 From:  "Ryan Giobbi" <rgiobbi at zoominternet dot net>
 To:  "'James W. McKeand'" <james at mckeand dot biz>
 Cc:  "'Franz Lippi'" <lippi dot franz at blastministries dot net>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] cant get traffic thru firewall - WAN setup problem?
 Date:  Tue, 13 Jul 2004 13:14:19 -0400
How else could you use m0n0wall with an ISDN internet connection? This would
allow him to use m0n0wall which offers a greater feature set than his
current netgear.

I probably wouldn't set this up, but I can see the reason. 

-----Original Message-----
From: James W. McKeand [mailto:james at mckeand dot biz] 
Sent: Tuesday, July 13, 2004 1:08 PM
To: 'Ryan Giobbi'
Cc: 'Franz Lippi'; m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] cant get traffic thru firewall - WAN setup problem?

Franz already confirmed that the Netgear is doing a NAT. This is the default
behavior of the RT338.  The RT338 also acts as a DHCP server, a DNS Proxy,
and does port forwarding - much like m0n0wall. There is no DMZ on the RT338
- it is a simple Dialup-ISDN to Ethernet NAT router. There is a single
Ethernet port and can only support a single IP subnet on this "LAN" side.

Franz could point the "default" on the Netgear's "Multiple Server
Configuration" page (see page 6-4 of the RT338 manual-ftp link below) to the
m0n0wall's WAN IP to pass all traffic. Then set up NAT on m0n0wall to direct
traffic to web server on LAN.

Maybe I did not state it clearly enough, let me restate it:
Private Subnet 2 could be any other private subnets (192.168.x.x/24,
172.16.x.x/12, 10.x.x.x/8) except the same as Private Subnet 1 (i.e.
192.168.1.0/24, but not 192.168.0.0/24)

(Internet)
  |
(WAN: Static Public IP)
  Netgear RT338
(LAN: 192.168.0.1/24)
  |
(WAN: 192.168.0.2/24 GW 192.168.0.1)
  m0n0wall
(LAN: 172.16.0.1/24)
  |
(PCs)

I have heard of belt and suspenders security (hardware firewall and software
firewall). This would be like two belts. Is this really necessary? Other
than a complex setup what would this accomplish?

James.


-----Original Message-----
From: Ryan Giobbi [mailto:rgiobbi at zoominternet dot net]
Sent: Tuesday, July 13, 2004 12:33 PM
To: James W. McKeand
Cc: 'Franz Lippi'; m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] cant get traffic thru firewall - WAN setup problem?

He's probably just using the netgear as a way of turning his ISDN interface
to ethernet... once he gets it working, he could put the m0n0wall box
inside the netgear's DMZ simplifying things some.

It is awkward, but m0n0wall doesn't have ISDN modem/card support (or does
it)?

I think he'll also need to have the m0n0wall's LAN interface be on an
entirely different subnet than the netgear's LAN interface.

James W. McKeand wrote:

> 
>Do you really need a second NAT? Your network will look something like:
>
>(Internet)
>  |
>(Public IP >> NAT << Private Subnet 1) - Netgear RT338
>  |
>(Private Subnet 1 >> NAT << Private Subnet 2) - m0n0wall
>  |
>(LAN)
>
>Private Subnet 1 is already 192.168.0.1/24 (subnet mask of 255.255.255.0 is
>default)
>Private Subnet 2 could be any other private subnets (192.168.0.0/24,
>172.16.0.0/12, 10.0.0.0/8) except 192.168.0.0/24 ;-)
>
>Setting the WAN of the m0n0wall to DHCP (as previously suggested by Ryan
>Giobbi) would do the trick. But then you would need some complex rules
>to allow traffic to the LAN.
>
>What are you intending to stop with a second NAT? Do you have a 
>specific problem you are trying to solve with the addition of the m0n0wall?
>
>BTW, here is where you can find the manual for your router, if you have
>lost it: ftp://downloads.netgear.com/files/netgear1/rt338refguide.pdf
>I get bored and read things... ;-)
>
>James.
>
>-----Original Message-----
>From: Franz Lippi [mailto:lippi dot franz at blastministries dot net]
>Sent: Tuesday, July 13, 2004 11:55 AM
>To: James W. McKeand
>Subject: Re: [m0n0wall] cant get traffic thru firewall - WAN setup problem?
>
>YES that's correct
>------
>
>James W. McKeand wrote:
>
>>Sounds like the Netgear ISDN Router is already doing NAT. (thus the 
>>non-routable 192.168.0.1 IP and a Non-disclosed Public IP address - 
>>MyWWWStatic IP)
>>
>>I am assuming that without the m0n0wall, your network PCs get out to 
>>the internet and people can get to your web server on the LAN.
>>
>YES that's correct
>------
>
>>________________
>>James W. McKeand
>>
>>-----Original Message-----
>>From: Franz Lippi [mailto:lippi dot franz at blastministries dot net]
>>Sent: Tuesday, July 13, 2004 10:37 AM
>>To: m0n0wall at lists dot m0n0 dot ch
>>Subject: [m0n0wall] cant get traffic thru firewall - WAN setup problem?
>>
>>Hi,
>>I am a m0n0wall newbie, looks like a great product and comes with high
>>recommendation, but I got stuck... description of what I did so far:
>>
>>I have set up a computer w 2 NICs, tested them physically on the local 
>>lan side, works fine.
>>
>>this is my setup:
>>
>>ISP over ISDN dialin; I get the same IP address at every dialin
>>(MyWWWStatic IP), the netgear ISDN Router handles that
>>   |
>>-------------------------------
>>Ethernet to ISDN Router (Netgear RT338)     Router IP: 192.168.0.1
>>-------------------------------
>>   |
>>-------------------------------
>>Monowall NIC "WAN"   (setup: static IP address (MyWWWStatic IP) w default
>>gateway pointing to Netgear Router (192.168.0.1))
>>Monowall NIC "LAN", 192.168.0.25
>>-------------------------------
>>-------------------------------
>>  |
>>---------------------------------------------
>>Local Network w PCs 192.168.0.10-35
>>---------------------------------------------
>>
>>WAN config:
>>I tried to put the WAN NIC to a static IP address (MyWWWStatic IP) w
>>default gateway pointing to Netgear Router (192.168.0.1). I can access
>>the webGUI over the Local LAN; I put in rules for WAN, TCP protocol
>>* * * * allow traffic, for LAN proto *, Source LAN-net, * * *
>>allow traffic
>>
>>I thought this is a pretty forward setup, BUT I CAN'T BRING ANY
>>TRAFFIC OVER THE FIREWALL.
>>
>>Am I sitting on my brain or
>>has the fact that my IF to the ISP is an Eth 2 ISDN router something to
>>do with it?
>>Do you have any ideas?
>>
>>Grateful for help!!
>>Franz Lippi
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
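
The addressing problem discussed in this thread can be checked mechanically. The following is an added example, not part of the original messages: `check_cascade` is a hypothetical helper, and `203.0.113.10/24` is a constructed documentation-range placeholder standing in for the undisclosed "MyWWWStatic IP" (its prefix length is an assumption).

```python
import ipaddress

def check_cascade(upstream_lan, wan_if, wan_gw, lan_if):
    """List addressing problems for a firewall placed behind a NAT router.

    upstream_lan: upstream router's LAN interface, e.g. "192.168.0.1/24"
    wan_if, lan_if: inner firewall's WAN and LAN interfaces (address/prefix)
    wan_gw: default gateway configured on the inner firewall's WAN
    """
    up = ipaddress.ip_interface(upstream_lan)
    wan = ipaddress.ip_interface(wan_if)
    lan = ipaddress.ip_interface(lan_if)
    gw = ipaddress.ip_address(wan_gw)
    problems = []
    # The gateway must be reachable on-link from the WAN interface.
    if gw not in wan.network:
        problems.append("gateway is not on the WAN interface's subnet")
    # The WAN side must live in the upstream router's LAN subnet.
    if wan.network != up.network:
        problems.append("WAN is not in the upstream router's LAN subnet")
    elif wan.ip == up.ip:
        problems.append("WAN address collides with the upstream router")
    # Same subnet on both sides leaves the firewall nothing to route between.
    if lan.network.overlaps(wan.network) or lan.network.overlaps(up.network):
        problems.append("LAN subnet overlaps the WAN-side subnet")
    if not lan.network.is_private:
        problems.append("LAN subnet is not private address space")
    return problems

if __name__ == "__main__":
    # Original setup from the first post (public IP value is a placeholder).
    original = check_cascade("192.168.0.1/24", "203.0.113.10/24",
                             "192.168.0.1", "192.168.0.25/24")
    # Layout proposed later in the thread.
    proposed = check_cascade("192.168.0.1/24", "192.168.0.2/24",
                             "192.168.0.1", "172.16.0.1/24")
    for name, result in (("original", original), ("proposed", proposed)):
        print(name, "->", result or "no addressing problems")
```
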