Topic: Means to pass all traffic freely between LAN and "WAN"?
« on: January 21, 2009, 23:11:48 »
ouberlord *
Posts: 9

Hello,

In continuation of an issue one of my clients has been having, I am trying to get two different subnets to get routed to one another.

First I tried to do it by setting up our monowall with an OPT1 port with an address on the second subnet, but I could not get traffic to move between the two subnets.  Then I tried disabling that interface and instead set up a second monowall with its WAN port on the first subnet, its LAN on the second subnet.  In both attempts I set the firewall rules to pass all traffic between the two interfaces.

Still, no dice.  For anyone who has gotten this to work in the past, what needs to be done?  Static routes, perhaps?
« Reply #1 on: January 22, 2009, 11:15:47 »
markb ****
Posts: 331

Can you supply a network diagram, also what default gateways the clients have.
« Reply #2 on: January 22, 2009, 15:22:07 »
ouberlord *
Posts: 9

I've attached a crude diagram.  The default gateway for all clients is the 10.100.100.6 monowall.


[Attachment: Diagram.png (553x495)]
« Reply #3 on: January 23, 2009, 10:31:21 »
markb ****
Posts: 331

OK that makes it clearer.
The main Mono box will require a static route to 10.100.102.0/24 with a gateway of 10.100.100.5.  You will also have to check the box, in the advanced section, to bypass rules for traffic on the same interface.
(http://i232.photobucket.com/albums/ee216/markbarl/ScreenShot024.jpg)
I assume that you have enabled Advanced NAT on the second monowall to remove all automatic NAT rules.
« Reply #4 on: January 23, 2009, 23:38:08 »
knightmb ****
Posts: 341

Diagram looks good, but you need to make sure this is turned off (picture attached). You'll find this if you go to "Interfaces" and then click "WAN" for the machine with the WAN IP of 10.100.100.5.


[Attachment: Image1.gif (584x133)]

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #5 on: January 23, 2009, 23:39:41 »
knightmb ****
Posts: 341

OK that makes it clearer.
The main Mono box will require a static route to 10.100.102.0/24 with a gateway of 10.100.100.5.  You will also have to check the box, in the advanced section, to bypass rules for traffic on the same interface.
(http://i232.photobucket.com/albums/ee216/markbarl/ScreenShot024.jpg)
I assume that you have enabled Advanced NAT on the second monowall to remove all automatic NAT rules.
Going by his diagram, he's not routing packets in and out of the same interface, so that setting shouldn't be necessary?
« Reply #6 on: January 24, 2009, 20:04:35 »
ouberlord *
Posts: 9

I assume that you have enabled Advanced NAT on the second monowall to remove all automatic NAT rules.

No, I have not, and my experience with it is extremely limited.  I imagine you are talking about "Advanced outbound NAT"?  If so, what settings will I need to use?

I've already made sure that "block private networks" was not checked, which I had to do anyway to allow me to access the webgui through the WAN address.  I ticked the "Bypass firewall rules" box; though I wouldn't seem to have similar traffic going through the same interfaces, I figured it can't hurt.

Also, it bears mentioning that while the PCs all have gateways of 10.100.100.6, I do not know what the phone system has as a gateway.  To pass traffic through, do I need to ensure that the phone system uses the internal address of the second monowall as its gateway?
« Last Edit: January 24, 2009, 20:11:51 by ouberlord »
« Reply #7 on: January 25, 2009, 00:22:15 »
knightmb ****
Posts: 341

You need to actually make sure NAT is turned off for the second m0n0wall box because it's not necessary to translate one address to the same address.  Your diagram is good though, I've built a test network using your diagram and didn't have to do anything beyond making sure NAT is off and that the private network option for the WAN is disabled.
« Reply #8 on: January 25, 2009, 03:04:13 »
ouberlord *
Posts: 9

I must not be doing something correctly; I still cannot get any traffic through.

The primary monowall settings:
WAN: (Public IP)
LAN: 10.100.100.6 /24
Static Route: LAN  10.100.102.0 /24  10.100.100.5
LAN Firewall Rule: *  *  *  *  *  Allow All

The secondary monowall settings:
WAN: 10.100.100.5 /24
LAN: 10.100.102.2 /24
NAT > Outbound > "Enable advanced outbound NAT": Checked, but left nothing defined on the page.
WAN Firewall Rule: *  *  *  *  *  Allow All
LAN Firewall Rule: *  *  *  *  *  Allow All

When attempting to ping to 10.100.102.10 from 10.100.100.11 the request times out.

The LAN interface on the secondary monowall can ping 10.100.102.10 just fine.

Trace route to 10.100.102.10 from 10.100.100.11 consistently acts strangely:
Code:
C:\Documents and Settings\administrator>tracert 10.100.102.10
Tracing route to 10.100.102.10 over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2    <1 ms    <1 ms    <1 ms  10.100.100.5
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.

C:\Documents and Settings\administrator>tracert 10.100.102.10
Tracing route to 10.100.102.10 over a maximum of 30 hops
  1     *        *        *     Request timed out.
  2    <1 ms    <1 ms    <1 ms  10.100.100.5
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.

Any thoughts or suggestions on what to do next?  Also, it is worth noting that the diagram above is a logical diagram, not a physical one.  In actuality all of the computers plug into the phones, which then plug into the switches.  However, the PCs are all on the 10.100.100.X subnet, while the phones are all on the 10.100.102.X subnet.  In this way, everything plugs directly into the bank of switches.

Both the LAN and the WAN ports of the secondary monowall both plug into the bank of switches as well.
« Last Edit: January 25, 2009, 03:06:26 by ouberlord »
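To make the two-way path concrete, here is an added Python model (not from the thread or from m0n0wall) of the configuration listed in Reply #8: the PC, both monowalls and one phone, each with its connected networks and routes. The phone's gateway is the unknown raised in Reply #6; the model assumes it is the secondary's LAN address 10.100.102.2 when set, and shows that the echo request reaches the phone either way but the reply has nowhere to go when that gateway is missing.

```python
import ipaddress

# Constructed model of the thread's logical diagram: addresses are the ones
# given in the posts. Routes are (prefix, next_hop); connected networks are
# taken from the interface list. phone_gateway is the unknown from Reply #6.
def make_net(phone_gateway):
    return {
        "pc":        (["10.100.100.11/24"], [("0.0.0.0/0", "10.100.100.6")]),
        "primary":   (["10.100.100.6/24"],  [("10.100.102.0/24", "10.100.100.5")]),
        "secondary": (["10.100.100.5/24", "10.100.102.2/24"],
                      [("0.0.0.0/0", "10.100.100.6")]),
        "phone":     (["10.100.102.10/24"],
                      [("0.0.0.0/0", phone_gateway)] if phone_gateway else []),
    }

def next_hop(node, dst):
    """Longest-prefix match over connected networks plus static routes."""
    ifaces, routes = node
    dst = ipaddress.ip_address(dst)
    best = None                                  # (prefixlen, next hop)
    for cidr in ifaces:                          # connected: deliver directly
        net = ipaddress.ip_interface(cidr).network
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, str(dst))
    for prefix, gw in routes:                    # static/default routes
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw)
    return best[1] if best else None

def owner(net, ip):
    """Name of the node that holds address ip, or None."""
    for name, (ifaces, _) in net.items():
        if ip in [c.split("/")[0] for c in ifaces]:
            return name
    return None

def trace(net, src, dst, max_hops=8):
    """Forward a packet hop by hop; return (path of node names, delivered)."""
    path, cur = [], src
    while len(path) < max_hops:
        path.append(cur)
        if cur == owner(net, dst):
            return path, True
        cur = owner(net, next_hop(net[cur], dst))
        if cur is None:                          # no route, or next hop unknown
            return path, False
    return path, False                           # routing loop

def ping(net, src, dst):
    """A ping succeeds only if the echo request AND the reply get routed."""
    fwd, ok_fwd = trace(net, src, dst)
    src_ip = net[src][0][0].split("/")[0]
    rev, ok_rev = trace(net, owner(net, dst), src_ip) if ok_fwd else ([], False)
    return ok_fwd and ok_rev, fwd, rev
```

The reply path in the model goes secondary to PC directly (the secondary's WAN is on 10.100.100.0/24), so the primary monowall only ever sees the outbound half of the conversation.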
« Reply #9 on: January 29, 2009, 17:04:29 »
knightmb ****
Posts: 341

Both the LAN and the WAN ports of the secondary monowall both plug into the bank of switches as well.
Ok, I think that might be the problem. I was assuming that the second m0n0wall was in "front" of that switch. I thought the second m0n0wall WAN was connected to the switch and the LAN was connected to the phone (or PC, another switch, etc).

If you have both LAN and WAN ports of m0n0wall plugged into the same switch that also has the LAN side of the first m0n0wall networked with it, then the phones won't be able to route through that different subnet because they are technically on the same physical layer and the other machines just ignore them.

Kind of like having a room full of people speaking English, then a group of people come in and start talking in Burmese trying to communicate with the English people; both groups look at each other funny because neither understands what the other is saying. But the groups can communicate within themselves (ping), just not with the other group, because the "translator" guy (or in this case, the gateway machine) is out on a lunch break somewhere.

To remedy, you need only the second m0n0wall WAN connected to the switch, the second m0n0wall LAN needs to be the one connected to the phones because it's the gateway that is going to merge the two different networks together so that the phones can communicate with the PC and vice versa, etc.

Now I know someone is going to chime in and say "why not just communicate in/out of the same interface, since it has an option to enable that" for which I answer that sometimes that doesn't work due to the way a switch routing table tries to track states and route packets in which different subnets that are both source and destination at the same time are often dropped by routers because it's a popular attack point for hackers.  It would probably work for a hub, but not so much for any switch that uses a states table.