Topic: Blocked packets without a rule that blocks them
Blocked packets without a rule that blocks them
« on: June 17, 2008, 05:57:05 »
wizard_oz
Posts: 7
I'm having a problem where m0n0wall (latest beta) is blocking packets (according to the firewall logs) even though they shouldn't be blocked. My setup is quite simple - I have three interfaces on our firewall:
1. WAN interface that connects to a DSL router.
2. LAN interface that is NATed
3. DMZ interface that is NATed
There is also an IPSec tunnel, but that shouldn't affect anything.
Everything works fine for computers connected to the LAN interface, but computers on the DMZ interface are having problems accessing certain web pages, in particular some HTTPS pages and pages that stream video.
What I noticed is that when I, for example, connect to a banking web page, the firewall rule log will show a "Denied" entry for the computer connecting to port 443 on the banking server, even though there is no rule blocking traffic to the server.
The only rules that I setup are to prevent the wireless interface from reaching the LAN interface and another one that prevents it from reaching the network behind the IPSec tunnel.
Now, there is another wireless router (Linksys with NAT) connected to the DMZ interface, but I have been able to reproduce the problem by directly connecting the computer(s) to the wireless interface, not using the Linksys. Geez, I hope all this makes sense.
In a nutshell: Even though LAN and DMZ are almost configured identically, there are random problems with computers on the DMZ interface. In particular I see firewall logs that show blocked packets that shouldn't be blocked since there is no rule to block them.
Does anybody have other ideas to troubleshoot this strange problem? Can I see which firewall rule blocked a packet and why?
I'm 99% sure it has to do with the DMZ interface. When I had the Linksys router connected to the LAN interface everything worked well. However, I had to change this since I didn't want hosts on the Linksys to connect to the network behind the tunnel (I tried to create rules but those for whatever reason also didn't work).
Thanks,
Ingmar.
Re: Blocked packets without a rule that blocks them
« Reply #1 on: June 17, 2008, 06:24:28 »
Fred Grayson
Posts: 994
If your connection is PPPoE and you have computers that have their NIC's MTU set to 1500 (the default for ethernet) there can be connectivity problems. Lower MTU to 1492 and try again. You may have to lower it further, but start there.
You don't need rules to be in place to block packets. You need rules in place to allow packets in unless these packets are in response to a connection you initiated.
The state tables keep track of connections and allow packets back in that are such responses. Sometimes these packets come back late, after the state table entry for them has expired. If so, they will be blocked because they appear to be unsolicited.
--
Google is your friend and Bob's your uncle.
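To make the state-table explanation above concrete, here is an added toy model of a stateful firewall (not m0n0wall's or ipfilter's own code): outbound packets create state, replies are passed only while that state is alive, and a reply that arrives after the entry has expired is logged as blocked even though no rule names it. The 60-second timeout, addresses and ports are constructed values.

```python
from dataclasses import dataclass

STATE_TIMEOUT = 60  # seconds; constructed value, real firewalls use per-protocol timers


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


class StateTable:
    """Minimal default-deny stateful filter: only flows with live state pass inbound."""

    def __init__(self, timeout: int = STATE_TIMEOUT) -> None:
        self.timeout = timeout
        self._entries: dict[Flow, int] = {}  # originating flow -> last seen time
        self.log: list[tuple[str, str, Flow, int]] = []

    def outbound(self, flow: Flow, now: int) -> str:
        # A packet leaving LAN/DMZ is allowed by rule and creates (or refreshes) state.
        self._entries[flow] = now
        self.log.append(("pass", "out", flow, now))
        return "pass"

    def inbound(self, pkt: Flow, now: int) -> str:
        # Reverse the 5-tuple to find the flow that would have solicited this packet.
        key = Flow(pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        seen = self._entries.get(key)
        if seen is not None and now - seen <= self.timeout:
            self._entries[key] = now  # refresh: the connection is still active
            self.log.append(("pass", "in", pkt, now))
            return "pass"
        if seen is not None:
            del self._entries[key]  # expired entry: purge it
        # No live state, so the packet looks unsolicited and hits the default deny.
        self.log.append(("block", "in", pkt, now))
        return "block"


def demo() -> tuple[str, str, str]:
    st = StateTable(timeout=60)
    out = Flow("192.168.2.10", 50000, "203.0.113.5", 443, "tcp")   # DMZ host -> HTTPS server
    reply = Flow("203.0.113.5", 443, "192.168.2.10", 50000, "tcp")  # server's reply
    st.outbound(out, now=0)
    timely = st.inbound(reply, now=10)    # state alive: passed
    late = st.inbound(reply, now=200)     # 190 s after last seen: blocked, no rule involved
    stray = st.inbound(Flow("198.51.100.9", 12345, "192.168.2.10", 443, "tcp"), now=20)
    return timely, late, stray            # ("pass", "block", "block")
```

The two "block" results are exactly the kind of "Denied" log entries the original post describes: nothing in the rule set names the server, the packet simply has no matching state.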
Re: Blocked packets without a rule that blocks them
« Reply #2 on: June 18, 2008, 04:28:43 »
wizard_oz
Posts: 7
Thanks Fred.
The connection is PPPoE, but the DSL modem does that - not the m0n0wall. The strange thing is that everything works well from the LAN interface, but all the devices that are attached to the DMZ interface are having intermittent problems.
Thanks for the explanation in regards to the states - I suppose it's possible then that packets are being blocked because of timing issues.
Now, I still tried to change the MTU to something lower, but I don't have any options anywhere to change the MTU. I looked at some screenshots in the documentation, but there is just no MTU field under the MAC address.
I just don't understand why the DMZ interface, that is configured just like the LAN interface, is having issues.
Thanks!
Re: Blocked packets without a rule that blocks them
« Reply #3 on: June 18, 2008, 05:57:39 »
Fred Grayson
Posts: 994
The MTU needs to be proper on the individual computers themselves. It can be the same or higher on the m0n0wall interfaces, so just leave those alone.
Is there some reason why you aren't letting m0n0wall do the PPPoE, with your DSL modem/router set to bridging mode?
--
Google is your friend and Bob's your uncle.
Re: Blocked packets without a rule that blocks them
« Reply #4 on: June 18, 2008, 06:01:30 »
wizard_oz
Posts: 7
Thanks for your suggestions.
No particular reason. The DSL modem was configured that way and I just left it alone - it didn't actually occur to me to change it since everything worked. Well, until I tried using the 3rd interface.
Ah, changing the MTU on the computers themselves? I didn't think about that. I will try that.
I'm still puzzled as to why ComputerA works when connected to the LAN interface, but not when connected to the DMZ interface? Are there configuration differences between the two? Nothing seems to show up in the web interface ... ?