I think I am going to throw in the towel on this one and tune the NAT on the Netgear rt338 (just suspenders....:-)).

REALLY THANK YOU for your input.

Franz Lippi
....................

Ryan Giobbi wrote:

>How else could you use m0n0wall with an ISDN internet connection? This would
>allow him to use m0n0wall which offers a greater feature set than his
>current netgear.
>
>I probably wouldn't set this up, but I can see the reason.
>
>-----Original Message-----
>From: James W. McKeand [mailto:james at mckeand dot biz]
>Sent: Tuesday, July 13, 2004 1:08 PM
>To: 'Ryan Giobbi'
>Cc: 'Franz Lippi'; m0n0wall at lists dot m0n0 dot ch
>Subject: RE: [m0n0wall] cant get traffic thru firewall - WAN setup problem?
>
>Franz already confirmed that the Netgear is doing a NAT. This is the default
>behavior of the RT338. The RT338 also acts as a DHCP server, a DNS Proxy,
>and does port forwarding - much like m0n0wall. There is no DMZ on the RT338
>- it is a simple Dialup-ISDN to Ethernet NAT router. There is a single
>Ethernet port and can only support a single IP subnet on this "LAN" side.
>
>Franz could point the "default" on the Netgear's "Multiple Server
>Configuration" page (see page 6-4 of the RT338 manual-ftp link below) to the
>m0n0wall's WAN IP to pass all traffic. Then set up NAT on m0n0wall to direct
>traffic to web server on LAN.
>
>Maybe I did not state it clearly enough, let me restate it:
>Private Subnet 2 could be any other private subnets (192.168.x.x/24,
>172.16.x.x/12, 10.x.x.x/8) except the same as Private Subnet 1 (i.e.
>192.168.1.0/24, but not 192.168.0.0/24)
>
>(Internet)
>    |
>(WAN: Static Public IP)
>  Netgear RT338
>(LAN: 192.168.0.1/24)
>    |
>(WAN: 192.168.0.2/24 GW 192.168.0.1)
>  m0n0wall
>(LAN: 172.16.0.1/24)
>    |
>(PCs)
>
>I have heard of belt and suspenders security (hardware firewall and software
>firewall). This would be like two belts. Is this really necessary? Other
>than a complex setup what would this accomplish?
>
>James.
>
>-----Original Message-----
>From: Ryan Giobbi [mailto:rgiobbi at zoominternet dot net]
>Sent: Tuesday, July 13, 2004 12:33 PM
>To: James W. McKeand
>Cc: 'Franz Lippi'; m0n0wall at lists dot m0n0 dot ch
>Subject: Re: [m0n0wall] cant get traffic thru firewall - WAN setup problem?
>
>He's probably just using the netgear as a way of turning his ISDN interface
>to ethernet........once he gets it working, he could put the m0n0wall box
>inside the netgear's DMZ simplifying things some.
>
>It is awkward, but m0n0wall doesn't have ISDN modem/card support (or does
>it)?
>
>I think he'll also need to have the m0n0wall's LAN interface be on an
>entirely different subnet than the netgear's LAN interface.
>
>James W. McKeand wrote:
>
>>Do you really need a second NAT? Your network will look something like:
>>
>>(Internet)
>>    |
>>(Public IP >> NAT << Private Subnet 1) - Netgear RT338
>>    |
>>(Private Subnet 1 >> NAT << Private Subnet 2) - m0n0wall
>>    |
>>(LAN)
>>
>>Private Subnet 1 is already 192.168.0.1/24 (subnet mask of 255.255.255.0 is
>>default)
>>Private Subnet 2 could be any other private subnets (192.168.0.0/24,
>>172.16.0.0/12, 10.0.0.0/8) except 192.168.0.0/24 ;-)
>>
>>Setting the WAN of the m0n0wall to DHCP (as previously suggested by Ryan
>>Giobbi) would do the trick. But then you would need some complex rules
>>to allow traffic to the LAN.
>>
>>What are you intending to stop with a second NAT? Do you have a
>>specific problem you are trying to solve with the addition of the m0n0wall?
>>
>>BTW, here is where you can find the manual for your router, if you have lost
>>it: ftp://downloads.netgear.com/files/netgear1/rt338refguide.pdf I get
>>bored and read things... ;-)
>>
>>James.
>>
>>-----Original Message-----
>>From: Franz Lippi [mailto:lippi dot franz at blastministries dot net]
>>Sent: Tuesday, July 13, 2004 11:55 AM
>>To: James W. McKeand
>>Subject: Re: [m0n0wall] cant get traffic thru firewall - WAN setup problem?
>>
>>YES that's correct
>>------
>>
>>James W. McKeand wrote:
>>
>>>Sounds like the Netgear ISDN Router is already doing NAT. (thus the
>>>non-routable 192.168.0.1 IP and a Non-disclosed Public IP address -
>>>MyWWWStatic IP)
>>>
>>>I am assuming that without the m0n0wall, your network PCs get out to
>>>the internet and people can get to your web server on the LAN.
>>>
>>YES that's correct
>>------
>>
>>>________________
>>>James W. McKeand
>>>
>>>-----Original Message-----
>>>From: Franz Lippi [mailto:lippi dot franz at blastministries dot net]
>>>Sent: Tuesday, July 13, 2004 10:37 AM
>>>To: m0n0wall at lists dot m0n0 dot ch
>>>Subject: [m0n0wall] cant get traffic thru firewall - WAN setup problem?
>>>
>>>Hi,
>>>I am a m0n0wall newbie, looks like a great product and comes with high
>>>recommendation, but I got stuck.....description of what I did so far:
>>>
>>>I have set up a computer w 2 NICs, tested them physically on the local
>>>lan side, works fine.
>>>
>>>this is my setup:
>>>
>>>ISP over ISDN dialin; I get the same IP address at every dialin
>>>(MyWWWStatic IP), the netgear ISDN Router handles that
>>>                 |
>>>-------------------------------
>>>Ethernet to ISDN Router (Netgear RT338) Router IP: 192.168.0.1
>>>-------------------------------
>>>                 |
>>>-------------------------------
>>>Monowall NIC "WAN" (setup: static IP address (MyWWWStatic IP) w default
>>>gateway pointing to Netgear Router (192.168.0.1))
>>>Monowall NIC "LAN", 192.168.0.25
>>>-------------------------------
>>>                 |
>>>---------------------------------------------
>>>Local Network w PCs 192.168.0.10-35
>>>---------------------------------------------
>>>
>>>WAN config:
>>>I tried to put the WAN NIC to a static IP address (MyWWWStatic IP) w
>>>default gateway pointing to Netgear Router (192.168.0.1)
>>>I can access the webGUI over the Local LAN;
>>>I put in rules for WAN, TCP protocol * * * * allow traffic,
>>>for LAN proto *, Source LAN-net, * * * allow traffic
>>>
>>>I thought this is a pretty forward setup, BUT I CAN'T BRING ANY
>>>TRAFFIC OVER THE FIREWALL.
>>>
>>>Am I sitting on my brain or
>>>has the fact that my IF to the ISP is a Eth 2 ISDN router something to
>>>do with it?
>>>Do you have any ideas?
>>>
>>>Grateful for help!!
>>>Franz Lippi
>>>
>>>---------------------------------------------------------------------
>>>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
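
The addressing points raised in this thread (the m0n0wall WAN port needs an address and gateway on the Netgear's LAN segment, and the m0n0wall LAN must be a different private subnet), checked in code as an added example that is not part of the original messages. The function name `check_cascade`, the problem codes, the stand-in address 203.0.113.10 for the undisclosed "MyWWWStatic IP", and the /24 masks on the original setup are assumptions.

```python
import ipaddress as ipa

# The three private ranges named in the thread (RFC 1918).
RFC1918 = [ipa.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_cascade(upstream_lan, wan, wan_gw, lan):
    """Check an inner firewall cascaded behind a NAT router.

    upstream_lan, wan and lan are interface strings ("192.168.0.1/24");
    wan_gw is the inner firewall's default gateway. Returns a list of
    problem codes (hypothetical names), empty when addressing is consistent.
    """
    up = ipa.ip_interface(upstream_lan)
    w = ipa.ip_interface(wan)
    inner = ipa.ip_interface(lan)
    gw = ipa.ip_address(wan_gw)
    problems = []
    # The inner WAN port sits on the outer router's LAN segment, so it
    # needs its own address from that segment, not the public one.
    if w.ip not in up.network or w.ip == up.ip:
        problems.append("wan-not-on-upstream-lan")
    # A default gateway is only reachable if it is on-link for the WAN port.
    if gw not in w.network:
        problems.append("gateway-not-on-link")
    # If both sides of the inner firewall share a subnet, hosts treat the
    # far side as local and never hand packets to the firewall to route.
    if inner.network.overlaps(up.network) or inner.network.overlaps(w.network):
        problems.append("lan-overlaps-wan-side")
    if not any(inner.network.subnet_of(n) for n in RFC1918):
        problems.append("lan-not-private")
    return problems

# Constructed inputs. 203.0.113.10 is a documentation address standing in
# for the undisclosed public IP; the /24 masks on it and on 192.168.0.25
# are assumed.
ORIGINAL = check_cascade("192.168.0.1/24", "203.0.113.10/24",
                         "192.168.0.1", "192.168.0.25/24")
# The layout from the (WAN: 192.168.0.2/24 GW 192.168.0.1) diagram.
PROPOSED = check_cascade("192.168.0.1/24", "192.168.0.2/24",
                         "192.168.0.1", "172.16.0.1/24")

if __name__ == "__main__":
    print("original setup:", ORIGINAL)
    print("proposed setup:", PROPOSED)
```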