Topic: 1:1 NAT works but WAN-to-LAN blocked  (Read 9802 times)
« on: July 04, 2008, 00:28:04 »
coolnicklas *
Posts: 7

Hi all

I'm pre-investigating a switch from an old analog PBX to an IP-PBX and I need a firewall which can perform traffic shaping between my servers (services).

Basically I want to accomplish this:

(http://forum.m0n0.ch/index.php?action=dlattach;topic=2126.0;attach=199;image)

I have a 5/5 mbit FDDI and today I just switch this connection and use 3 gateways with three different public IPs. Adding an IP-PBX to the switch is not a good idea since there will be no traffic shaping between the IP-PBX and the gateways...

I have installed m0n0wall on a WRAP2e and connected the LAN interface to a switch like this:
(http://forum.m0n0.ch/index.php?action=dlattach;topic=2126.0;attach=201;image)

I have set up 1:1 NAT according to the picture above and I have connected my laptop to GW2 and whatsmyip.org tells me I'm on xxx.xxx.128.74, 1:1 NAT seems to work.

I did put up a Web-server behind GW2 and doing port forwarding (in GW2) on port 80 to this server. Added firewall rules in m0n0wall to accept HTTP from any WAN IP to network 192.168.1.0 like this:
(http://forum.m0n0.ch/index.php?action=dlattach;topic=2126.0;attach=203;image)

Sadly this does not work and no traffic seems to get through from WAN to my 1:1 NAT servers, and there is nothing in the logs about any HTTP traffic getting blocked. I have tried different combinations of rules, including accept HTTP from any WAN IP to host xxx.xxx.128.74, and accept ANY protocol from any WAN IP to LAN subnet. I have also tried to put my Web-server (assigned to IP 192.168.1.3) directly behind m0n0wall.

I have also tried Server NAT and port forwarding xxx.xxx.128.74:80 to 192.168.1.3 with auto created rules, but still no luck.
I am honestly confused and in need of some expert help.
Thanks in advance for any help
/Nicklas





* nat1-to-1.jpg (61.2 KB, 480x504)
* 1-to-1-test.jpg (38.49 KB, 457x435)
* natrules.jpg (23.27 KB, 511x148)
« Last Edit: July 04, 2008, 00:30:07 by coolnicklas »
« Reply #1 on: July 04, 2008, 00:55:56 »
Fred Grayson *****
Posts: 994

You have the following rule:

TCP/UDP  *  * 192.168.1.0/31  80 (HTTP)   1:1 webservices



What is this Destination: 192.168.1.0/31  ?

I don't see how that can possibly work.

--
Google is your friend and Bob's your uncle.
« Reply #2 on: July 04, 2008, 09:09:33 »
coolnicklas *
Posts: 7


Doesn't it mean: accept any HTTP request from any source to any host on network 192.168.1.1 - 192.168.1.254 ?

I have also tried:

TCP/UDP  *  * 192.168.1.3  80 (HTTP)   1:1 webservices and
TCP/UDP  *  * xxx.xxx.128.74  80 (HTTP)   1:1 webservices

Have you got any suggestions for how to make this work?

/Nicklas

« Reply #3 on: July 04, 2008, 13:40:58 »
coolnicklas *
Posts: 7

I've done some further investigations.

I have tried basic inbound NAT with latest stable release and latest beta release, and it simply does not work. I have ruled out any ISP blocking port 80 problems, by using another SOHO Gateway with the same public IP and port forwarding to the webserver.

This is a m0n0wall problem.
It might work with other configurations but not when public IP is a static xxx.xxx.xxx.xxx/29 address and with inbound NAT to port 80.
« Reply #4 on: July 04, 2008, 16:20:10 »
Fred Grayson *****
Posts: 994

Another question.

When you test any of this, are you testing from a machine behind the m0n0wall, or are you trying from a machine out on the internet?

--
Google is your friend and Bob's your uncle.
« Reply #5 on: July 04, 2008, 16:27:10 »
coolnicklas *
Posts: 7

From the internet, since I heard there are limitations when accessing the servers from within LAN.
« Reply #6 on: July 04, 2008, 17:34:49 »
Fred Grayson *****
Posts: 994

192.168.1.1 - 192.168.1.254 is 192.168.1.0/24 NOT /31

The basic configuration you are attempting is being done by some unknowable large number of others, and there aren't fundamental bugs in m0n0wall preventing it from working.

It's probably time for you to post your entire configuration file. Someone will spot what is missing/incorrect.

If you haven't read thru the m0n0wall handbook yet, you might want to.

--
Google is your friend and Bob's your uncle.
« Reply #7 on: July 04, 2008, 21:26:28 »
coolnicklas *
Posts: 7

I know that simple port forwarding is a very basic configuration, that's why this is so frustrating.

I haven't read every page in the handbook, but some parts of it along with a review at Smallnetbuilder: http://www.smallnetbuilder.com/content/view/24689/51/

I have encountered exactly the same problem with pfsense which is based upon m0n0wall. I'm at home now where I've got a DSL connection with dynamic IP, so I reconfigured the WAN interface to use DHCP and now the same port forwarding rules work.

It must have something to do with the WAN configuration since port forwarding works when WAN is configured with DHCP but not when WAN is configured with a static address.

I guess I must have missed something out, as you say, this setup is far from unique.
My exact setup is:

                                                                                    /------GW1(public IP xx.xxx.128.74)
                                                                                   /
[FDDI-to-ethernet converter] - [unmanaged switch]----------GW2(public IP xx.xxx.128.75)
                                                                                  \
                                                                                    \-------GW3(public IP xx.xxx.128.78)
                                                                                      \
                                                                                        \___m0n0wall(public IP xx.xxx.128.77)
                                                                                                                 |
                                                                                                                 |
                                                                                                         webserver   

From my ISP I've got the range from xx.xxx.128.74 to xx.xxx.128.78 and the subnet mask 255.255.255.248

With CIDR notation this would be setting WAN to xx.xxx.128.77/29, right?

/Nicklas

« Reply #8 on: July 04, 2008, 22:00:19 »
Fred Grayson *****
Posts: 994

255.255.255.248 is /29

Have a look in the handbook at the multiple IP stuff.

http://doc.m0n0.ch/handbook-single/#FAQ.IpAlias

I'm certain the answer is there.

--
Google is your friend and Bob's your uncle.
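The two prefix questions raised in this thread (whether 192.168.1.0/31 covers the web server at 192.168.1.3, and what 255.255.255.248 means for the ISP's xx.xxx.128.74-.78 range) can be checked directly. The following is an added example, not code from the thread or from m0n0wall; it uses Python's standard ipaddress module, substitutes the documentation range 203.0.113.x for the masked public prefix, and assumes, as the rules posted above do, that the filter rule's destination is compared against the private address after 1:1 NAT.

```python
import ipaddress

# Constructed stand-ins: the thread masks its public prefix as xx.xxx.128.x,
# so the RFC 5737 documentation range 203.0.113.x is used here instead.
PUBLIC_WAN = "203.0.113.77"     # m0n0wall's WAN address in the diagram
ISP_RANGE = range(74, 79)       # .74 to .78, as given by the ISP
PRIVATE_WEB = "192.168.1.3"     # the web server behind m0n0wall

# The three destination variants tried in the thread, as simple rule records.
THREAD_RULES = {
    "as posted (/31)": {"proto": ("tcp", "udp"), "dst": "192.168.1.0/31", "port": 80},
    "whole LAN (/24)": {"proto": ("tcp", "udp"), "dst": "192.168.1.0/24", "port": 80},
    "single host":     {"proto": ("tcp", "udp"), "dst": "192.168.1.3",    "port": 80},
}


def prefix_length(netmask):
    """Convert a dotted netmask such as 255.255.255.248 to its CIDR length."""
    return ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen


def wan_block(address, prefixlen):
    """Network address, broadcast address and size of the block an interface sits in."""
    net = ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def covers(cidr, host):
    """True if the destination prefix of a rule includes the given host."""
    return ipaddress.ip_address(host) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule, proto, dst_ip, dst_port):
    """Minimal matcher for one rule against an inbound (post-NAT) packet."""
    return (proto in rule["proto"]
            and covers(rule["dst"], dst_ip)
            and dst_port == rule["port"])


def which_rules_match(proto, dst_ip, dst_port):
    """Names of the thread's rules that would accept the packet, in posted order."""
    return [name for name, rule in THREAD_RULES.items()
            if rule_matches(rule, proto, dst_ip, dst_port)]


if __name__ == "__main__":
    print("255.255.255.248 is /%d" % prefix_length("255.255.255.248"))
    net, bcast, size = wan_block(PUBLIC_WAN, 29)
    print(f"{PUBLIC_WAN}/29 lies in {net} .. {bcast} ({size} addresses)")
    block = f"{net}/29"
    for n in ISP_RANGE:
        print(f"  203.0.113.{n} in block: {covers(block, f'203.0.113.{n}')}")
    print("192.168.1.0/31 holds only:",
          [str(a) for a in ipaddress.ip_network("192.168.1.0/31")])
    print("Rules accepting HTTP to", PRIVATE_WEB, "->",
          which_rules_match("tcp", PRIVATE_WEB, 80))
```

Running it shows that /31 holds exactly two addresses (192.168.1.0 and 192.168.1.1), so the rule as posted never matches the web server, while the /24 and single-host variants do; it also confirms that 255.255.255.248 is /29 and that every address the ISP assigned falls inside the same eight-address block as the m0n0wall WAN address.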
« Reply #9 on: July 04, 2008, 22:42:52 »
coolnicklas *
Posts: 7

I'm down to getting inbound NAT with single IP to work right now, if this does not work there is no point in trying to get multiple IP and 1:1 to work. The handbook chapter 6.2 is pretty clear about how inbound NAT works, I followed it and it does not.

I am not alone having this problem, see this thread, it is exactly the same issue: http://forum.m0n0.ch/index.php/topic,2008.0.html

/Nicklas
« Reply #10 on: August 21, 2008, 11:02:45 »
coolnicklas *
Posts: 7

I would recommend using Pfsense instead. I've got everything working with latest stable release of Pfsense.