Topic: DYNDNS Update Problem  (Read 10632 times)
« on: March 09, 2008, 04:01:56 »
Greg *
Posts: 12

I have two m0n0walls running on net48xx hardware and 1.231.  One of the boxes (the one that works) has three ethernet interfaces.  The box that does not work has five ethernet interfaces.

I cleared the log, disabled DNS updater and then enabled DNS updater.  On the box that fails, here is what the logs look like:

Mar 8 18:45:43 /usr/local/bin/ez-ipupdate[444]: failure to update ng0->76.237.0.81 (headingup.com)
Mar 8 18:39:28 /usr/local/bin/ez-ipupdate[444]: failure to update ng0->76.237.0.81 (headingup.com)
Mar 8 18:38:13 /usr/local/bin/ez-ipupdate[444]: malformed cache file: /var/db/ez-ipupdate.cache
Mar 8 18:38:13 /usr/local/bin/ez-ipupdate[444]: /usr/local/bin/ez-ipupdate started for interface ng0 host headingup.com using server members.dyndns.org and service dyndns-custom
Mar 8 18:38:13 /usr/local/bin/ez-ipupdate[444]: ez-ipupdate Version 3.0.11b8, Copyright (C) 1998-2001 Angus Mackay.
Mar 8 18:38:12 /usr/local/bin/ez-ipupdate[383]: received SIGQUIT, shutting down

Notice the "failure to update ng0 -> 76.237.0.81".

On the box that works (only three interfaces) this is what the logs look like:

Last 50 system log entries
Mar 8 18:34:40 /usr/local/bin/ez-ipupdate[52054]: received SIGQUIT, shutting down
Mar 8 18:34:52 /usr/local/bin/ez-ipupdate[52123]: ez-ipupdate Version 3.0.11b8, Copyright (C) 1998-2001 Angus Mackay.
Mar 8 18:34:52 /usr/local/bin/ez-ipupdate[52123]: /usr/local/bin/ez-ipupdate started for interface sis1 host headingup.com using server members.dyndns.org and service dyndns-custom
Mar 8 18:34:52 /usr/local/bin/ez-ipupdate[52123]: malformed cache file: /var/db/ez-ipupdate.cache
Mar 8 18:34:52 /usr/local/bin/ez-ipupdate[52123]: successful update for sis1->10.43.7.10 (headingup.com)

Please notice the "malformed cache file" on both the good and the bad box.  This one did in fact update DYNDNS with 10.43.7.10 which is a private ip address.

I reconfigured the five interface box from scratch and it still does not work.  Could this problem have something to do with the uniqueness of the "ng0" interface?

Thanks, Greg
« Reply #1 on: March 18, 2008, 16:36:28 »
Greg *
Posts: 12

I am concerned about the level of support available with m0n0wall at this time.  There is a great deal of interest in this thread (160 viewings) for a problem that seems to be very well defined. 

Would it be fair to assume that m0n0wall is no longer being supported by a product development team?  If this is the case, are the only available support options by other users and reading the code ourselves?

Thanks in advance for any feedback here!  Greg

PS.  I believe m0n0wall is a great product and I have much invested in terms of time learning the system and purchasing hardware for m0n0wall to run on.  It is really too bad to think that such a great product is now not being supported.
« Reply #2 on: March 19, 2008, 07:24:06 »
ChainSaw
Guest

If you want a more active project with better access to the developers, check out pfSense.  However, if you want the best embedded firewall bar none, it's m0n0wall.  I agree with your observations but that is something I have learned to live with.  That often means I need to be creative and flexible to find a solution that works and that I can support myself.  Eventually known problems get fixed and features get added and I then take advantage of those.  Since I'm not a coder, I really can't add a lot to the project but I really appreciate those who do all the heavy brain work.

CS...
« Reply #3 on: March 21, 2008, 12:18:29 »
Manuel Kasper
Administrator
*****
Posts: 364

Quote from Greg: "Would it be fair to assume that m0n0wall is no longer being supported by a product development team?"

m0n0wall has never been "supported by a product development team". Anyone can provide code for new features and patches, and if they fit in with the general scheme, they will eventually be included. If nobody does, then things just stay the same.

Quote from Greg: "If this is the case, are the only available support options by other users and reading the code ourselves?"

Yes. That's the way free software works. Or have you paid someone for m0n0wall support? I guess not, and you (hopefully) haven't had to pay for m0n0wall either, so you also can't demand a quick solution for a problem that could just as well be related to a configuration issue on your side.

How about posting the config.xml of the box where the DynDNS update doesn't work? That would at least give someone else (perhaps me) a chance to reproduce the problem.
« Reply #4 on: March 21, 2008, 16:08:59 »
Greg *
Posts: 12

Thank you for the reply!  You are correct that I have not paid anything for m0n0wall support and that I should not expect fast turnaround on fixes as a result.  I have taken m0n0wall into a commercial application which may have not been smart on my part.  I apologize for sounding demanding -- my goal was to determine the level of support that is available for the product -- and I now know.  Please know that not all open source free software has the same level of support.  Taking CentOS and/or Apache into a commercial environment is something I would not think twice about due to the level of support available on these products.

m0n0wall is a GREAT contribution to the open source community.  Thank you again for your attention to quality and followup on concerns for users.  Please also find the PayPal Donation that we just made.  We really do appreciate the work you are doing here.

The xml you requested is attached below (by the way, I tried to attach the file but xml is not a valid filetype).

<?xml version="1.0"?>
<m0n0wall>
   <version>1.6</version>
   <lastchange>1205030290</lastchange>
   <system>
      <hostname>gateway</hostname>
      <domain>localdomain</domain>
      <dnsallowoverride/>
      <username>admin</username>
      <password>xxpasswordxx</password>
      <timezone>America/Los_Angeles</timezone>
      <time-update-interval>300</time-update-interval>
      <timeservers>pool.ntp.org</timeservers>
      <webgui>
         <protocol>http</protocol>
         <port/>
         <certificate/>
         <private-key/>
      </webgui>
   </system>
   <interfaces>
      <lan>
         <if>sis1</if>
         <ipaddr>10.43.6.1</ipaddr>
         <subnet>24</subnet>
         <media/>
         <mediaopt/>
      </lan>
      <wan>
         <if>sis0</if>
         <mtu/>
         <media/>
         <mediaopt/>
         <spoofmac/>
         <ipaddr>pppoe</ipaddr>
      </wan>
      <opt1>
         <descr>Backhaul</descr>
         <if>sis2</if>
         <ipaddr>10.43.7.1</ipaddr>
         <subnet>24</subnet>
         <bridge/>
         <enable/>
      </opt1>
      <opt2>
         <descr>Johnson</descr>
         <if>sis3</if>
         <ipaddr>10.43.8.1</ipaddr>
         <subnet>24</subnet>
         <bridge/>
         <enable/>
      </opt2>
      <opt3>
         <descr>WebSwitch</descr>
         <if>sis4</if>
         <ipaddr>10.43.9.1</ipaddr>
         <subnet>24</subnet>
         <bridge>opt1</bridge>
         <enable/>
         <media>100baseTX</media>
         <mediaopt>full-duplex</mediaopt>
      </opt3>
   </interfaces>
   <staticroutes/>
   <pppoe>
      <username>xxemalixx@sbcglobal.net</username>
      <password>xxpasswordxx</password>
      <provider/>
      <timeout/>
   </pppoe>
   <pptp/>
   <bigpond/>
   <dyndns>
      <type>dyndns-custom</type>
      <username>headingup</username>
      <password>xxpasswordxx</password>
      <host>headingup.com</host>
      <mx/>
      <server/>
      <port/>
      <enable/>
   </dyndns>
   <dnsupdate>
      <host/>
      <ttl>60</ttl>
      <keyname/>
      <keydata/>
   </dnsupdate>
   <dhcpd>
      <lan>
         <enable/>
         <range>
            <from>10.43.6.100</from>
            <to>10.43.6.199</to>
         </range>
         <defaultleasetime/>
         <maxleasetime/>
      </lan>
   </dhcpd>
   <pptpd>
      <mode/>
      <redir/>
      <localip/>
      <remoteip/>
   </pptpd>
   <dnsmasq>
      <enable/>
      <hosts>
         <host>bheast</host>
         <domain>headingup.net</domain>
         <ip>10.43.7.3</ip>
         <descr>Backhaul Radio East</descr>
      </hosts>
      <hosts>
         <host>bhwest</host>
         <domain>headingup.net</domain>
         <ip>10.43.7.2</ip>
         <descr>Backhaul Radio West</descr>
      </hosts>
      <hosts>
         <host>orrranch</host>
         <domain>headingup.net</domain>
         <ip>10.43.7.10</ip>
         <descr>WAN of Sims Router</descr>
      </hosts>
   </dnsmasq>
   <snmpd>
      <syslocation/>
      <syscontact/>
      <rocommunity>xxpasswordxx</rocommunity>
   </snmpd>
   <diag>
      <ipv6nat>
         <ipaddr/>
      </ipv6nat>
   </diag>
   <bridge/>
   <syslog>
      <nentries>500</nentries>
      <remoteserver/>
      <reverse/>
   </syslog>
   <nat>
      <rule>
         <protocol>tcp</protocol>
         <external-port>1-65535</external-port>
         <target>10.43.7.10</target>
         <local-port>1</local-port>
         <interface>wan</interface>
         <descr>All Ports to Orr Ranch</descr>
      </rule>
   </nat>
   <filter>
      <rule>
         <type>pass</type>
         <interface>wan</interface>
         <source>
            <any/>
         </source>
         <destination>
            <address>10.43.7.10</address>
         </destination>
         <descr>All Traffic to Orr Ranch</descr>
      </rule>
      <rule>
         <type>pass</type>
         <interface>opt3</interface>
         <source>
            <network>opt3</network>
         </source>
         <destination>
            <any/>
         </destination>
         <descr>Allow WebSwitch Anywhere</descr>
      </rule>
      <rule>
         <type>pass</type>
         <interface>opt3</interface>
         <protocol>tcp</protocol>
         <source>
            <any/>
         </source>
         <destination>
            <address>10.43.9.10</address>
            <port>80</port>
         </destination>
         <descr>Allow Anyone to Reach WebSwitch 10.43.9.10:80</descr>
      </rule>
      <rule>
         <type>pass</type>
         <interface>opt2</interface>
         <source>
            <network>opt2</network>
         </source>
         <destination>
            <any/>
         </destination>
         <descr>Default Johnson -&gt; Any</descr>
      </rule>
      <rule>
         <type>pass</type>
         <interface>opt1</interface>
         <source>
            <network>opt1</network>
         </source>
         <destination>
            <any/>
         </destination>
         <descr>Default Backhaul -&gt; Any</descr>
      </rule>
      <rule>
         <type>pass</type>
         <interface>opt1</interface>
         <source>
            <any/>
         </source>
         <destination>
            <network>opt1</network>
         </destination>
         <descr/>
      </rule>
      <rule>
         <type>pass</type>
         <interface>lan</interface>
         <source>
            <network>lan</network>
         </source>
         <destination>
            <any/>
         </destination>
         <descr>Default LAN -&gt; any</descr>
      </rule>
      <tcpidletimeout/>
   </filter>
   <ipsec>
      <tunnel>
         <interface>wan</interface>
         <local-subnet>
            <address>10.43.7.0/24</address>
         </local-subnet>
         <remote-subnet>192.168.1.0/24</remote-subnet>
         <remote-gateway>64.142.28.97</remote-gateway>
         <p1>
            <mode>aggressive</mode>
            <myident>
               <myaddress/>
            </myident>
            <encryption-algorithm>3des</encryption-algorithm>
            <hash-algorithm>sha1</hash-algorithm>
            <dhgroup>2</dhgroup>
            <lifetime>28800</lifetime>
            <pre-shared-key>xxkeyxx</pre-shared-key>
            <private-key/>
            <cert/>
            <peercert/>
            <authentication_method>pre_shared_key</authentication_method>
         </p1>
         <p2>
            <protocol>esp</protocol>
            <encryption-algorithm-option>3des</encryption-algorithm-option>
            <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
            <pfsgroup>0</pfsgroup>
            <lifetime>28800</lifetime>
         </p2>
         <descr>Gateway Christian Church LAN</descr>
      </tunnel>
      <tunnel>
         <disabled/>
         <interface>wan</interface>
         <local-subnet>
            <address>10.43.7.0/24</address>
         </local-subnet>
         <remote-subnet>pub-ip/32</remote-subnet>
         <remote-gateway>pub-ip</remote-gateway>
         <p1>
            <mode>aggressive</mode>
            <myident>
               <fqdn>ipsec0</fqdn>
            </myident>
            <encryption-algorithm>3des</encryption-algorithm>
            <hash-algorithm>sha1</hash-algorithm>
            <dhgroup>2</dhgroup>
            <lifetime>3600</lifetime>
            <pre-shared-key>xxkeyxx</pre-shared-key>
            <private-key/>
            <cert/>
            <peercert/>
            <authentication_method>pre_shared_key</authentication_method>
         </p1>
         <p2>
            <protocol>esp</protocol>
            <encryption-algorithm-option>3des</encryption-algorithm-option>
            <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
            <pfsgroup>2</pfsgroup>
            <lifetime>3600</lifetime>
         </p2>
         <descr>raystedman.org</descr>
      </tunnel>
      <enable/>
   </ipsec>
   <aliases/>
   <proxyarp/>
   <wol/>
   <shaper>
      <pipe>
         <descr>m_Total Upload</descr>
         <bandwidth>387</bandwidth>
      </pipe>
      <pipe>
         <descr>m_Total Download</descr>
         <bandwidth>2423</bandwidth>
      </pipe>
      <queue>
         <descr>m_High Priority #1 Upload</descr>
         <targetpipe>0</targetpipe>
         <weight>50</weight>
      </queue>
      <queue>
         <descr>m_High Priority #2 Upload</descr>
         <targetpipe>0</targetpipe>
         <weight>30</weight>
      </queue>
      <queue>
         <descr>m_High Priority #3 Upload</descr>
         <targetpipe>0</targetpipe>
         <weight>15</weight>
      </queue>
      <queue>
         <descr>m_Bulk Upload</descr>
         <targetpipe>0</targetpipe>
         <weight>4</weight>
      </queue>
      <queue>
         <descr>m_Hated Upload</descr>
         <targetpipe>0</targetpipe>
         <weight>1</weight>
      </queue>
      <queue>
         <descr>m_Bulk Download</descr>
         <targetpipe>1</targetpipe>
         <weight>30</weight>
      </queue>
      <queue>
         <descr>m_Hated Download</descr>
         <targetpipe>1</targetpipe>
         <weight>10</weight>
      </queue>
      <queue>
         <descr>m_High Priority Download</descr>
         <targetpipe>1</targetpipe>
         <weight>60</weight>
      </queue>
      <rule>
         <descr>m_TCP ACK Upload</descr>
         <targetqueue>2</targetqueue>
         <interface>wan</interface>
         <direction>out</direction>
         <source>
            <any/>
         </source>
         <destination>
            <any/>
         </destination>
         <iplen>0-80</iplen>
         <protocol>tcp</protocol>
         <tcpflags>ack</tcpflags>
      </rule>
      <rule>
         <descr>m_Small Pkt Upload</descr>
         <targetqueue>0</targetqueue>
         <interface>wan</interface>
         <direction>out</direction>
         <source>
            <any/>
         </source>
         <destination>
            <any/>
         </destination>
         <iplen>0-100</iplen>
      </rule>
      <rule>
         <descr>m_Outbound DNS Query</descr>
         <targetqueue>0</targetqueue>
         <interface>wan</interface>
         <direction>out</direction>
         <source>
            <any/>
         </source>
         <destination>
            <any/>
            <port>53</port>
         </destination>
         <protocol>udp</protocol>
      </rule>
      <rule>
         <descr>m_AH Upload</descr>
         <targetqueue>0</targetqueue>
         <interface>wan</interface>
         <direction>out</direction>
         <source>
            <any/>
         </source>
         <destination>
            <any/>
         </destination>
         <protocol>ah</protocol>
      </rule>
      <rule>
         <descr>m_ESP Upload</descr>
         <targetqueue>0</targetqueue>
         <interface>wan</interface>
         <direction>out</direction>
         <source>
            <any/>
         </source>
         <destination>
            <any/>
         </destination>
         <protocol>esp</protocol>
      </rule>
      <rule>
         <descr>m_GRE Upload</descr>
         <targetqueue>0</targetqueue>
         <interface>wan</interface>
         <direction>out</direction>
         <source>
            <any/>
         </source>
         <destination>
            <any/>
         </destination>
         <protocol>gre</protocol>
      </rule>
      <rule>
         <descr>m_ICMP Upload</descr>
         <targetqueue>1</targetqueue>
         <interface>wan</interface>
         <direction>out</direction>
         <source>
            <any/>
         </source>
         <destination>
            <any/>
         </destination>
         <protocol>icmp</protocol>
      </rule>
      <rule>
         <descr>m_Catch-All Upload</descr>
         <targetqueue>3</targetqueue>
         <interface>wan</interface>
         <direction>out</direction>
         <source>
            <any/>
         </source>
         <destination>
            <any/>
         </destination>
      </rule>
      <rule>
         <descr>m_ICMP Download</descr>
         <targetqueue>7</targetqueue>
         <interface>wan</interface>
         <direction>in</direction>
         <source>
            <any/>
         </source>
         <destination>
            <any/>
         </destination>
         <protocol>icmp</protocol>
      </rule>
      <rule>
         <descr>m_Small Pkt Download</descr>
         <targetqueue>7</targetqueue>
         <interface>wan</interface>
         <direction>in</direction>
         <source>
            <any/>
         </source>
         <destination>
            <any/>
         </destination>
         <iplen>0-100</iplen>
      </rule>
      <rule>
         <descr>m_AH Download</descr>
         <targetqueue>7</targetqueue>
         <interface>wan</interface>
         <direction>in</direction>
         <source>
            <any/>
         </source>
         <destination>
            <any/>
         </destination>
         <protocol>ah</protocol>
      </rule>
      <rule>
         <descr>m_ESP Download</descr>
         <targetqueue>7</targetqueue>
         <interface>wan</interface>
         <direction>in</direction>
         <source>
            <any/>
         </source>
         <destination>
            <any/>
         </destination>
         <protocol>esp</protocol>
      </rule>
      <rule>
         <descr>m_GRE Download</descr>
         <targetqueue>7</targetqueue>
         <interface>wan</interface>
         <direction>in</direction>
         <source>
            <any/>
         </source>
         <destination>
            <any/>
         </destination>
         <protocol>gre</protocol>
      </rule>
      <rule>
         <descr>m_Catch-All Download</descr>
         <targetqueue>5</targetqueue>
         <interface>wan</interface>
         <direction>in</direction>
         <source>
            <any/>
         </source>
         <destination>
            <any/>
         </destination>
      </rule>
      <magic>
         <maxup>430</maxup>
         <maxdown>2550</maxdown>
      </magic>
   </shaper>
</m0n0wall>
« Reply #5 on: March 21, 2008, 20:13:28 »
Manuel Kasper
Administrator
*****
Posts: 364

   <nat>
      <rule>
         <protocol>tcp</protocol>
         <external-port>1-65535</external-port>
         <target>10.43.7.10</target>
         <local-port>1</local-port>
         <interface>wan</interface>
         <descr>All Ports to Orr Ranch</descr>
      </rule>
   </nat>

Try removing this inbound NAT rule. When the DynDNS client attempts to update, it'll establish a TCP connection from a random port between 49152 and 65535. The NAT rule, since it applies to all ports, then probably snatches the reply and tries to forward it to 10.43.7.10.

If it works without the NAT rule, consider adding inbound NAT rules only for the ports that you actually need (or at least leave out the 49152-65535 range).
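
The check described in the reply above, as an added example (not part of the original post and not m0n0wall code): it reads a m0n0wall config.xml and lists inbound NAT rules whose external-port range overlaps 49152-65535, the range the firewall's own outbound connections use as source ports. The function names and the second, single-port rule in the sample are assumptions constructed for illustration; the first rule is the one from this thread.

```python
import xml.etree.ElementTree as ET

# Source-port range named in the thread for the firewall's own outbound TCP connections.
EPHEMERAL = (49152, 65535)

# Constructed sample: the <nat> rule from the thread plus one narrow, hypothetical rule.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<m0n0wall>
   <nat>
      <rule>
         <protocol>tcp</protocol>
         <external-port>1-65535</external-port>
         <target>10.43.7.10</target>
         <local-port>1</local-port>
         <interface>wan</interface>
         <descr>All Ports to Orr Ranch</descr>
      </rule>
      <rule>
         <protocol>tcp</protocol>
         <external-port>80</external-port>
         <target>10.43.9.10</target>
         <local-port>80</local-port>
         <interface>wan</interface>
         <descr>Constructed: single port forward</descr>
      </rule>
   </nat>
</m0n0wall>"""


def parse_port_range(text):
    """Return (low, high) for 'N' or 'N-M'; None if empty or not numeric."""
    if not text or not text.strip():
        return None
    parts = text.strip().split("-", 1)
    try:
        low, high = int(parts[0]), int(parts[-1])
    except ValueError:
        return None
    return (min(low, high), max(low, high))


def find_ephemeral_overlaps(config_xml, ephemeral=EPHEMERAL):
    """List inbound NAT rules whose external-port range overlaps `ephemeral`."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.findall("./nat/rule"):
        ports = parse_port_range(rule.findtext("external-port"))
        if ports is None:
            continue
        # Intersection of the rule's range with the ephemeral range.
        low, high = max(ports[0], ephemeral[0]), min(ports[1], ephemeral[1])
        if low <= high:
            findings.append({
                "descr": rule.findtext("descr", default=""),
                "interface": rule.findtext("interface", default=""),
                "external_port": rule.findtext("external-port"),
                "overlap": (low, high),
            })
    return findings


if __name__ == "__main__":
    for f in find_ephemeral_overlaps(SAMPLE_CONFIG):
        print("%(interface)s %(external_port)s overlaps %(overlap)s: %(descr)s" % f)
```

Any rule it reports is a candidate for narrowing to the specific ports that are actually needed, as suggested in the reply.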
« Reply #6 on: March 21, 2008, 21:27:48 »
Greg *
Posts: 12

Manuel,

Thank you for the solution -- It fixes the problem with DYNDNS!

Greg

 