 
 From:  "Rodman Frowert" <frowertr at i dash 1 dot net>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Unable to ping DMZ hosts from LAN
 Date:  Tue, 7 Sep 2004 16:49:03 -0500
Ok this is what I have got so far...

I feel like an idiot.  In the static routing page, I kept putting in the 
OPT1 interface address for the gateway which is 10.10.10.1 instead of 
putting in my LAN interface address which is 192.168.1.1. Duh!

Now the problem I am getting is that when I ping the devices in my DMZ, I 
get "TTL expired in transit".  I think this is because I still don't have 
the destination network setup properly.  At least I got "somewhere".  I 
think...

Rodman
----- Original Message ----- 
From: "Rodman Frowert" <frowertr at i dash 1 dot net>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Tuesday, September 07, 2004 4:12 PM
Subject: Re: [m0n0wall] Unable to ping DMZ hosts from LAN


> I set that exact rule in my DMZ.  I think my problem is with static 
> routing. I really don't know what I am doing in there.  Am I telling m0n0 
> that when I want to go to "x" network, it needs to use "y" router to get 
> there?
>
> So, for interface on the Static Routing page, I would select LAN, correct? 
> Then I get lost when it asks for the destination network.  Right now, my 
> DMZ is set up as following:
>
> m0n0 OPT1 interface - 10.10.10.1
> switch - 10.10.10.2
> access point 1 - 10.10.10.3
> access point 2 - 10.10.10.4
>
> What would I put for destination network?  For the gateway I am pretty 
> sure I just give it my OPT1 interface which is 10.10.10.1
>
> Thanks for all your continued help guys!
>
> Rodman
>
>
> ----- Original Message ----- 
> From: "Chet Harvey" <chet at pittech dot com>
> To: "Terry Miller" <terry at millfam dot org>
> Cc: "'Rodman Frowert'" <frowertr at i dash 1 dot net>; <m0n0wall at lists dot m0n0 dot ch>
> Sent: Tuesday, September 07, 2004 2:19 PM
> Subject: RE: [m0n0wall] Unable to ping DMZ hosts from LAN
>
>
>> mmmm I don't agree with this as it would defeat the purpose of a DMZ. You
>> should be able to simply add a rule to allow all LAN traffic to the DMZ. 
>> You will need a static route from the LAN to the DMZ since they are on 
>> different networks. That should cover it. You would never want to allow 
>> any traffic from the DMZ to your LAN unless it was for a specific reason.
>>
>> I have a net4521 with one wifi card for internal use (LAN) and the second 
>> as the captive portal in "DMZ" mode. I also have the second NIC as a 
>> server DMZ.
>>
>> I have one rule for each DMZ:
>>
>> Proto:    Source:    Port:    Destination:    Port:
>> *         Lan        *        Opt2            *
>>
>> I also have a static route for LAN > DMZ
>>
>>
>> wish I could see my box from here so I could give a SS.
>>
>>
>>
>> Chet Harvey
>> Pitbull Technologies <http://www.pittech.com/>
>> Protecting your Digital Assets
>> 703.407.7311
>>
>>
>> Quoting Terry Miller <terry at millfam dot org>:
>>
>>> There will also need to be a rule on the lan interface that allows 
>>> traffic from the dmz to the lan.
>>>
>>>
>>> -----Original Message-----
>>> From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
>>> Sent: Tuesday, September 07, 2004 11:47 AM
>>> To: m0n0wall at lists dot m0n0 dot ch
>>> Subject: Re: [m0n0wall] Unable to ping DMZ hosts from LAN
>>>
>>>
>>> Hey Terry,
>>>
>>> Yes the machines (actually they are wireless access points) are set to
>>> respond to pings.  I can ping them through the webgui interface of m0n0 
>>> just fine.  They are also set to use m0n0 as their gateway.  They work 
>>> just fine as far as using them for access points for my hotspot.  I just 
>>> can't talk to them from my LAN. :-(
>>>
>>> >Do the firewalls allow telnet and ICMP?
>>>
>>> Well, the only firewall for my LAN device is:
>>>
>>> Proto:    Source:    Port:    Destination:    Port:
>>> *            Lan net       *       *                    *
>>>
>>> I assume this would allow anything to pass to the DMZ (as well as 
>>> everywhere else) as long as I don't specifically have a rule set for the 
>>> DMZ interface to block LAN requests...
>>>
>>> I tried setting up a firewall rule in the DMZ and put it at the top that
>>> had:
>>>
>>> Proto:    Source:    Port:    Destination:    Port:
>>> *            Lan net       *       DMZ            *
>>>
>>> and...
>>>
>>> Proto:    Source:    Port:    Destination:    Port:
>>> *            *             *         *                    *
>>>
>>> Neither of these had any effect.  I still can't talk to any of the AP's 
>>> in my DMZ from my LAN.
>>>
>>> Rodman
>>>
>>> ----- Original Message ----- 
>>> From: "Terry Miller" <terry at millfam dot org>
>>> To: <m0n0wall at lists dot m0n0 dot ch>
>>> Sent: Tuesday, September 07, 2004 11:18 AM
>>> Subject: RE: [m0n0wall] Unable to ping DMZ hosts from LAN
>>>
>>>
>>> Is the machine in the dmz set to use monowall as the default gateway and
>>> respond to pings? Do the firewalls allow telnet and ICMP?
>>>
>>> I was just burned on step 1 last week.
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
>>> Sent: Tuesday, September 07, 2004 10:34 AM
>>> Cc: m0n0wall at lists dot m0n0 dot ch
>>> Subject: [m0n0wall] Unable to ping DMZ hosts from LAN
>>>
>>>
>>> Hey guys,
>>>
>>> I looked through the archives and didn't find any answers I thought 
>>> would be beneficial to me so I thought I would ask.  I can't seem to ping 
>>> anything in the DMZ (other than my m0n0 DMZ interface) from my LAN.  Now 
>>> I can ping DMZ hosts from the m0n0 GUI, however.
>>>
>>> Is there something that is set that is preventing me from talking to DMZ
>>> hosts from my LAN?  I only have one LAN rule and it is the default rule 
>>> that was enabled when m0n0 was installed:  Default LAN --> any.  The DMZ 
>>> rules I have set apply to what can come out of the DMZ only because this 
>>> is my hotspot.
>>>
>>> I would like to eventually put a webserver in my DMZ, so you can imagine 
>>> I at least need telnet access to the machine from my LAN.
>>>
>>> My LAN is 192.168.1.x/24
>>> My DMZ is 10.10.10.x/24
>>>
>>> What am I missing?  Am I going to have to bridge these two to do what I 
>>> want to do?
>>>
>>> Rodman
>>>
>>>
>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>>
>>>
>>
>
>
>
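As an added illustration (not code from the thread or from m0n0wall): a small checker for the static-route mistakes this thread runs into, using the thread's own addressing (LAN 192.168.1.1/24, OPT1/DMZ 10.10.10.1/24). The interface names, the route data layout and the "sane" 172.16.5.0/24 route via 192.168.1.254 are assumptions; "TTL expired in transit" is the classic symptom of a forwarding loop, which is what a gateway pointing back at the firewall itself produces.

```python
# Added illustration, not m0n0wall code: sanity-check static routes against the
# firewall's own interface addresses, using the addressing from this thread.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Interface:
    name: str
    address: str      # interface address with prefix length, e.g. "192.168.1.1/24"

@dataclass(frozen=True)
class StaticRoute:
    interface: str    # interface the route is bound to (as on the Static Routes page)
    destination: str  # destination network, e.g. "10.10.10.0/24"
    gateway: str      # next-hop router address

def check_static_route(route: StaticRoute, interfaces: list[Interface]) -> list[str]:
    """Return the problems found with one static route; an empty list means it is sane."""
    problems = []
    dest = ipaddress.ip_network(route.destination, strict=False)
    gw = ipaddress.ip_address(route.gateway)
    own_addrs = {ipaddress.ip_interface(i.address).ip for i in interfaces}
    nets = {i.name: ipaddress.ip_interface(i.address).network for i in interfaces}

    # A gateway must be another router; the firewall's own address cannot be a
    # next hop, and forwarding to itself only ends when the TTL runs out.
    if gw in own_addrs:
        problems.append("gateway is one of the firewall's own addresses (forwarding loop)")
    # Directly connected networks are reached through the interface route itself.
    for name, net in nets.items():
        if dest.subnet_of(net):
            problems.append(f"destination is directly connected on {name}; no static route needed")
    # The next hop has to sit on a connected segment, and on the chosen interface.
    reachable_via = [name for name, net in nets.items() if gw in net]
    if not reachable_via:
        problems.append("gateway is not on any directly connected network")
    elif route.interface not in reachable_via:
        problems.append(f"gateway is reachable via {reachable_via[0]}, not {route.interface}")
    return problems

# Constructed from the thread: m0n0wall LAN 192.168.1.1/24, OPT1 (DMZ) 10.10.10.1/24.
FIREWALL = [Interface("LAN", "192.168.1.1/24"), Interface("OPT1", "10.10.10.1/24")]

if __name__ == "__main__":
    for r in (StaticRoute("LAN", "10.10.10.0/24", "10.10.10.1"),      # first attempt in the thread
              StaticRoute("LAN", "10.10.10.0/24", "192.168.1.1"),     # second attempt in the thread
              StaticRoute("LAN", "172.16.5.0/24", "192.168.1.254")):  # a sane route (assumed)
        print(r, check_static_route(r, FIREWALL) or ["ok"])
```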