[ previous ] [ next ] [ threads ]
 
 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Help passing traffic from LAN to OPT1
 Date:  Fri, 9 Jul 2004 13:11:33 -0700 (PDT)
On Thu, 8 Jul 2004, Joe Lagreca wrote:

> Maybe if I start over and explain things from the begining it may help.  
> 
> My network is like this:
> LAN 192.168.0.0/24
> WAN DHCP from cox.net
> OPT1 192.168.5.0/24
[...]
> This is the root of the problem.  The AP has the address 192.168.5.5
> and I cannot ping it from 192.168.0.40 on my LAN.
> 
> However I can ping everything from the m0n0wall itself.  Here is the
> ping output from the m0n0 to various IP's:
[...]
> I have also added a static route from my LAN to the OPT1 network:
> Interface Network            Gateway
> LAN       192.168.5.0/24  192.168.5.1
> 
> I have also created two rules under the OPT1 section of the Rules section:
> Proto Source       Port Destination Port Description  
>   *      LAN net     *      OPT1 net    *     Allow LAN access to OPT1     
>     
>   *      OPT1 net   *       *                *     Default OPT1 -> any
> 
> The first is to allow packets from my LAN to pass onto OPT1.  The
> second rule is to allow packets from OPT1 to pass to anywhere,
> thinking this would allow packets to the LAN or WAN.

The first rule, if it were needed, would need to be in the LAN section,
not the OPT1 section.  The concept is that the rules determine what
traffic origination is allowed *in* from a given interface.  However, if
you have the default rule allowing traffic from LAN to anywhere, then it's
superfluous.

> Fred, I know you told me before I didnt need a static route between
> LAN and OPT1, but when I remove it, the m0n0 can't seem to ping OPT1.

That indicates that something is wrong, since that route should be implied
by the interface configuration.  I suspect you have the netmask wrong, but
you have yet to answer my question about that from my earlier post.  It
needs to be /24 in this case.

You also haven't answered my question about what default gateway is
configured *in the AP*.  If that's anything other than the m0n0wall's OPT1
IP, then packets from the AP to the LAN won't route correctly.  This can
be worked around with NAT, but that's the less desirable choice.

Getting packets correctly routed *through* the AP is another issue, but
one thing at a time. :-)

> Is it really this complicated to pass traffic between two interfaces? 
> It was simple between LAN and WAN.  But since I added the OPT1 I can't
> for the life of me figure it out.

There are a number of things that make this case more complicated than
just inserting a firewall/router between WAN and LAN, some of which are
m0n0wall-specific and some of which aren't.  The only m0n0wall issue that
I consider a mistake is the inappropriate default netmask on OPT1.  While
treating OPT1 as "hostile" by default is incovenient at times, it's the
conservative choice from a security standpoint.  The need to configure
*other* systems appropriately to make this work isn't specifically related
to m0n0wall at all.

					Fred Wright