Topic: LAN to OPT1 communication
« on: May 22, 2008, 17:12:06 »
Ksnake00

I have monowall between 2 internal networks and a WAN.

LAN  =  172.16.0.0
OPT1=  172.16.10.0

I need to be able to make requests for the webserver that sits at 172.16.10.2 from the entire 172.16.0.0 subnet.

I have tried for 3 hours to figure this out to no avail.  I have used other firewalls (MS ISA, FIREBOX) and they have worked....but I am just not getting it apparently.  I have routers on both sides (LAN, OPT1).

I have tried simple NAT, straight firewall rules, etc....but I am getting nowhere.

When I set the rules for logging...I can see the requests that come from the LAN interface and the destination of those packets is correctly reporting the OPT1 interface....but I still get nothing from the LAN side as far as web server response.

I feel dumber than a post.  Help!

Kevin E
« Reply #1 on: May 22, 2008, 22:22:11 »
knightmb

You need to connect a machine on LAN to another one on OPT1 right? You aren't talking about broadcast packets correct?  By default, your LAN firewall rule allows you to connect anywhere, but there is no default firewall for OPT1, so you'll have to create a "allow all" rule for OPT1 before the two can talk with each other. Have you done that already?
« Last Edit: June 22, 2008, 06:05:46 by knightmb »

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #2 on: May 23, 2008, 04:42:25 »
Ksnake00

I had tried several different combinations and then in my final frustrated attempt....I set a rule for the LAN interface that was Allow ALL and I set a rule on the OPT1 interface that was Allow All.  This set up still didn't work.  I then left both Allow ALL rules on and added a NAT mapping that directed any port 80 request from the 172.16.0.0 interface (LAN) to 172.16.10.2 (the web server on the OPT1 network) and still no joy.


I took the monowall firewall out of the middle and placed a firebox that I have in place, and set a firewall rule to allow port 80 from the 172.16.0.0 to 172.16.10.0 and magically everything worked.

signed,
this shouldn't be this hard.
« Reply #3 on: May 23, 2008, 08:09:52 »
knightmb

I agree, I have a setup almost like this and the default "allow all" rules on both the LAN and OPT1 allowed communications between the two without any issues. I guess you can't even ping between those two LAN networks also?

In these cases, it's down to troubleshooting by simplification of hardware. You have two networks, both on separate switches, all work fine by themselves, but when trying to get the two to talk to each other, nothing works.

The only variable is m0n0wall since the other router you put in between works without any issues. First, I've attached a screenshot of mine, so minus the part that the IP range is different, basically your config is very similar to this right in that OPT1 is not bridged, and the LAN and OPT1 firewall rules are the "allow all" type?


[Attachment: m0n0wall screenshots 01.gif]

« Reply #4 on: May 23, 2008, 15:08:30 »
Ksnake00

yes....with the exception of differing subnets....it is exactly the same.
« Reply #5 on: May 23, 2008, 18:37:05 »
knightmb

Are you using DHCP on both of those? Or are you using your own DHCP server and not the one built-in to m0n0wall?

« Reply #6 on: May 28, 2008, 09:05:22 »
jims

I have the same setup and the same frustration. The only thing I can think of is that monowall does not like non-routable subnets on OPT1. I don't have a routable one to try however. I also see that several other users are having this same problem (search for OPT1); the problems are each a little different, but I believe this thread covers the root cause.
« Reply #7 on: May 28, 2008, 10:38:00 »
markb

What is your subnet mask for the different subnets? Are you using a class C mask (24bit) with these class B addresses?
« Reply #8 on: May 29, 2008, 04:20:31 »
jims

The OPT1 interface is 10.16.143.128/26, but the LAN1 is 192.168.1.0/24. I'm happy to provide remote access if anyone would like to see for themselves.
« Reply #9 on: May 29, 2008, 06:15:00 »
knightmb

I would like to figure out the key difference though; if m0n0wall doesn't like non-routable subnets, then mine shouldn't work either.

I do know for example, that the Windows XP built-in firewall only allows packets on the same scope range to be received (such as 192.168.0.X) and if you had an OPT1 in which it was a 192.168.2.X/24 range, you have to be sure to update your XP firewall rules for these two networks to work (machine wise). I think the OS and setup of the machines is important as well. Just to rule out as much as we can.


[Attachment: windows xp sp2 firewall scope change.gif]

« Reply #10 on: June 21, 2008, 16:01:03 »
Seb74

I don't know about your problems here, just thought I'd ask if you're supposed to be able to have two different RFC1918 subnets on the LAN and OPT1, having both of them work with Port Address Translation and NAT forwarding?
Or does it get "too much" in some way when there are two different nets on two interfaces that use PAT at the same time?

Anyway, seems to be troublesome for some guys in here....maybe I should have gotten a 2-port machine instead if the 3 NIC solution is useless....
« Reply #11 on: June 22, 2008, 06:12:59 »
knightmb

The OPT1 interface is 10.16.143.128/26, but the LAN1 is 192.168.1.0/24 I'm happy to provide remote access if anyone would like to see for themselves.
Ok, I see where our setups differ here then. The /26 is the 255.255.255.192 subnet.  It might be that the different subnets won't talk to each other, have you tried just setting OPT1 to /24 subnet just to see if that solves the issue? Then set it back to /26 and see if the issue comes back?

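markb's question about a class C mask on class B addresses and knightmb's /26 remark both come down to the same checks: do the two interface networks overlap, and does a host's own mask make the far network look on-link so that it never hands the packet to m0n0wall at all. The following Python script is an added example, not code from the thread or from m0n0wall, that runs those checks on the addresses posted above; the firewall interface addresses (.1 on each side) and the LAN client address (.5) are assumed.

```python
import ipaddress

def netmask_of(cidr):
    """Dotted netmask for a CIDR prefix, e.g. /26 -> 255.255.255.192."""
    return str(ipaddress.ip_network(cidr, strict=False).netmask)

def subnets_overlap(lan_cidr, opt1_cidr):
    """True if the two interface networks share any address space."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    opt1 = ipaddress.ip_network(opt1_cidr, strict=False)
    return lan.overlaps(opt1)

def next_hop(host_cidr, dest_ip):
    """How a host configured as host_cidr (address/prefix) reaches dest_ip:
    'on-link' means it ARPs for the destination directly and the firewall
    never sees the packet; 'via-gateway' means it sends it to its default
    gateway, i.e. m0n0wall."""
    host = ipaddress.ip_interface(host_cidr)
    return "on-link" if ipaddress.ip_address(dest_ip) in host.network else "via-gateway"

def check_layout(fw_lan, fw_opt1, lan_host, opt1_server):
    """Collects the mask problems an admin would look for before touching
    firewall rules. Returns a list of findings; empty means the layout routes."""
    issues = []
    lan_net = ipaddress.ip_interface(fw_lan).network
    opt1_net = ipaddress.ip_interface(fw_opt1).network
    if lan_net.overlaps(opt1_net):
        issues.append(f"overlap: {lan_net} and {opt1_net} cannot be routed between")
    host = ipaddress.ip_interface(lan_host)
    if host.network.prefixlen != lan_net.prefixlen:
        issues.append(f"mask mismatch: host uses /{host.network.prefixlen}, "
                      f"firewall LAN is /{lan_net.prefixlen}")
    server = ipaddress.ip_interface(opt1_server).ip
    if next_hop(lan_host, str(server)) == "on-link":
        issues.append(f"{host.ip} treats {server} as on-link and never sends it to m0n0wall")
    return issues

if __name__ == "__main__":
    # Assumed addresses: firewall .1 on each side, LAN client .5, web server from the thread.
    print(check_layout("172.16.0.1/24", "172.16.10.1/24", "172.16.0.5/24", "172.16.10.2/24"))
    # Same layout, but the LAN client carries the class B default mask (/16).
    print(check_layout("172.16.0.1/24", "172.16.10.1/24", "172.16.0.5/16", "172.16.10.2/24"))
    print(netmask_of("10.16.143.128/26"))
```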