Topic: Third interface does not allow ping/traffic? (resolved)  (Read 4571 times)
« on: April 03, 2007, 20:39:16 »
LifeBoy *
Posts: 13

I have added a third interface card (ethernet) to a m0n0wall server, and would like to connect a wifi gateway router through it.  The original setup was:

WAN <--- > m0n0wall <----> LAN

I have some port forwarding set up to allow RDP access from the internet, as well as SMTP and some HTTP/HTTPS service on the LAN.  The third interface is meant to allow users on a Freifunk Community Mesh network to have an internet gateway as follows:

WAN <--- > m0n0wall <----> LAN
                         ^
                         +------------> WIFI

I changed the OPT1 default name to WIFI.

The wifi interface is 10.10.10.1/30 and the wifi router (a Linksys WRT54GL flashed with Freifunk) uses 10.10.10.2/30 on its ethernet gateway side.  ICMP packets from Freifunk are accepted by the m0n0wall as per the log.  I have blocked NetBIOS ports and access to the LAN address via the WIFI interface, but allow all other traffic to all other destinations.

The problem is that I get the following error:
/kernel: arplookup 10.10.10.2 failed: host is not on local network

Now 10.10.10.2 is on the local network by virtue of 10.10.10.1 being the interface it connects via.
The arp table doesn't show 10.10.10.1 or 10.10.10.2 though.

I have spent eons of fruitless hours asking google, reading m0n0wall FAQs and documentation, but something is eluding my attention.  I have found mention of a static route that has to be added, but no matter what route I add,
a) the error does not go away, and
b) the Freifunk network relies on a persistent ping, which fails to return to the sending interface it seems and so there is no internet access from the WIFI network.

What is wrong / what do I need to do to get this to work?

O, and I'm running on version 1.2 at the moment.


Thanks all!

« Last Edit: April 13, 2007, 09:51:52 by LifeBoy »
« Reply #1 on: April 03, 2007, 20:54:04 »
LifeBoy *
Posts: 13

O, I forgot to say that I am running version 1.2
« Reply #2 on: April 03, 2007, 21:06:25 »
LifeBoy *
Posts: 13

Just rereading my post, I realise it may be confusing, so allow me to clarify: I renamed the third interface from OPT1 to WIFI
« Reply #3 on: April 03, 2007, 21:58:47 »
LifeBoy *
Posts: 13

more detail after more testing:

M0n0wall says the interface is up

WIFI interface
Status up 
MAC address 00:15:e9:b0:2e:3d 
IP address 10.10.10.1   
Subnet mask 255.255.255.252 
Media 100baseTX <full-duplex> 
In/out packets 13878/6501 (1.15 MB/393 KB) 
In/out errors 0/0 
Collisions 0 

But I cannot ping either 10.10.10.1 or 10.10.10.2 from m0n0wall.  Surely that should be possible?

I receive pings from that interface:

  21:56:25.833742 WIFI 10.10.10.2 196.35.140.58, type echo/0 ICMP

but like I said before, they are not returned to the originator.

Please help.  If there's anything more that's needed in terms of settings or configs, please ask and I will send it.
« Reply #4 on: April 04, 2007, 01:50:58 »
cmb *****
Posts: 851

What is 10.10.10.2? What networks are off of this WIFI interface? You'll need static routes for whatever networks are on the WIFI interface.
« Reply #5 on: April 04, 2007, 09:55:14 »
LifeBoy *
Posts: 13

What is 10.10.10.2? What networks are off of this WIFI interface? You'll need static routes for whatever networks are on the WIFI interface.

10.10.10.2 is the WAN port of the Linksys WRT54GL (the other end of the connection to WIFI).  In other words the WIFI interface is 10.10.10.1 and at the other end of the cable (so to speak) is 10.10.10.2.

I have read about the requirement for a static route before, but I can't figure out how to add it correctly.  Firstly, since I use DHCP to assign the network address for the Linksys, it should sort the routes out by itself, not so? 

Assuming that for some reason DHCP doesn't create the routes, then the following are required in the GUI setup:

Interface  WIFI
Destination network 10.10.1.0/24
Gateway  10.10.10.1

[Internet] <-------> WAN [monowall] WIFI <--------> WAN [Linksys] Wireless
                                    10.10.10.1/30   10.10.10.2/30 10.10.1.1/24 ...

So I have now added a static route as follows:
Interface Network Gateway Description 
WIFI  10.10.1.0/24  10.10.10.1  Wifi network   

Is that all that is required?  Do I also need to set a static route for every other possible network on the Wifi connection?  I understand that if the addresses are NAT'ed (for example the addresses of wireless clients connecting to the wireless mesh are 192.168.x.x addresses) then I don't need a static route to them since the NAT translates the addresses.  Is that right?  The default gateway on my wifi network is 10.10.1.1, so as long as there's a static route from monowall via the WIFI port to that address, it should work?  Please correct me if I'm wrong.

I would think that making this a pertinent point in the FAQ or even the manual, would be really helpful.  It may be so obvious to those seasoned netops that use M0n0wall, but it's not obvious at all to people that set these things up occasionally and then battle for days with strange behaviours.
« Last Edit: April 04, 2007, 10:07:56 by LifeBoy »
« Reply #6 on: April 05, 2007, 03:23:28 »
cmb *****
Posts: 851

10.10.10.2 is the WAN port of the Linksys WRT54GL (the other end of the connection to WIFI).

Ok, then the reason you can't ping that is probably because the Linksys drops pings to its WAN by default.


I have read about the requirement for a static route before, but I can't figure out how to add it correctly.  Firstly, since I use DHCP to assign the network address for the Linksys, it should sort the routes out by itself, not so? 

For any directly attached networks, static routes aren't needed. m0n0wall won't be handing out IP's that are off of any directly attached interface. The networks you show coming in on your WIFI interface are on another subnet - your firewall needs to know how to return that traffic. Without the routes, the firewall has to assume they're reachable via your WAN interface since that's where the default gateway is.


Interface  WIFI
Destination network 10.10.1.0/24
Gateway  10.10.10.1

Not quite - should be gateway 10.10.10.2, since that network is behind the Linksys.

Do I also need to set a static route for every other possible network on the Wifi connection? 

Yes.

I understand that if the addresses are NAT'ed (for example the addresses of wireless clients connecting to the wireless mesh are 192.168.x.x addresses) then I don't need a static route to them since the NAT translates the addresses.  Is that right? 

Only as long as those IP's are NAT'ed to something that m0n0wall knows is reachable via your Linksys. If your Linksys would NAT everything to its WAN IP, you wouldn't need any static routes. Double NAT'ing isn't pretty, but it may be easier for you and work equally well in this situation.


The default gateway on my wifi network is 10.10.1.1, so as long as there's a static route from monowall via the WIFI port to that address, it should work?  Please correct me if I'm wrong.

There needs to be a static route like the one above (correcting the gateway as I said) for every network reachable through the WIFI interface.


I would think that making this a pertinent point in the FAQ or even the manual, would be really helpful.  It may be so obvious to those seasoned netops that use M0n0wall, but it's not obvious at all to people that set these things up occasionally and then battle for days with strange behaviours.

It's not "strange behavior" at all, it's how IP routing works with any firewall, router, or other network device - network devices need routes to connect to anything not on a directly connected interface if that network isn't reachable through the default gateway. It should indeed be covered in the documentation, I just haven't had time to do so and essentially nobody else contributes documentation. You're welcome to start a page about static routes on the wiki at http://wiki.m0n0.ch and it'll make its way into the documentation.
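Added example, not part of either poster's message and not m0n0wall code: a small Python model of the route lookup described in Reply #6, showing where return traffic for the mesh network goes with and without the static route, and why 10.10.10.1 cannot be the gateway. The WAN/LAN addresses, the default gateway, the mesh client 10.10.1.25 and the function names are assumptions made for illustration.

```python
import ipaddress

# WIFI is the interface from the thread; the WAN/LAN addresses and the
# default gateway are constructed placeholders (documentation ranges).
INTERFACES = {
    "WAN": ipaddress.ip_interface("203.0.113.2/24"),
    "LAN": ipaddress.ip_interface("192.168.1.1/24"),
    "WIFI": ipaddress.ip_interface("10.10.10.1/30"),
}
DEFAULT_ROUTE = ("WAN", ipaddress.ip_address("203.0.113.1"))


def gateway_problem(iface, gateway):
    """Return None if `gateway` is a usable next hop on `iface`, else why not."""
    gw = ipaddress.ip_address(gateway)
    local = INTERFACES[iface]
    if gw == local.ip:
        return "gateway is the firewall's own address, not a next hop"
    if gw not in local.network:
        return "gateway is not on the interface's directly attached subnet"
    return None


def lookup(dest, static_routes):
    """Longest-prefix match; returns (egress interface, next hop or None)."""
    dst = ipaddress.ip_address(dest)
    matches = []
    # Directly attached networks need no gateway (next hop None).
    for name, iface in INTERFACES.items():
        if dst in iface.network:
            matches.append((iface.network.prefixlen, name, None))
    # Static routes are entered as (interface, network, gateway).
    for iface, network, gateway in static_routes:
        net = ipaddress.ip_network(network)
        if dst in net:
            matches.append((net.prefixlen, iface, ipaddress.ip_address(gateway)))
    if not matches:
        return DEFAULT_ROUTE  # anything unknown leaves via the WAN
    _, name, hop = max(matches, key=lambda m: m[0])
    return name, hop


if __name__ == "__main__":
    client = "10.10.1.25"  # constructed host behind the Linksys
    print("no static route :", lookup(client, []))
    print("gateway .1 check:", gateway_problem("WIFI", "10.10.10.1"))
    print("gateway .2 check:", gateway_problem("WIFI", "10.10.10.2"))
    fixed = [("WIFI", "10.10.1.0/24", "10.10.10.2")]
    print("with route      :", lookup(client, fixed))
```
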

« Reply #7 on: April 12, 2007, 14:15:02 »
LifeBoy *
Posts: 13

I would think that making this a pertinent point in the FAQ or even the manual, would be really helpful.  It may be so obvious to those seasoned netops that use M0n0wall, but it's not obvious at all to people that set these things up occasionally and then battle for days with strange behaviours.

It's not "strange behavior" at all, it's how IP routing works with any firewall, router, or other network device - network devices need routes to connect to anything not on a directly connected interface if that network isn't reachable through the default gateway. It should indeed be covered in the documentation, I just haven't had time to do so and essentially nobody else contributes documentation. You're welcome to start a page about static routes on the wiki at http://wiki.m0n0.ch and it'll make its way into the documentation.

Thanks for the explanation, Chris.  I understand that I need to have a route to the "other networks" that are reachable via the linksys.  What I don't quite understand however, is why the arp error appeared in the logs before I added that route.  Surely the 10.10.10.1 address is local on the firewall and the arp table should "pick it up" automatically.  After all, I created the interface and assigned that address.  Is this a BSD behaviour, since I'm quite sure that Linux and Windows will create an arp entry for an interface in this situation.

Thanks again.  I will also create a wifi page for this issue as you suggested.
« Reply #8 on: April 12, 2007, 23:45:03 »
cmb *****
Posts: 851

What I don't quite understand however, is why the arp error appeared in the logs before I added that route.  Surely the 10.10.10.1 address is local on the firewall and the arp table should "pick it up" automatically.  After all, I created the interface and assigned that address.  Is this a BSD behaviour, since I'm quite sure that Linux and Windows will create an arp entry for an interface in this situation.

As will FreeBSD, otherwise networking wouldn't work. If it logged that complaint (Windows and Linux see the same thing, they just ignore network issues rather than inform you of them), then it must have seen that ARP for 10.10.10.2 on another interface, not the one that had the 10.10.10.1 IP assigned (or maybe before you assigned the 10.10.10.1 IP, or maybe you had a wrong subnet mask on that interface originally). Why or how? I don't know, too many variables specific to how you tried to configure things and how you set things up. That message is unrelated to the rest of the thread though. Adding the route didn't make that message not show up anymore, if you still had ARP traffic on an interface that was not on the subnet of the specified interface, you'd still be seeing logs regardless of any static routes.
« Reply #9 on: April 13, 2007, 09:50:41 »
LifeBoy *
Posts: 13

Ok, I understand what you're saying.  I fixed a few things at the time, and one of them was adding the static route.  As you say, I might have had the netmask wrong, or something else.  The good thing is that it is now working and that I learned (maybe refreshed my memory) some things that I will document soon, so I don't have to learn them again at a later stage!  :)

Thanks for the help.