Topic: Opt2 access to internet  (Read 4930 times)
« on: October 27, 2009, 19:08:59 »
easy *
Posts: 10

First, I'm new to Monowall, so please have patience.  I have a wireless router connected to the Opt2 port.  I want the traffic going through this port to be able to access the internet only, not the LAN.   I have followed the setup in the DMZ section number 13 in the handbook.

I have set a rule in WAN to pass to any.

I have set a rule in Opt2 from the Opt2 interface to Allow the source Opt2 subnet with NOT to LAN on the destination.

Are there other rules I need to put into place to make this work?

The LAN and WAN are functioning correctly on the firewall.

Thank you in advance.
« Reply #1 on: October 28, 2009, 10:12:37 »
markb ****
Posts: 331

It is important to make sure that the rules are in the correct order.  I'm not sure that your first rule is correct, as you don't add it to the WAN.  The rules work on traffic entering the Monowall, not exiting.  I tend not to use the NOT feature as it makes the logic more complicated.  You need 2 rules on the opt interface.  The first rule blocks all traffic from the opt subnet to the LAN, the second rule allows traffic from the opt subnet to any.  As the rules are processed in order, it will block all traffic to the LAN yet still allow traffic to anywhere else.
« Reply #2 on: October 28, 2009, 15:15:14 »
easy *
Posts: 10

These are the two rules I have now for the Opt2 (Wireless)

X = block, A = Allow

X-A / Prot / Source / Port / Destination / Port
----------------------------------------------------------
X / * / Opt2 / * / LAN net / *
A / * / Opt2 / * / * / *

I am blocking traffic to the LAN now and allowing traffic to any in the order you suggested.  When I connect to the wireless, I can ping the firewall itself, but I can not ping nor load any webpages, either by URL or by IP address.

I can ping websites such as yahoo by both name and IP address while wired into the LAN.

Are there other rules I need to look at possibly?  Maybe another setting not necessarily in rules?

I've double checked the Opt2 (Wireless) interface: it is enabled, bridged with none, and has the correct IP address with a 255.255.255.0 mask, so the setting is /24.

Any further help would be greatly appreciated, thank you in advance.
« Reply #3 on: October 28, 2009, 20:46:24 »
easy *
Posts: 10

Minor tweaking of IP addresses along with the rules you provided.  Thank you for your help.
« Reply #4 on: October 29, 2009, 10:05:24 »
markb ****
Posts: 331

Happy to help, thanks for coming back to let us know it worked.
« Reply #5 on: October 29, 2009, 21:28:52 »
easy *
Posts: 10

I have an issue now with VPN using this newly configured Opt2 port.

To review: Opt2 is a wireless router; I've made the changes on the router to allow PPTP traffic to pass through.  The Opt2 port is not allowed to see the LAN per the rule in the posts above.

Opt2 port is able to see the internet successfully and is not allowed to access any of the LAN computers.  I have a PPTP VPN that works correctly via port 1723 set up on the WAN port on the monowall.  There are both a WAN rule and a WAN NAT entry pointing to the internal IP address of the Domain controller for VPN authentication.  It works flawlessly and without issue.

I have implemented the same rule and NAT entry for the OPT2 port.  Without those entries, the VPN would not even connect to the network saying the PPTP server did not accept incoming connections.  Once I made the NAT entry for OPT2 pointing to the internal IP address of the domain controller, the VPN was able to get to the point where it states "verifying user name and password."

And that's where it stops.

I have a hunch that since the OPT2 port is blocked from the LAN, and the NAT points to the internal address of the domain controller, this is where the hangup is.  But, again, I'm new to this.  Are there other rules, ports or entries that could be made to remedy this?
« Reply #6 on: October 30, 2009, 10:14:42 »
markb ****
Posts: 331

I assume that your VPN server is located on your LAN, in which case you do not need to use NAT from the opt interface.  Rather, create a rule allowing TCP from the opt subnet, any port, to the VPN server, port 1723.  Also a rule to allow GRE from the opt subnet to the PPTP server.  The 2 rules need to go in above the block all to LAN rule.  Again, as the rules are processed in order, it will allow the VPN traffic but block everything else while allowing traffic to the internet.
« Reply #7 on: November 02, 2009, 15:59:58 »
easy *
Posts: 10

If I omit the NAT rule, the VPN spins its wheels searching for the login server, so I believe that is necessary to leave in the NAT section.  I put the NAT rule back in and then it sat at the verifying username and password, which means that as far as I can see, it is reaching the login server.  The login server is a domain controller and has routing enabled as well; I may have to look into the way the routing is set up on the DC now.

I have added the rules you suggested, with entries before the "deny to LAN" but it is still sitting at the username/password thing, so I think it is getting where it needs to go, but something is stopping it on the LAN side possibly.
« Reply #8 on: November 02, 2009, 21:26:32 »
easy *
Posts: 10

New symptom to add...

We have one external IP address here.  We also have webmail set up on the internal server that hosts the VPN connection (domain controller and exchange server as well).  When we try to go to the webmail server at mail.******.com, the login shows up for the monowall gui when going through the Opt port which is connected to the wireless router here.  If you are connected from home via VPN, going through the WAN, it goes to the webmail correctly.

