Hi folks,
I know it has been reiterated a couple of times, but I seem to be running into the same, or at least a very similar, problem as this guy called Russel (see http://forum.m0n0.ch/index.php/topic,241.0.html) and, just like in that thread, my questions seem to be unanswered.
My current setup is really simple: I have a net4501 with M0n0wall version 1.233 set up, and LAN can flawlessly access WAN/Internet. My problem occurs when it comes to setting up additional WAN addresses and Server NAT. I have a couple of servers in my LAN whose HTTPS ports I want forwarded.
I own 5 external IP addresses, XXX.XXX.XXX.98-XXX.XXX.XXX.102, and I set up M0n0wall to have its WAN interface on XXX.XXX.XXX.98. The WAN subnet mask is 255.255.255.0 and the gateway is XXX.XXX.XXX.1.
Internally, I have two servers: 192.168.0.254 and 192.168.0.251. I want to forward as follows:
XXX.XXX.XXX.98:22 -> 192.168.0.254:22
XXX.XXX.XXX.99:443 -> 192.168.0.251:443
Now, since the first entry redirects from the WAN interface address itself, this already works perfectly. I set up the NAT entry and added an appropriate firewall rule, and I can access the SSH port from the internet. So, in my opinion, this proves that the forwarding itself is working fine.
The problem lies in the Server NAT from XXX.XXX.XXX.99 to 192.168.0.251. I added a Server NAT entry for the XXX.XXX.XXX.99 address and additionally added a Proxy ARP entry (even though my ISP setup routes that address to my subnet anyway), but when I try to access https://XXX.XXX.XXX.99/ from some outside system, I get a timeout and there's nothing in the firewall log.
To diagnose the issue I tried a couple of things:
1. First of all I wanted to know if it works at all: I set up a notebook with address XXX.XXX.XXX.102, put it onto the network in front of the M0n0wall and tried to access https://XXX.XXX.XXX.99/ - funny enough, that worked perfectly!
2. Next, I added a firewall rule that accepted ICMP on WAN (+alias IPs). I went back to my test machine and ran a ping XXX.XXX.XXX.99; I did get a reply, but it said nexthop: XXX.XXX.XXX.98
So my host got the message to talk to my WAN address instead of the 99 alias. To get rid of this, I manually added an IP alias via /exec.php:
ifconfig sis1 inet XXX.XXX.XXX.99 netmask 255.255.255.255 broadcast XXX.XXX.XXX.255 alias
Now, my ping worked perfectly.
3. With my ICMP ping obviously working on the same subnet, I tried a traceroute from an external server to either XXX.XXX.XXX.98 or XXX.XXX.XXX.99; however, neither of them worked. They both just timed out.
4. Oh, and last but not least - I even tried running the latest beta of M0n0wall. That also didn't produce any resolution.
I'm on a Verizon DSL line and my DSL modem is set up to act as a bridge - my gateway is therefore inaccessible to me.
Additionally, I don't think that any ARP cache on my gateway is the issue here, because my regular internet connection from the WAN address XXX.XXX.XXX.98 works fine, and even port forwarding on that address works.
Does anyone have any idea what I can do to fix this? If you need any more information, just let me know.
I attached screenshots for my NAT entry and Firewall rule.
Thanks in advance,
chris
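The check below is an added example, not code from the post or from m0n0wall: it parses a constructed `ifconfig` block for the WAN interface and reports, for every external address used in a Server NAT map, whether that address is actually configured on the interface, and whether an extra address was added with the /32 netmask that an alias in the same subnet needs (the thing the manual `ifconfig ... alias` step above provided). The addresses, interface name and NAT map are placeholders standing in for the XXX.XXX.XXX.x block.

```python
import re

# Constructed sample of `ifconfig sis1` output (FreeBSD-style, hex netmasks).
# .98 is the primary WAN address, .99 was added as a /32 alias, .100 is absent.
SAMPLE_IFCONFIG = """\
sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 203.0.113.98 netmask 0xffffff00 broadcast 203.0.113.255
        inet 203.0.113.99 netmask 0xffffffff broadcast 203.0.113.255
        ether 00:00:24:c0:ff:ee
"""

# Constructed Server NAT map in the same shape as the post's entries:
# (external address, external port) -> (internal address, internal port).
NAT_MAP = {
    ("203.0.113.98", 22): ("192.168.0.254", 22),
    ("203.0.113.99", 443): ("192.168.0.251", 443),
    ("203.0.113.100", 443): ("192.168.0.251", 443),
}

# Matches the IPv4 "inet <addr> netmask 0x<mask>" lines of one interface block.
INET_RE = re.compile(r"^\s*inet (\S+) netmask (0x[0-9a-fA-F]+)", re.M)


def parse_inet(ifconfig_text):
    """Return [(address, netmask_as_int), ...] in the order ifconfig lists them."""
    return [(addr, int(mask, 16)) for addr, mask in INET_RE.findall(ifconfig_text)]


def check_aliases(nat_map, ifconfig_text):
    """Cross-check each external NAT address against the interface configuration.

    Returns {external_ip: status} with status one of:
      'ok'         address is present (primary, or an alias with a /32 mask)
      'missing'    address is not configured on the interface at all
      'wrong-mask' address is an extra address but was not added with 0xffffffff
    """
    inets = parse_inet(ifconfig_text)
    masks = dict(inets)
    primary = inets[0][0] if inets else None   # first inet line is the main address
    report = {}
    for ext_ip, _port in nat_map:
        if ext_ip not in masks:
            report[ext_ip] = "missing"
        elif ext_ip != primary and masks[ext_ip] != 0xFFFFFFFF:
            report[ext_ip] = "wrong-mask"
        else:
            report[ext_ip] = "ok"
    return report
```

Run it on the output of `ifconfig <wan-if>` from /exec.php before adding firewall rules, so a timeout on an alias address can be separated into "the address is not on the box at all" versus "the box has it but the NAT or rule is wrong".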