this:
LAN 192.168.0.0/24
WAN DHCP from cox.net
OPT1 192.168.5.0/24

The LAN card plugs into a switch/hub which all of my home computers
plug into to share my internet connection.  The WAN card connects to
my cable modem.  The OPT1 connects directly to switch/hub on my
Siemens wireless access point (the link light is lit on both the card
and the AP).

My thinking was that I would separate all of my wireless users from my
personal LAN.  That way my neighbors or anyone passing by can get
online, but not access any of my personal machines.

However, I want my LAN to be able to access everything on the wireless
network, or OPT1 port.  This will allow me to configure the AP from
the LAN and possibly connect to a wireless user.

This is the root of the problem.  The AP has the address 192.168.5.5
and I cannot ping it from 192.168.0.40 on my LAN.

However I can ping everything from the m0n0wall itself.  Here is the
ping output from the m0n0 to various IP's:

PING 192.168.0.1 (192.168.0.1): 56 data bytes
64 bytes from 192.168.0.1: icmp_seq=0 ttl=64 time=0.458 ms
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.218 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.199 ms

--- 192.168.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.199/0.292/0.458/0.118 ms

PING 192.168.0.40 (192.168.0.40): 56 data bytes
64 bytes from 192.168.0.40: icmp_seq=0 ttl=128 time=0.651 ms
64 bytes from 192.168.0.40: icmp_seq=1 ttl=128 time=0.475 ms
64 bytes from 192.168.0.40: icmp_seq=2 ttl=128 time=0.443 ms

--- 192.168.0.40 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.443/0.523/0.651/0.091 ms

PING 192.168.5.1 (192.168.5.1): 56 data bytes
64 bytes from 192.168.5.1: icmp_seq=0 ttl=64 time=0.356 ms
64 bytes from 192.168.5.1: icmp_seq=1 ttl=64 time=0.206 ms
64 bytes from 192.168.5.1: icmp_seq=2 ttl=64 time=0.209 ms

--- 192.168.5.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.206/0.257/0.356/0.070 ms

PING 192.168.5.5 (192.168.5.5): 56 data bytes
64 bytes from 192.168.5.5: icmp_seq=0 ttl=64 time=1.837 ms
64 bytes from 192.168.5.5: icmp_seq=1 ttl=64 time=1.844 ms
64 bytes from 192.168.5.5: icmp_seq=2 ttl=64 time=1.640 ms

--- 192.168.5.5 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.640/1.774/1.844/0.095 ms

I have also added a static route from my LAN to the OPT1 network:
Interface Network            Gateway
LAN       192.168.5.0/24  192.168.5.1

I have also created two rules under the OPT1 section of the Rules section:
Proto  Source    Port  Destination  Port  Description
*      LAN net   *     OPT1 net     *     Allow LAN access to OPT1
*      OPT1 net  *     *            *     Default OPT1 -> any

The first is to allow packets from my LAN to pass onto OPT1.  The
second rule is to allow packets from OPT1 to pass to anywhere,
thinking this would allow packets to the LAN or WAN.

Fred, I know you told me before I didn't need a static route between
LAN and OPT1, but when I remove it, the m0n0 can't seem to ping OPT1.

Is it really this complicated to pass traffic between two interfaces? 
It was simple between LAN and WAN.  But since I added the OPT1 I can't
for the life of me figure it out.

Please keep in mind I'm not very savvy at networking, just taking a
shot in the dark with m0n0wall.  Any or all of what I have done could
be wrong.

Thank you all for your help!

Joe

On Sat, 3 Jul 2004 17:42:29 -0700 (PDT), Fred Wright <fw at well dot com> wrote:
> 
> On Sat, 3 Jul 2004, Dan O'Brien wrote:
> 
> > I am having similar problems to this. I have a web server attached to
> > monowall on its own NIC, but if I don't have the 'opt1' interface bound to
> > the 'LAN' interface I can't see, ping, tracert, etc. between the two
> > networks. Anything on the LAN interface works fine, I can get out to the
> > internet and vice versa, but from the 'OPT1' network I can do nothing.
> > I set up firewall and NAT rules to duplicate the LAN rules on OPT1 and it
> > still doesn't work. Any suggestions? I have been following this thread very
> > closely and everything that has been suggested hasn't worked for me.
> 
> You'll need to be more specific about the config, but you also need to
> check things in stages.  If the interface is configured correctly, you
> should be able to ping the webserver from the m0n0wall itself.  If that
> doesn't work, see my note about the netmask.
> 
> Once that works, it won't make the webserver accessible from anywhere else
> unless you do one of two things:
> 
> 1) Configure the webserver to have the m0n0wall as the route to "anywhere
> of interest", which in this configuration almost certainly means making
> the m0n0wall its default gateway.
> 
> 2) Enable NAT on the OPT1 interface.  But beware that this requires
> enabling "Advanced Outbound NAT", which is *instead of* the default NAT
> setup rather than *in addition to*, so you'll need to add at least one NAT
> rule to restore outbound NAT on the WAN.
> 
> I suspect #1 is what you want.
> 
>                                        Fred Wright
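Added example, not part of the thread and not m0n0wall's own code: a small Python model of the two things that decide whether Joe's ping from 192.168.0.40 reaches 192.168.5.5 and gets an answer. It encodes how m0n0wall applies rules (the tab of the interface a packet enters, first match wins, unmatched packets dropped, replies allowed by state), a longest-prefix route lookup for the firewall and for the AP, and the rule set Joe posted plus m0n0wall's default "LAN net -> any" LAN rule. The LAN and OPT1 addresses are the ones from the post; the WAN address (the post only says DHCP) and the AP's routing table are constructed assumptions.

```python
import ipaddress

# Constructed model of the setup in this thread. The LAN/OPT1 addresses are the
# ones from the post; the WAN address (post only says "DHCP") and the AP's own
# routing table are assumptions made for illustration.
FW_IFACES = {
    "LAN":  ipaddress.ip_interface("192.168.0.1/24"),
    "OPT1": ipaddress.ip_interface("192.168.5.1/24"),
    "WAN":  ipaddress.ip_interface("203.0.113.10/24"),  # assumed
}

# m0n0wall consults the rule tab of the interface a packet ENTERS, first match
# wins, and an unmatched packet is dropped. Replies ride on the state table.
# The LAN tab holds m0n0wall's default "LAN net -> any" rule; the OPT1 tab
# holds the two rules Joe posted. Entries are (source alias, destination alias).
RULES = {
    "LAN":  [("LAN net", "any")],
    "OPT1": [("LAN net", "OPT1 net"), ("OPT1 net", "any")],
    "WAN":  [],
}


def ingress_iface(src):
    """Interface a packet with this source legitimately arrives on."""
    src = ipaddress.ip_address(src)
    for name, iface in FW_IFACES.items():
        if src in iface.network:
            return name
    return "WAN"


def alias_contains(alias, ip):
    """Resolve 'LAN net' / 'OPT1 net' / 'any' against an address."""
    if alias == "any":
        return True
    return ipaddress.ip_address(ip) in FW_IFACES[alias.split()[0]].network


def filter_decision(src, dst):
    """Return (tab consulted, index of the first matching rule or None)."""
    tab = ingress_iface(src)
    for i, (rsrc, rdst) in enumerate(RULES[tab]):
        if alias_contains(rsrc, src) and alias_contains(rdst, dst):
            return tab, i
    return tab, None


def dead_rules():
    """Rules whose source network can never enter the tab's interface
    (short of spoofing), so they match nothing."""
    return [(tab, rsrc, rdst)
            for tab, rules in RULES.items()
            for rsrc, rdst in rules
            if rsrc != "any" and rsrc.split()[0] != tab]


def route(dst, connected, static_routes=(), default_gw=None):
    """Longest-prefix match over connected subnets and static routes.
    Returns (interface, next_hop); next_hop None means on-link delivery.
    A static route only wins by being MORE specific than a connected subnet,
    so a /24 static route for an already-connected /24 changes nothing."""
    dst = ipaddress.ip_address(dst)
    best = None
    for name, iface in connected.items():
        if dst in iface.network and (best is None or iface.network.prefixlen > best[0]):
            best = (iface.network.prefixlen, name, None)
    for name, net, gw in static_routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, name, ipaddress.ip_address(gw))
    if best:
        return best[1], best[2]
    if default_gw:
        return route(default_gw, connected)[0], ipaddress.ip_address(default_gw)
    return None, None


def ap_can_reply(ap_addr, ap_default_gw, echo_src):
    """Can a host with this address/mask and default gateway route a reply
    back to echo_src? (Fred's point #1: the far side needs a route back.)"""
    iface, _ = route(echo_src, {"wlan": ipaddress.ip_interface(ap_addr)},
                     default_gw=ap_default_gw)
    return iface is not None


def ping_from_lan_to_ap(ap_default_gw):
    """Trace 192.168.0.40 -> 192.168.5.5 through the model, with Joe's
    static route present to show it does not alter the lookup."""
    src, ap = "192.168.0.40", "192.168.5.5"
    tab, rule = filter_decision(src, ap)
    egress, hop = route(ap, FW_IFACES,
                        static_routes=[("LAN", "192.168.5.0/24", "192.168.5.1")])
    return {"rule_tab": tab, "rule_index": rule, "egress": egress,
            "next_hop": hop, "ap_replies": ap_can_reply(ap + "/24", ap_default_gw, src)}


if __name__ == "__main__":
    print("dead rules:", dead_rules())
    print("AP without gateway:", ping_from_lan_to_ap(None))
    print("AP with gateway 192.168.5.1:", ping_from_lan_to_ap("192.168.5.1"))
    print("ping from the m0n0wall itself answered:",
          ap_can_reply("192.168.5.5/24", None, "192.168.5.1"))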