 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Cc:  "'Sven Kobow'" <s dot kobow at maul dash theet dot de>
 Subject:  RE: [m0n0wall] Problems with DNS server replication
 Date:  Fri, 3 Sep 2004 10:46:24 -0400
I think that this is a firewall issue not a NAT issue. By default, the DMZ
interface will not be able to talk to *ANYTHING*. The firewall rule on the
LAN interface that states LAN net:any -> *.any will allow the LAN to talk to
the DMZ and WAN. If you want the DMZ to talk to the LAN you will have to add
a rule or rules to allow the traffic. You can create a Pass DMZ net:any ->
*:any, but this would be insecure. I would recommend that you only open the
ports that are absolutely needed. If you need the DMZ to talk to your DNS,
open DNS. Other than DNS what traffic do you want to pass from DMZ to LAN?

On the types of NAT: 
Inbound NAT is when you map specific ports destined for your WAN IP to be
forwarded to an Internal IP (LAN or DMZ). You will need to add firewall
rules (can be done automatically) to allow the traffic. (Other firewalls
call this "port forwarding")

Server NAT is when you want multiple IPs on the WAN interface - you may
need Proxy ARP for the external IPs to work - depends on your WAN
connection. You can then add Inbound NAT using these additional IPs. See
Inbound NAT above - firewall rule creation still applies.

1:1 NAT is when you map *ALL* ports of an external IP to *ALL* ports of an
internal IP - again you may need Proxy ARP for the external IPs to work. I
believe you still need to add firewall rules to allow traffic into the IP
(not done automatically). I have not used this, but that is how I *THINK* it
is supposed to work. (Correct me if I am wrong...) What I am *NOT* sure of
is how the firewall rules are written. For the external IP or the internal
IP? On the WAN interface or LAN/DMZ interface? Or External IP for WAN
interface and Internal IP for LAN/DMZ?

Outbound NAT - I really have no idea, this is my theory. I have read the
description on the WebGUI. I think you can make outbound packets look like
they are originating from an IP other than the default WAN IP. For example
WAN IP is with as an additional external IP. Packets from (on the LAN) look like they originated from instead of (default WAN IP). You would need to create multiple rules, some to
handle specific source IPs and some generic source IPs. This is because with
this enabled, automatic mappings are *NOT* created. With this Disabled WAN
IP is used by default and mappings are automatically created. Again, I do
not use this, this is just my theory on how it works. Someone correct me if
I am wrong.

Related: Proxy ARP allows the WAN interface to respond for IPs other than
the WAN IP - only works when WAN is static IP or DHCP (not for PPPOE/PPTP). 

Most of this is paraphrased from notes on the WebGUI.

James W. McKeand

-----Original Message-----
From: Sven Kobow [mailto:s dot kobow at maul dash theet dot de] 
Sent: Friday, September 03, 2004 5:07 AM
To: James W. McKeand
Subject: Re: [m0n0wall] Problems with DNS server replication

I tried to get the explained solution to work but without any success.
But I think I found out what is going wrong:

I discovered that I can not access any machine in my internal network from
my DMZ but I'm not having any problems the other way round. I configure my
monowall to do 1:1 NAT on the WAN interface. I am not so familiar with the
different types of NAT so that was the only type that I got working. I guess
I have to configure NAT from the DMZ to LAN to get things working, right?
Can anybody explain the different type of NAT to me or tell me the most
secure way to solve the problem?



James W. McKeand wrote:
> I think you need two rules:
> Interface Source  : Port -> Dest    : Port
> DMZ       <BIND>  : 53   -> <MS DNS>: 53
> LAN       <MS DNS>: 53   -> <BIND>  : 53
> <BIND> being your Linux box on your DMZ <MS DNS> being your Microsoft 
> box on LAN (AT from the syslog
> below)
> I would suggest setting up alias for your MS and Linux Box - these are 
> just shortcuts for creating firewall and NAT rules. In other words you 
> can use the name of your box instead of the IP address when creating 
> rules. The other advantage is that if you need to change the IP of a 
> server, do not need to edit *ALL* the rules - just the alias.
> If the rules don't work, it could be a problem with the Microsoft DNS 
> not accepting the connection from the Linux box. I am assuming that 
> this worked before you setup the m0n0wall. On the zone in question, is 
> the Linux box listed as a Name Server for the zone (I assume yes)? Is 
> zone transfers enabled? Are zone transfers enabled (mine is *NOT* by default - SBS2003)? Is the 
> Linux box shown as "allowed" to zone transfer? What IPs are shown - have
> these changed?
> _________________________________
> James W. McKeand
> -----Original Message-----
> From: Sven Kobow [mailto:s dot kobow at maul dash theet dot de]
> Sent: Thursday, September 02, 2004 6:21 AM
> To: m0n0wall mailling list
> Subject: [m0n0wall] Problems with DNS server replication
> Hi,
> I need the following problem to be solved:
> I got my internal net and a DMZ 192.168.0./24 
> connected by m0n0wall. In both subnets are DNS (MS DNS internal, BIND 
> DMZ) servers. The DNS server in my internal net has the master zone 
> for my domain and the DNS in the DMZ has a slave zone. The problem is 
> that replication does not work properly. I checked syslog on my Linux box
> running BIND and found:
> Sep  2 12:13:30 <LINUXBOX> /usr/sbin/named[11906]: refresh_callback: zone foo.bar/IN: failure for timed out
> Sep  2 12:13:30 <LINUXBOX> /usr/sbin/named[11906]: refresh_callback: zone foo.bar/IN: retries exceeded
> I need to know how to setup rules for this to work!
> Thanx
> Sven

Kind regards

Sven Kobow

Maul-Theet Systeme GmbH
Mannheimer Str. 33-34
D-10713 Berlin

Tel.: +49(0)30 861 14 20
FAX : +40(0)30 86 40 96 81
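The rule semantics discussed in the thread (per-interface rules, first match wins, implicit default deny on the DMZ, the LAN-to-anything rule, and a narrow DMZ-to-LAN opening for the zone transfer) can be checked in a small model. The following is an added example written for this archive page; it is not m0n0wall code and does not use the addresses from the original posts, which did not survive extraction. It assumes a stateful, first-match, per-interface filter, constructed addresses for the LAN (10.0.0.0/24, master at 10.0.0.5) and DMZ (192.168.0.0/24, slave at 192.168.0.5), and it deliberately leaves the slave's source port unpinned, because a slave's SOA refresh and AXFR requests are sent from an ephemeral port rather than from port 53.

```python
"""Model of m0n0wall-style per-interface, first-match, stateful filtering
for the LAN / DMZ layout in the thread (added example, not m0n0wall code)."""
import ipaddress
from dataclasses import dataclass

# Constructed addressing: the thread's own addresses did not survive extraction.
LAN_NET = ipaddress.ip_network("10.0.0.0/24")
DMZ_NET = ipaddress.ip_network("192.168.0.0/24")
MS_DNS = ipaddress.ip_address("10.0.0.5")    # master zone, on the LAN
BIND = ipaddress.ip_address("192.168.0.5")   # slave zone, in the DMZ
NETWORKS = (ipaddress.IPv4Network, ipaddress.IPv6Network)


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on (rules are per-interface)
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str    # "pass" or "block"
    proto: str     # "tcp", "udp" or "any"
    src: object    # ip_network, ip_address or "any"
    sport: object  # int or "any"
    dst: object
    dport: object


def _addr_ok(spec, addr):
    if spec == "any":
        return True
    a = ipaddress.ip_address(addr)
    return a in spec if isinstance(spec, NETWORKS) else a == spec


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()  # 5-tuples of flows a pass rule admitted earlier

    def evaluate(self, p):
        # Stateful behaviour: the reply to an admitted flow is passed on any
        # interface without consulting the rules (like ipfilter "keep state").
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return "pass"
        for r in self.rules:
            if r.iface != p.iface or r.proto not in ("any", p.proto):
                continue
            if not (_addr_ok(r.src, p.src) and r.sport in ("any", p.sport)
                    and _addr_ok(r.dst, p.dst) and r.dport in ("any", p.dport)):
                continue
            if r.action == "pass":
                self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return r.action
        return "block"  # implicit default deny on every interface


def least_privilege_rules():
    """LAN may initiate anything; the DMZ slave may only reach the master on 53."""
    return [Rule("LAN", "pass", "any", LAN_NET, "any", "any", "any"),
            Rule("DMZ", "pass", "udp", BIND, "any", MS_DNS, 53),   # SOA refresh
            Rule("DMZ", "pass", "tcp", BIND, "any", MS_DNS, 53)]   # AXFR/IXFR


def wide_open_dmz_rules():
    """The 'Pass DMZ net:any -> *:any' alternative the reply warns against."""
    return [Rule("LAN", "pass", "any", LAN_NET, "any", "any", "any"),
            Rule("DMZ", "pass", "any", DMZ_NET, "any", "any", "any")]


def slave_refresh(fw):
    """Slave-initiated refresh: SOA over UDP, then AXFR over TCP, both from an
    ephemeral source port (not pinned to sport 53)."""
    soa = Packet("DMZ", "udp", str(BIND), 40123, str(MS_DNS), 53)
    axfr = Packet("DMZ", "tcp", str(BIND), 40124, str(MS_DNS), 53)
    return fw.evaluate(soa), fw.evaluate(axfr)


def master_notify(fw):
    """DNS NOTIFY from the master arrives on LAN and rides the LAN any rule."""
    return fw.evaluate(Packet("LAN", "udp", str(MS_DNS), 52000, str(BIND), 53))


def dmz_lateral_attempts(fw):
    """What a compromised DMZ host would try next: SMB to the master, and DNS
    to the master from a DMZ host other than the slave."""
    smb = Packet("DMZ", "tcp", str(BIND), 40125, str(MS_DNS), 445)
    other = Packet("DMZ", "udp", "192.168.0.77", 40126, str(MS_DNS), 53)
    return fw.evaluate(smb), fw.evaluate(other)


def dmz_reply_needs_state():
    """A LAN client reaches a DMZ web server; the reply arrives on DMZ, where
    no rule matches it, and passes only because of the state entry."""
    req = Packet("LAN", "tcp", "10.0.0.20", 50000, str(BIND), 80)
    rep = Packet("DMZ", "tcp", str(BIND), 80, "10.0.0.20", 50000)
    fw = Firewall(least_privilege_rules())
    with_state = (fw.evaluate(req), fw.evaluate(rep))
    cold = Firewall(least_privilege_rules()).evaluate(rep)  # no prior request
    return with_state, cold
```

With `least_privilege_rules()` the slave's refresh passes, the master's NOTIFY passes through the LAN rule, and both lateral attempts from the DMZ are blocked; with `wide_open_dmz_rules()` the same lateral attempts pass, which is the exposure the reply cautions against. `dmz_reply_needs_state()` shows why the LAN rule alone is enough for LAN-initiated traffic to the DMZ: the DMZ-side reply is admitted by state, not by any DMZ rule.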