Topic: Not sure if NAT is needed  (Read 3432 times)
« on: April 17, 2008, 02:03:49 »
wxman *
Posts: 17

I'm still in learning mode for monowall, and I have it up and running except I can't get my web server to be seen by the Internet.

I have a WAN connection going to monowall, a LAN connection to a PC next to it. The web server is on OPT1. I have separate cards for each connection, so I thought all I needed to do was set the IP address on OPT1 interface settings to my public IP address that I was using already on the server. I have a block of 5 static IP addresses from my ISP, and I have the server set up using the first one.

If I connect my WAN connection back on to my server (direct from the modem), everything works fine. I followed all the instructions in the guide for setting monowall up, but I get confused over NATs. From what I read in other posts, I couldn't figure out if that's what I was supposed to be using. I also set a rule that I think allows everything on OPT1. I know this sounds random, but it's late, I'm really tired, and frustrated. If anyone has any ideas, I will be happy to fill in any info I left out.

Thanks.
« Reply #1 on: April 17, 2008, 02:49:56 »
ChainSaw
Guest

I would suggest you set things up something like this:

1. set your WAN port up to use your 1st Public IP
2. set your LAN port to 192.168.10.1
3. set your OPT1 port to 192.168.11.1
4. add a "web1" alias for your web server and point it to 192.168.11.20
5. set your web server's IP to 192.168.11.20
6. 1:1 NAT your 2nd Public IP to 192.168.11.20
7. add a WAN rule:  TCP  *  *  web1  HTTP
8. add a Default OPT1 to any rule
9. add Proxy Arp entries for your 2nd, 3rd, 4th and 5th Public IP

CS...
« Last Edit: April 17, 2008, 03:27:57 by ChainSaw »
« Reply #2 on: April 17, 2008, 17:33:57 »
wxman *
Posts: 17

Hi ChainSaw

You seem to be the answer person around here. I think I follow your suggestions, and I'm going to give them a try after I get back from work this weekend.
With this sort of setup, have you ever seen how someone adds a wireless router to the system? When I was doing the testing yesterday, the wireless router seemed to be a problem. I need to do some research on how to set it up so I can still get Internet access through it. All I know was every time I connected up the Linksys router, the rest of the system went down. I did disable DHCP, but I know I had it set up wrong somehow.
« Reply #3 on: April 17, 2008, 19:18:11 »
ChainSaw
Guest

yes but the question is are they the right answers :)

sounds like you might have an IP conflict.  m0n0wall's default LAN IP is 192.168.1.1 and that is also a common IP for lots of wireless routers and other network devices (that is why I suggested you use 192.168.10.1 in step 2 above). make sure your wireless router's IP address is set to an unused LAN interface address.  I usually use 192.168.x.3 for my first access point.  also, don't connect anything to the WAN port and keep the DHCP server disabled.

CS...

« Last Edit: April 17, 2008, 19:32:16 by ChainSaw »
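An added example, not part of either poster's messages and not m0n0wall code: a small Python check of the addressing plan from Reply #1 (separate subnets per interface, a 1:1 NAT target that is a host behind the firewall, proxy ARP for the external address, and a WAN rule aimed at the NAT target). The dictionary layout and the function name `check_plan` are assumptions made for this sketch, and 203.0.113.0/29 is a constructed stand-in for the masked public block.

```python
import ipaddress as ip

# Constructed plan: 203.0.113.0/29 stands in for the ISP block, which the
# thread masks; the private addresses are the ones suggested in Reply #1.
GOOD = {
    "interfaces": {"wan": "203.0.113.2/29", "lan": "192.168.10.1/24",
                   "opt1": "192.168.11.1/24"},
    "aliases": {"web1": "192.168.11.20"},
    "one_to_one": {"203.0.113.3": "192.168.11.20"},   # external -> internal
    "proxy_arp": ["203.0.113.3", "203.0.113.4", "203.0.113.5", "203.0.113.6"],
    "wan_rules": [("web1", 80)],                      # pass TCP * * web1 HTTP
}

def check_plan(plan):
    """Return a list of consistency problems in a 1:1 NAT addressing plan."""
    problems = []
    ifaces = {n: ip.ip_interface(a) for n, a in plan["interfaces"].items()}
    names = sorted(ifaces)
    # Each routed interface needs its own subnet; overlap breaks routing.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                problems.append(f"{a} and {b} subnets overlap")
    wan = ifaces["wan"]
    inside_nets = [v for n, v in ifaces.items() if n != "wan"]
    proxy_arp = {ip.ip_address(x) for x in plan["proxy_arp"]}
    nat_targets = set()
    for ext, internal in plan["one_to_one"].items():
        ext, internal = ip.ip_address(ext), ip.ip_address(internal)
        nat_targets.add(internal)
        if ext not in wan.network:
            problems.append(f"{ext} is not in the WAN subnet")
        if ext not in proxy_arp:
            problems.append(f"no proxy ARP entry for {ext}")
        if not any(internal in v.network and internal != v.ip for v in inside_nets):
            problems.append(f"{internal} is not a host on LAN or OPT1")
    # WAN pass rules point at the internal address behind the NAT (step 7).
    for alias, port in plan["wan_rules"]:
        target = plan["aliases"].get(alias)
        if target is None or ip.ip_address(target) not in nat_targets:
            problems.append(f"rule for port {port}: {alias} is not a 1:1 NAT target")
    return problems

if __name__ == "__main__":
    print(check_plan(GOOD) or "plan is consistent")
```
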
« Reply #4 on: April 17, 2008, 19:43:46 »
wxman *
Posts: 17

I was thinking the same thing about the IP conflict. What's frustrating is when I tried to change the default IP address using the Linksys interface, it actually wouldn't let me. I can set the static IP setting OK, but if I changed the network setup local IP address, it locks up and won't let me back in. If I have to, I'll contact Linksys tech support about that little problem.

I won't be able to try any of this till I get back from my weekend job, so I'll let you know Monday how much more I broke.

Thanks again. 
« Reply #5 on: April 21, 2008, 22:50:53 »
wxman *
Posts: 17

Quote from: ChainSaw

I would suggest you set things up something like this:

1. set your WAN port up to use your 1st Public IP
2. set your LAN port to 192.168.10.1
3. set your OPT1 port to 192.168.11.1
4. add a "web1" alias for your web server and point it to 192.168.11.20
5. set your web server's IP to 192.168.11.20
6. 1:1 NAT your 2nd Public IP to 192.168.11.20
7. add a WAN rule:  TCP  *  *  web1  HTTP
8. add a Default OPT1 to any rule
9. add Proxy Arp entries for your 2nd, 3rd, 4th and 5th Public IP

CS...

Hi CS

Well - of course it didn't work. Nothing is ever that easy. I was able to set my wireless router to a new internal IP address, so I'm leaving monowall at 192.168.1.1. The Linksys router is 192.168.10.1.

1. I set the WAN port to: Type=static;  IP address: 64.xxx.xxx.202/5;  Gateway: 64.xxx.xxx.1

2. LAN was left at 191.168.1.1

3. OPT1 port: Bridge:none;  IP: 192.168.11.1/24

4. added web1 alias type:Host; IP: 192.168.11.20

5. Skipped for now till I get the LAN back online.

6. 1:1 NAT(Wasn't sure about this part). Interface:WAN; external subnet: 64.xxx.xxx.203;  Internal subnet: 192.168.11.20

steps 7. and 8. I couldn't even find where to set "web1" and "HTTP"

9. I think I set it up right for the rest of my 5 IP addresses.

After all was set up, I can obviously get into the GUI for monowall with the local computer, but there is no Internet. I also can't connect to the server yet, but like I said, I want the LAN set up first, with Internet connections. Sorry if I'm being a problem, I just thought I would have an easier time with this.

Thanks
« Reply #6 on: April 26, 2008, 15:01:12 »
wxman *
Posts: 17

Do I also need to set up port forwarding on OPT1/web1?
« Reply #7 on: April 26, 2008, 21:09:51 »
ChainSaw
Guest

if you set up your 1:1 NAT rule and Proxy ARP correctly, all you need to do is add a WAN pass rule for each port you want to allow to pass to your web1 server.

CS... 
« Last Edit: April 29, 2008, 05:07:53 by ChainSaw »
« Reply #8 on: April 29, 2008, 17:24:34 »
wxman *
Posts: 17

I'm starting to think I need to look for an "Idiots Guide to Monowall" book or something.

I tried an experiment. My web server is currently set up using the first public IP address for itself and the nameserver. Of course that means the nameserver and the test web sites on it are registered pointing to that address (64.xxx.xxx.202). I wanted to see if I could get just the web server to connect through monowall, so I connected the WAN directly to the router, my LAN PC via a crossover cable, and my web server via a crossover cable. I can log onto the monowall interface just fine, and I have Internet connectivity on my LAN computer.

My understanding was all I needed to do was in monowall, tell the OPT1 interface to use the 64.xxx.xxx.202 address, and set a single rule for OPT1 allowing all. Since I'm not changing the IP address there should be no delay, and I should have been able to get to the test site on my server.

Of course I couldn't, so here I am again. I know I must be missing something simple and obvious, but I'm still too new at this to figure it out; and I hate being too new at this sort of thing.