Topic: DMZ traffic leaves WAN port instead - 1.231  (Read 3072 times)
« on: May 30, 2009, 06:43:03 »
tin *
Posts: 4

For some time, a client has been running M0n0wall 1.231 on a little Net48xx box. Today I attempted to move one of their servers to the DMZ port, but discovered traffic ended up heading out to the internet instead... Even ping/traceroute from the m0n0wall box went out that way.

Now there's 2 possibilities... I'm doing something stupid, or the box is.
First thing I'm wondering is that my choice of 192.168.1.0/24 and 192.168.11.0/24 for the LAN and DMZ is wrong... Is it?
Second, perhaps I've set up the firewall or NAT rules poorly resulting in sending traffic to the WAN.

Config is attached (hopefully with all the private bits removed)...


Edit: Also, I know the build is older, but I don't really want to do any major changes like that unless someone confirms it's a known issue.

* config-m0n0wall.crdc-20090530142913.txt (10.18 KB - downloaded 204 times.)
« Last Edit: May 30, 2009, 06:46:07 by tin »
« Reply #1 on: May 31, 2009, 04:42:26 »
knightmb ****
Posts: 341

Quote
For some time, a client has been running M0n0wall 1.231 on a little Net48xx box. Today I attempted to move one of their servers to the DMZ port, but discovered traffic ended up heading out to the internet instead... Even ping/traceroute from the m0n0wall box went out that way.
Did you use 1:1 NAT to do this or just setup a forward rule for ports 1-65535 to the box?

Quote
Now there's 2 possibilities... I'm doing something stupid, or the box is.
First thing I'm wondering is that my choice of 192.168.1.0/24 and 192.168.11.0/24 for the LAN and DMZ is wrong... Is it?
Second, perhaps I've set up the firewall or NAT rules poorly resulting in sending traffic to the WAN.

Config is attached (hopefully with all the private bits removed)...


Edit: Also, I know the build is older, but I don't really want to do any major changes like that unless someone confirms it's a known issue.
There isn't a technical "DMZ" function in m0n0wall, mainly because all a DMZ does is the same as just forwarding every port to a single host. 1:1 NAT does that, so it could be considered similar to a DMZ function.

Any reason why you need to forward every port instead of the ones used by the server?

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #2 on: May 31, 2009, 08:33:38 »
tin *
Posts: 4

No, no... I'm after a real DMZ setup, not a home router style all ports forwarded job. I want a number of servers separated into their own LAN segment.

I have configured the DMZ interface with an IP in a different range, and then gave it a rule to allow all traffic (during testing so I know it works).
I attempted to ping a server that is sitting on the DMZ side (in the same IP range) but didn't get a reply.
Then I attempted a traceroute (from the monowall web interface), and discovered the first hop is the ISP router. Surely this shouldn't happen if one of its interfaces belongs to the range I am trying to ping.

What I guess I need is for someone to check my config and figure out why it's sending internally generated packets to the WAN interface when it should go to the DMZ one.
« Reply #3 on: May 31, 2009, 16:16:10 »
Fred Grayson *****
Posts: 994

How to set up DMZ is covered in the Handbook

http://doc.m0n0.ch/handbook-single/#id11642784
« Last Edit: May 31, 2009, 16:17:50 by fredg »

--
Google is your friend and Bob's your uncle.
« Reply #4 on: June 01, 2009, 01:25:10 »
tin *
Posts: 4

Yes, I read that. It doesn't help because I'd already gotten as far as configuring the interface and creating firewall rules to let things in/out.

THE MONOWALL BOX IS SENDING PACKETS THAT SHOULD GO TO DMZ OUT THE WAN INTERFACE
Can I make that any clearer? If I ask the monowall box itself to ping the DMZ network, it sends packets to the WAN interface, which is obviously wrong.

Is this a bug in the version I'm using, or a config error I've made? That's all I need to know.
« Reply #5 on: June 02, 2009, 22:41:12 »
knightmb ****
Posts: 341

Quote
Yes, I read that. It doesn't help because I'd already gotten as far as configuring the interface and creating firewall rules to let things in/out.

THE MONOWALL BOX IS SENDING PACKETS THAT SHOULD GO TO DMZ OUT THE WAN INTERFACE
Can I make that any clearer? If I ask the monowall box itself to ping the DMZ network, it sends packets to the WAN interface, which is obviously wrong.

Is this a bug in the version I'm using, or a config error I've made? That's all I need to know.
Ok, I think we are just having a mix up of terminology here that's all.
1:1 NAT is what you are looking for if you are putting it in the same category as DMZ, as you can 1:1 as many servers as you have public IPs available.

If afterwards, the servers are still going outbound as the firewall, it's because you need to turn on the Advanced NAT to solve this issue of what outbound IP these servers will appear to be.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #6 on: June 03, 2009, 04:07:23 »
tin *
Posts: 4

Hmmm. I had considered looking at advanced NAT, but ignored it because it seemed to be a routing issue.

They only have one public IP too, which means 1:1 isn't suitable... But if the advanced NAT stuff shows me something obvious (once I remember how to get into the box remotely) I guess I'll be on my way anyway. Setting up the port forward rules shouldn't hold me up.


Edit: OK, without any further changes, the thing is letting me ping the DMZ now with traffic going the right way... So I guess its routing was just stuffed (though I'm sure I rebooted it at one stage on Saturday while trying to make it work).
Would this be something to do with not having a link on the DMZ port when the WAN port came up? Is it going to be an issue in the future?
« Last Edit: June 03, 2009, 12:49:44 by tin »
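Added example, not part of the thread and not m0n0wall's own code: the symptom described above (a traceroute to the DMZ subnet whose first hop is the ISP router) is what you get when the kernel's routing table has no connected route for the DMZ subnet, so the longest-prefix match falls through to the default route on WAN. The script below parses a routing table in the layout FreeBSD's `netstat -rn` prints (m0n0wall is FreeBSD-based), performs the same longest-prefix lookup, and checks whether the interface route for a subnet is actually installed. Both sample tables, the interface names (`sis0`/`sis1`/`sis2`), and the WAN addresses are constructed assumptions, not captured from the poster's box.

```python
import ipaddress

# Constructed sample tables, modelled on the layout FreeBSD's `netstat -rn`
# prints. Not captured from the poster's box; interface names and the WAN
# addresses are assumptions for illustration.
#
# Table 1: only WAN (sis0) and LAN (sis1) have connected routes. There is
# no route for the DMZ subnet 192.168.11.0/24, so anything addressed to it
# falls through to the default route, i.e. out the WAN port.
TABLE_DMZ_ROUTE_MISSING = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0     1234   sis0
127.0.0.1          127.0.0.1          UH          0       12    lo0
192.168.1.0/24     link#2             UC          0        0   sis1
203.0.113.0/29     link#1             UC          0        0   sis0
"""

# Table 2: the same box with the DMZ interface's connected route present.
TABLE_DMZ_ROUTE_PRESENT = TABLE_DMZ_ROUTE_MISSING + \
    "192.168.11.0/24    link#3             UC          0        0   sis2\n"


def parse_routes(table_text):
    """Parse netstat -rn style lines into (network, gateway, netif) tuples.

    'default' becomes 0.0.0.0/0; a bare address (host route, flag H) becomes
    a /32. Header, blank and unparseable lines are skipped.
    """
    routes = []
    for line in table_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Destination":
            continue
        dest, gateway, netif = parts[0], parts[1], parts[5]
        if dest == "default":
            dest = "0.0.0.0/0"
        elif "/" not in dest:
            dest += "/32"
        try:
            network = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # not an IPv4 route line we understand
        routes.append((network, gateway, netif))
    return routes


def lookup(table_text, dst):
    """Longest-prefix match, as the kernel does. Returns (destination, netif).

    With no connected route for the DMZ subnet, 192.168.11.x matches only
    the default route and leaves via the WAN interface.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for network, gateway, netif in parse_routes(table_text):
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, netif)
    if best is None:
        return None
    return (str(best[0]), best[2])


def has_connected_route(table_text, subnet, netif):
    """True if an interface (link#N) route for `subnet` on `netif` is installed.

    That route is what the kernel adds when the interface is configured with
    an address; its absence is the first thing to check before suspecting
    firewall or NAT rules.
    """
    wanted = ipaddress.ip_network(subnet, strict=False)
    return any(
        network == wanted and iface == netif and gateway.startswith("link#")
        for network, gateway, iface in parse_routes(table_text)
    )


if __name__ == "__main__":
    for name, table in (("missing", TABLE_DMZ_ROUTE_MISSING),
                        ("present", TABLE_DMZ_ROUTE_PRESENT)):
        print(name, "->", lookup(table, "192.168.11.5"),
              "dmz route installed:",
              has_connected_route(table, "192.168.11.0/24", "sis2"))
```

Run against a real `netstat -rn` dump, the `has_connected_route` check distinguishes a routing problem (no `link#` route for the DMZ subnet on the DMZ NIC) from a rules problem (route present, packets still blocked), which is the distinction the thread never quite settled.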