Topic: Can't Sleep, Losing Hair, Thinking Of Picking Up Smoking...  (Read 2522 times)
« on: November 08, 2008, 06:47:30 »
Chilling *
Posts: 5

I am trying to punch a hole in m0n0 for a program called Psiphon ( http://psiphon.ca/ ).

It uses a standard https port (443).

It is basically a private proxy that allows trusted users to use your internet connection to bypass any filtering their countries (or anyone else) put up. It serves a web page on port 443 with an integrated browser where you can surf away unrestricted under [my] IP address.

Basically it works like this:

I set up the server, punch the right holes through the firewall and set up a user account and password.

The user opens their browser, goes to the link of my page (https://my[public].ipa.ddr.ess:443/nameofmyserver/) and logs in. After they log in they find that they have another address bar within their own browser (browser within a browser) and use my connection to browse the net.


Okay, so for the past month I have been trying to figure out where the problem lies. I narrowed it down to somewhere between my DSL modem (SpeedStream 4100) and my m0n0wall box, inclusively.

When I unplug the m0n0 box and plug the Psiphon box straight into the modem everything works like a charm, but when I plug the m0n0 back in and punch the holes in it, it breaks the Psiphon connection: I cannot access the Psiphon link (https://my[public].ipa.ddr.ess:443/nameofmyserver/) from inside my network, and users from the outside cannot get access to it either.

I tried changing the way my modem functions: changing the IP address it serves my network from private (192.168.0.1) to public (my ISP address) and back again, to no avail.

I have been able to let other apps get access to the net by making NAT/firewall rules, but the darn Psiphon program just does not like the settings, I guess...


This seems like such a simple task, but it hurts to even remember how many hours of work I have put into getting it to work in the past month.

Please help me out with any possible advice.

« Last Edit: November 08, 2008, 06:49:47 by Chilling »
« Reply #1 on: November 08, 2008, 16:00:18 »
Fred Grayson *****
Posts: 994

You have not stated how you have your NAT and firewall rule set up for this. It's just not possible to help you without this information.

Also, changing the ports m0n0wall uses for its GUI may be required if they conflict with the port or ports your server is using.

And you will not be able to reach any LAN server from the LAN using https://my[public].ipa.ddr.ess:443/nameofmyserver. See the note at the bottom of the Firewall: NAT: Inbound page.

--
Google is your friend and Bob's your uncle.
« Reply #2 on: November 08, 2008, 17:51:09 »
Chilling *
Posts: 5

Sorry about that. Here is the information:

(Please note that I have moved on from port 443 to 28804)

My network:


DSL_Modem--->m0n0wall--->Switch_1--->Switch_2--->Psiphon_PC

DSL_Modem = SpeedStream 4100 .53 firmware
port = [public IP]

m0n0wall
WAN port = [public IP]
LAN port = 192.168.42.1/24


Switch_1 = DLINK FLEX 10/100
[operating as dumb switch]

Switch_2 = Cisco 2948G
[operating as dumb switch]

Psiphon_PC [Windows XP]
192.168.42.253/24


Firewall: NAT: Inbound

If    Proto     Ext. port range   NAT IP           Int. port range   Description
WAN   TCP/UDP   28804             192.168.42.253   28804             psi


Firewall: NAT: Outbound

Interface   Source            Destination   Target        Description
WAN         192.168.42.0/24   *             192.168.0.1   psi allow

I added the rule above to see if it would make a difference... It did not.


Firewall: Rules: WAN

Proto   Source              Port    Destination      Port    Description
*       RFC 1918 networks   *       *                *       Block private networks [DISABLED TO ALLOW PRIVATE NETWORKS]
TCP     *                   28804   192.168.42.253   28804   psi allow
*       *                   *       *                *       all traffic allow


Firewall: Rules: LAN

Proto   Source   Port   Destination   Port   Description
*       *        *      *             *      all traffic allow
« Last Edit: November 08, 2008, 18:36:38 by Chilling »
« Reply #3 on: November 08, 2008, 18:11:38 »
Fred Grayson *****
Posts: 994

Numerous potential problems here.

Your m0n0wall WAN is running on a private IP network. You must make allowances for this as this is blocked by default. See the bottom of the page: Interfaces: WAN

Your m0n0wall LAN interface is in the 192.168.41.0 network. But your Psiphon_PC  is in the 192.168.42.0 network. This can not work because m0n0wall does not know how to route traffic to networks it does not have an interface for or static routes defined for. Also, whenever citing IP addresses, you really need to cite the netmasks being used with them because making assumptions about them is bad practice.

I think it would be best at this point if you reviewed the available documentation for m0n0wall, particularly the Handbook sections that cover the basics of IP networking, setting up the interfaces, and placing servers on networks.

--
Google is your friend and Bob's your uncle.
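The three checks in the reply above (NAT target on a directly attached subnet, RFC 1918 blocking on a WAN that itself sits on a private subnet, and no LAN-to-public-IP reflection) can be run mechanically against the posted rule set. This is an added example, not m0n0wall code or the poster's configuration; the WAN address is a placeholder because the thread only says "[public IP]".

```python
import ipaddress

# Constructed model of the m0n0wall setup posted in this thread; not m0n0wall code.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

CONFIG = {
    "wan_ip": "198.51.100.7",                  # placeholder public WAN address
    "lan_net": "192.168.42.0/24",              # LAN port 192.168.42.1/24 from the post
    "block_private_on_wan": False,             # the poster disabled the default RFC 1918 block
    "inbound_nat": [("TCP", 28804, "192.168.42.253", 28804)],   # the "psi" rule
}

def is_rfc1918(ip):
    """True when ip falls in one of the three RFC 1918 ranges m0n0wall's default WAN rule blocks."""
    return any(ip in net for net in RFC1918)

def diagnose(src, dst, dport, cfg=CONFIG):
    """Reasons a TCP SYN from src to dst:dport would not reach the Psiphon box.
    An empty list means the modelled config forwards it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    wan_ip = ipaddress.ip_address(cfg["wan_ip"])
    lan = ipaddress.ip_network(cfg["lan_net"])
    # 1. A LAN client aiming at the public address: m0n0wall does not reflect inbound NAT
    #    back into the LAN (the note on the Firewall: NAT: Inbound page the reply cites).
    if src in lan and dst == wan_ip:
        return [f"hairpin: LAN clients must use the server's LAN address, not {wan_ip}"]
    reasons = []
    # 2. "Block private networks" drops WAN packets with RFC 1918 sources, which is fatal
    #    when the upstream modem hands m0n0wall a private subnet and NATs for it.
    if cfg["block_private_on_wan"] and is_rfc1918(src):
        reasons.append(f"WAN rule 'Block private networks' drops source {src}")
    # 3. An inbound NAT rule must match the port and point at a directly attached subnet;
    #    a target on 192.168.42.0/24 behind a LAN on 192.168.41.0/24 is unroutable.
    rules = [r for r in cfg["inbound_nat"] if r[1] == dport]
    if not rules:
        reasons.append(f"no inbound NAT rule for external port {dport}")
    else:
        target = ipaddress.ip_address(rules[0][2])
        if target not in lan:
            reasons.append(f"NAT target {target} is not inside LAN subnet {lan}")
    return reasons
```

Passing the LAN subnet as posted before the typo fix (192.168.41.0/24) reproduces the routing failure; passing a LAN source with the public IP as destination reproduces the "cannot reach it from inside" symptom.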
« Reply #4 on: November 08, 2008, 18:36:00 »
Chilling *
Posts: 5

The following have been changed:

1) Typo fixed in the above post: 192.168.41.2 changed to 192.168.42.1

2) Modem IP changed to public

3) Made provisions to allow private networks anyway

4) Added netmask info to the above post
« Reply #5 on: November 08, 2008, 19:35:19 »
Chilling *
Posts: 5

Users from the outside still cannot access the Psiphon server.
I still am not able to access the Psiphon server (but I understand why).