Topic: One-to-One NAT questions  (Read 11602 times)
« on: April 09, 2007, 16:45:10 »
lappyx86 *
Posts: 15

I am looking at the 1-to-1 NAT setup, and I assume that where I enter the WAN address I follow the instructions to enter the external (WAN) subnet for the 1:1 mapping by specifying a /32 subnet and putting in the external address of my choice.

But how do I limit it to ONE internal address that it maps to? It seems to me that it maps that address to a whole internal subnet (from how it's worded) instead of to one internal address. Or does it really map it to that one internal address I want it to?

For example, if I want 132.456.789.123 to map to 10.1.0.6, what do I put in the box where it asks for the internal subnet?

Also, with this 1-to-1 it allows all traffic types to that address, correct?
« Reply #1 on: April 09, 2007, 23:42:07 »
cmb *****
Posts: 851

You need a second public IP to use 1:1, you can't 1:1 to your WAN IP.

As it says right there on that page, "You may map single IP addresses by specifying a /32 subnet."

Yes, you can forward any type of IP traffic when using 1:1.
« Reply #2 on: April 10, 2007, 01:50:55 »
darklogic *
Posts: 45

I know what you are seeing with the subnet. All it is asking for is to know what your internal subnet is. It really is only NATting to that one internal IP, and remember that you can't 1-to-1 NAT your WAN IP; you can only port forward your WAN IP. If you have a second public IP you can 1-to-1 that IP. You can also even use a combination of 1-to-1 NAT with port forwarding.
« Reply #3 on: April 11, 2007, 14:57:17 »
lappyx86 *
Posts: 15

I have 5 public IPs to work with.

So, on the 1-1 NAT, all I use for the subnet is the internal CIDR notation? My internal subnet is /24.

So, if I am following this correctly.

Interface     External IP     Internal IP
WAN    xxx.xxx.xxx.xxx/32    xxx.xxx.xxx.xxx/32

or should it be

Interface     External IP     Internal IP
WAN    xxx.xxx.xxx.xxx/24    xxx.xxx.xxx.xxx/24

The second one would seem to imply that it's NATting that whole range, due to the wording of the information in the firewall.

Also, it might be a good idea to somehow separate the subnet masks for each part of the NAT connection, or make them appear different, so that it's less confusing....

My current firewall handles it like this

Private Range Start:  xxx.xxx.xxx.xxx
Public Range Start:    xxx.xxx.xxx.xxx
Range Length:    x

where the range length is essentially the subnet, but it's asking for it in a more logical fashion by essentially making it look like a list where they just match up.
« Last Edit: April 11, 2007, 15:01:36 by lappyx86 »
« Reply #4 on: April 11, 2007, 23:21:52 »
cmb *****
Posts: 851

You can't do a 1:1 NAT with a /24 unless you have the entire public /24. Since you don't, you need to do them individually and use a /32 for each IP.
« Reply #5 on: April 12, 2007, 03:18:00 »
lappyx86 *
Posts: 15

Ok, so this is not quite working as intended.

I put in my external IP, which on their network is /29

My internal network is /24

But neither of those should matter, if I am following correctly.

I should still use /32 so that it just maps that one address to the one address I want it to go to.

Right?
« Reply #6 on: April 12, 2007, 03:56:02 »
cmb *****
Posts: 851

Correct. The CIDR notation in this case isn't the subnet mask, it specifies the address range. Since you need to use single addresses, it's /32.
« Reply #7 on: April 12, 2007, 15:17:04 »
lappyx86 *
Posts: 15

Well, it looks like 1-1 just doesn't like me. For whatever reason, it just will not work. If someone could please look at my config file and tell me what's wrong, I would be much appreciative.

<?xml version="1.0" ?>
<m0n0wall>
  <version>1.6</version>
  <lastchange>1176383603</lastchange>
  <system>
    <hostname>tcmvpn</hostname>
    <domain>tcmwhf.office</domain>
    <username>admin</username>
    <password>$1$LNW5XyfV$9w.QUOFVLSGgbJ6/6F4eM0</password>
    <timezone>Etc/GMT-5</timezone>
    <time-update-interval>300</time-update-interval>
    <timeservers>pool.ntp.org</timeservers>
    <webgui>
      <protocol>http</protocol>
      <port />
      <certificate />
      <private-key />
    </webgui>
    <polling />
    <dnsserver>216.68.4.10</dnsserver>
    <dnsserver>216.68.5.10</dnsserver>
  </system>
  <interfaces>
    <lan>
      <if>vr0</if>
      <ipaddr>10.1.0.18</ipaddr>
      <subnet>24</subnet>
      <media />
      <mediaopt />
    </lan>
    <wan>
      <if>rl0</if>
      <media />
      <mediaopt />
      <spoofmac />
      <mtu />
      <ipaddr>216.196.238.180</ipaddr>
      <subnet>29</subnet>
      <gateway>216.196.238.177</gateway>
    </wan>
  </interfaces>
  <staticroutes>
    <route>
      <interface>lan</interface>
      <network>10.3.0.0/24</network>
      <gateway>10.1.0.2</gateway>
      <descr />
    </route>
  </staticroutes>
  <pppoe />
  <pptp />
  <bigpond />
  <dyndns>
    <type>dyndns</type>
    <username />
    <password />
    <host />
    <mx />
    <server />
    <port />
  </dyndns>
  <dnsupdate />
  <dhcpd>
    <lan>
      <range>
        <from>10.1.0.20</from>
        <to>10.1.0.250</to>
      </range>
      <defaultleasetime />
      <maxleasetime />
    </lan>
  </dhcpd>
  <pptpd>
    <mode>server</mode>
    <redir />
    <localip>10.1.0.17</localip>
    <remoteip>10.1.0.240</remoteip>
    <radius>
      <server />
      <secret />
    </radius>
    <req128 />
    <user>
      <name>bweber</name>
      <ip />
      <password></password>
    </user>
  </pptpd>
  <dnsmasq>
    <enable />
    <regdhcp />
  </dnsmasq>
  <snmpd>
    <syslocation />
    <syscontact />
    <rocommunity>public</rocommunity>
  </snmpd>
  <diag>
    <ipv6nat>
      <ipaddr />
    </ipv6nat>
  </diag>
  <bridge />
  <syslog>
    <reverse />
    <nentries>50</nentries>
    <remoteserver />
  </syslog>
  <nat>
    <onetoone>
      <external>216.196.238.178</external>
      <internal>10.1.0.6</internal>
      <subnet>32</subnet>
      <descr>Exchange</descr>
      <interface>wan</interface>
    </onetoone>
  </nat>
  <filter>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <source>
        <any />
      </source>
      <destination>
        <address>10.1.0.6</address>
      </destination>
      <descr>NAT</descr>
    </rule>
    <rule>
      <type>block</type>
      <interface>wan</interface>
      <source>
        <any />
      </source>
      <destination>
        <any />
      </destination>
      <descr />
    </rule>
    <rule>
      <interface>wan</interface>
      <protocol>tcp/udp</protocol>
      <source>
        <any />
      </source>
      <destination>
        <address>10.1.0.6</address>
        <port>80</port>
      </destination>
      <descr>NAT Exchange Server</descr>
      <disabled />
    </rule>
    <rule>
      <type>pass</type>
      <interface>pptp</interface>
      <source>
        <any />
      </source>
      <destination>
        <any />
      </destination>
      <frags />
      <descr />
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <source>
        <any />
      </source>
      <destination>
        <any />
      </destination>
      <descr />
    </rule>
    <tcpidletimeout />
  </filter>
  <shaper />
  <ipsec />
  <aliases />
  <proxyarp>
    <proxyarpnet>
      <interface>wan</interface>
      <network>216.196.238.178/32</network>
      <descr>NAT Exchange</descr>
    </proxyarpnet>
  </proxyarp>
  <wol />
</m0n0wall>
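An added check, written for this thread (example code, not m0n0wall's own), that puts cmb's point from Reply #6 and the posted config side by side: it expands a 1:1 entry into explicit address pairs, so /32 visibly yields one pair while /29 would yield eight (the "range start / range length" list lappyx86 describes), verifies that the external address sits inside the WAN /29 without being the WAN address or the gateway, confirms a proxy ARP entry covers it, and lists which active WAN rules actually expose the internal host, which answers the "all traffic types" question from the first post. The CONFIG string is a constructed, trimmed copy of the config above; the assumption that m0n0wall masks both sides of the mapping with the same prefix length, and that a rule with no type is treated as pass, is flagged in the code.

```python
"""Check a m0n0wall 1:1 NAT entry against the rest of the config.

Added example (not m0n0wall code). CONFIG is a constructed, trimmed copy
of the config posted in the thread: only the elements the check reads.
"""
import ipaddress
import xml.etree.ElementTree as ET

CONFIG = """<m0n0wall>
  <interfaces>
    <wan><if>rl0</if><ipaddr>216.196.238.180</ipaddr><subnet>29</subnet>
         <gateway>216.196.238.177</gateway></wan>
  </interfaces>
  <nat><onetoone>
    <external>216.196.238.178</external><internal>10.1.0.6</internal>
    <subnet>32</subnet><descr>Exchange</descr><interface>wan</interface>
  </onetoone></nat>
  <filter>
    <rule><type>pass</type><interface>wan</interface><source><any/></source>
      <destination><address>10.1.0.6</address></destination><descr>NAT</descr></rule>
    <rule><type>block</type><interface>wan</interface><source><any/></source>
      <destination><any/></destination></rule>
    <rule><interface>wan</interface><protocol>tcp/udp</protocol><source><any/></source>
      <destination><address>10.1.0.6</address><port>80</port></destination>
      <descr>NAT Exchange Server</descr><disabled/></rule>
  </filter>
  <proxyarp><proxyarpnet><interface>wan</interface>
    <network>216.196.238.178/32</network></proxyarpnet></proxyarp>
</m0n0wall>"""


def _text(elem, tag, default=""):
    child = elem.find(tag) if elem is not None else None
    return child.text.strip() if child is not None and child.text else default


def expand_onetoone(external, internal, prefixlen):
    """Expand one (external, internal, subnet) entry into explicit address pairs.

    Assumption: m0n0wall applies the prefix length to both sides, so the n-th
    external address maps to the n-th internal one. /32 yields exactly one
    pair, /29 yields eight (the "range start + length" view of the same data).
    """
    ext = ipaddress.ip_network(f"{external}/{prefixlen}", strict=False)
    inside = ipaddress.ip_network(f"{internal}/{prefixlen}", strict=False)
    return [(str(e), str(i)) for e, i in zip(ext, inside)]


def check_onetoone(config_xml):
    """One report per <onetoone>: pairs, config problems, exposing WAN rules."""
    root = ET.fromstring(config_xml)
    wan = root.find("interfaces/wan")
    wan_ip = ipaddress.ip_address(_text(wan, "ipaddr"))
    wan_net = ipaddress.ip_network(f"{wan_ip}/{_text(wan, 'subnet')}", strict=False)
    gateway = ipaddress.ip_address(_text(wan, "gateway"))
    proxyarp = [ipaddress.ip_network(_text(p, "network"), strict=False)
                for p in root.findall("proxyarp/proxyarpnet")]

    reports = []
    for entry in root.findall("nat/onetoone"):
        external, internal = _text(entry, "external"), _text(entry, "internal")
        plen = int(_text(entry, "subnet", "32"))
        ext_net = ipaddress.ip_network(f"{external}/{plen}", strict=False)
        pairs = expand_onetoone(external, internal, plen)
        problems = []
        # The external block must come out of what the ISP assigned...
        if not ext_net.subnet_of(wan_net):
            problems.append(f"{ext_net} is outside the WAN subnet {wan_net}")
        # ...and must not swallow the WAN address itself or the ISP gateway.
        if wan_ip in ext_net:
            problems.append(f"{ext_net} contains the WAN address {wan_ip}")
        if gateway in ext_net:
            problems.append(f"{ext_net} contains the gateway {gateway}")
        # Unless the ISP routes the block to the WAN IP, something has to
        # answer ARP for the extra address, or the mapping never sees traffic.
        if not any(ext_net.subnet_of(n) for n in proxyarp):
            problems.append(f"no proxy ARP entry covers {ext_net}")

        # 1:1 NAT translates every IP protocol; the WAN filter decides what
        # gets through. Collect active pass rules that hit the internal side.
        internal_addrs = {ipaddress.ip_address(i) for _, i in pairs}
        exposed = []
        for rule in root.findall("filter/rule"):
            if rule.find("disabled") is not None or _text(rule, "interface") != "wan":
                continue
            if _text(rule, "type", "pass") != "pass":  # assumption: no <type> = pass
                continue
            dst = rule.find("destination")
            addr = _text(dst, "address")
            if dst is not None and dst.find("any") is not None:
                hit = True
            elif addr:
                hit = any(a in ipaddress.ip_network(addr, strict=False) for a in internal_addrs)
            else:
                continue
            if hit:  # ("any", "any", ...) means every protocol and port is open
                exposed.append((_text(rule, "protocol", "any"),
                                _text(dst, "port", "any"), _text(rule, "descr")))
        reports.append({"descr": _text(entry, "descr"), "pairs": pairs,
                        "problems": problems, "exposed": exposed})
    return reports


if __name__ == "__main__":
    for r in check_onetoone(CONFIG):
        print(r["descr"], r["pairs"], r["problems"] or "ok", r["exposed"])
```

Run against the posted config it reports a single pair (216.196.238.178 to 10.1.0.6), no problems, and one active exposing rule with protocol "any" and port "any": the enabled "NAT" rule passes everything to the Exchange host, while the port-80-only rule is disabled. Changing the entry's subnet to 29 in the same config makes the expansion grow to eight pairs and trips the WAN-address, gateway and proxy-ARP checks, which is the concrete reason cmb insists on /32 per address.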
« Reply #8 on: April 12, 2007, 23:37:10 »
cmb *****
Posts: 851

Looks like it's working fine. If I go to http://216.196.238.178 I get Outlook Web Access.
 
« Reply #9 on: April 13, 2007, 01:41:39 »
lappyx86 *
Posts: 15

I had to revert to the SonicWall during business hours so that work can continue to flow; currently the only time the m0n0wall is up is after 5pm.
« Last Edit: April 13, 2007, 01:45:13 by lappyx86 »
« Reply #10 on: April 13, 2007, 07:08:49 »
lappyx86 *
Posts: 15

Good news, it's up and running.

Bad news. I don't understand why its actually working.

More info tomorrow, as well as a config file to look through.
« Reply #11 on: April 13, 2007, 19:13:33 »
cmb *****
Posts: 851

Probably an ARP cache somewhere since you're swapping back and forth between different hardware.
« Reply #12 on: April 14, 2007, 14:53:21 »
bitonw **
Posts: 79

Quote from: cmb on April 13, 2007, 19:13:33
Probably an ARP cache somewhere since you're swapping back and forth between different hardware.

Bear in mind that when you just pull the SonicWall to replace it with the m0n0wall, the routers at your site and/or at your ISP won't like that, and it will take some time before everything works again. Better is to power down the SonicWall and your ISP router, then replace the SonicWall with the m0n0wall and turn the ISP router back on. This will clear the ARP cache directly. Or swap the firewall live and only reboot the ISP router...
« Reply #13 on: April 18, 2007, 02:45:10 »
darklogic *
Posts: 45

I would say that cmb is correct on ARP caching. Cisco switches are very notorious for this as well.
« Reply #14 on: August 24, 2007, 20:52:38 »
Simonvetterli *
Posts: 1

Quote from: cmb on April 12, 2007, 23:37:10
Looks like it's working fine. If I go to http://216.196.238.178 I get Outlook Web Access.

How do I set it up on my m0n0wall? I'm new to it, but I'd like to have the same as you!