I wonder if that could also be affecting the login from VPN and why it is spinning its wheels at the username and password when connected to the Opt port?  My guess is that it is just sitting at the firewall and may not actually be reaching the VPN server itself for authentication.
« Reply #9 on: November 03, 2009, 10:46:09 »
markb ****
Posts: 331

Can you post an edited copy of your config xml file so we can have a look at exactly how you have set things up?
« Reply #10 on: November 03, 2009, 15:13:14 »
easy *
Posts: 10

I hope this is somewhat understandable with all the breaks in the code...
Thank you again for your patience and review.

<?xml version="1.0"?>
<m0n0wall>
   <version>1.6</version>
   <lastchange>1257184616</lastchange>
   <system>
      <hostname>m0n0wall</hostname>
      <domain>*****</domain>
      <dnsallowoverride/>
      <username>admin</username>
      <password>************</password>
      <timezone>America/Detroit</timezone>
      <time-update-interval>300</time-update-interval>
      <timeservers>pool.ntp.org</timeservers>
      <webgui>
         <protocol>http</protocol>
         <port/>
         <certificate/>
         <private-key/>
      </webgui>
      <harddiskstandby/>
      <dnsserver>*********</dnsserver>
      <dnsserver>*******</dnsserver>
      <dnsserver>********</dnsserver>
   </system>
   <interfaces>
      <lan>
         <if>vr0</if>
         <ipaddr>10.100.0.1</ipaddr>
         <subnet>24</subnet>
         <media/>
         <mediaopt/>
      </lan>
      <wan>
         <if>rl0</if>
         <mtu/>
         <media/>
         <mediaopt/>
         <spoofmac/>
         <ipaddr>*********</ipaddr>
         <subnet>28</subnet>
         <gateway>********</gateway>
      </wan>
      <opt1>
         <if>rl1</if>
         <descr>OPT1</descr>
         <ipaddr>10.100.4.3</ipaddr>
         <subnet>24</subnet>
         <bridge/>
         <enable/>
      </opt1>
      <opt2>
         <if>rl2</if>
         <descr>Wireless</descr>
         <ipaddr>10.100.4.1</ipaddr>
         <subnet>24</subnet>
         <bridge/>
      </opt2>
   </interfaces>
   <staticroutes/>
   <pppoe/>
   <pptp/>
   <bigpond/>
   <dyndns>
      <type>dyndns</type>
      <username/>
      <password/>
      <host/>
      <mx/>
      <server/>
      <port/>
   </dyndns>
   <dnsupdate/>
   <dhcpd>
      <lan>
         <enable/>
         <range>
            <from>192.168.1.100</from>
            <to>192.168.1.199</to>
         </range>
      </lan>
   </dhcpd>
   <pptpd>
      <mode>redir</mode>
      <redir>10.100.0.10</redir>
      <localip/>
      <remoteip/>
      <radius>
         <server/>
         <secret/>
      </radius>
   </pptpd>
   <dnsmasq>
      <enable/>
   </dnsmasq>
   <snmpd>
      <syslocation/>
      <syscontact/>
      <rocommunity>public</rocommunity>
   </snmpd>
   <diag>
      <ipv6nat>
         <ipaddr/>
      </ipv6nat>
   </diag>
   <bridge>
      <filteringbridge/>
   </bridge>
   <syslog/>
   <nat>
      <rule>
         <protocol>tcp</protocol>
         <external-port>21</external-port>
         <target>10.100.0.10</target>
         <local-port>21</local-port>
         <interface>wan</interface>
         <descr>FTP Service</descr>
      </rule>
      <rule>
         <protocol>tcp</protocol>
         <external-port>25</external-port>
         <target>10.100.0.10</target>
         <local-port>25</local-port>
         <interface>wan</interface>
         <descr/>
      </rule>
      <rule>
         <protocol>tcp</protocol>
         <external-port>53</external-port>
         <target>10.100.0.10</target>
         <local-port>53</local-port>
         <interface>wan</interface>
         <descr>DNS</descr>
      </rule>
      <rule>
         <protocol>tcp</protocol>
         <external-port>80</external-port>
         <target>10.100.0.10</target>
         <local-port>80</local-port>
         <interface>wan</interface>
         <descr/>
      </rule>
      <rule>
         <protocol>tcp</protocol>
         <external-port>110</external-port>
         <target>10.100.0.10</target>
         <local-port>110</local-port>
         <interface>wan</interface>
         <descr/>
      </rule>
      <rule>
         <protocol>tcp</protocol>
         <external-port>137</external-port>
         <target>10.100.0.10</target>
         <local-port>137</local-port>
         <interface>wan</interface>
         <descr>WINS</descr>
      </rule>
      <rule>
         <protocol>tcp</protocol>
         <external-port>143</external-port>
         <target>10.100.0.10</target>
         <local-port>143</local-port>
         <interface>wan</interface>
         <descr/>
      </rule>
      <rule>
         <protocol>tcp</protocol>
         <external-port>443</external-port>
         <target>10.100.0.10</target>
         <local-port>443</local-port>
         <interface>wan</interface>
         <descr/>
      </rule>
      <rule>
         <protocol>tcp</protocol>
         <external-port>1723</external-port>
         <target>10.100.0.10</target>
         <local-port>1723</local-port>
         <interface>wan</interface>
         <descr>VPN Port</descr>
      </rule>
      <rule>
         <protocol>tcp</protocol>
         <external-port>3389</external-port>
         <target>10.100.0.10</target>
         <local-port>3389</local-port>
         <interface>wan</interface>
         <descr/>
      </rule>
      <rule>
         <protocol>tcp</protocol>
         <external-port>65000-65100</external-port>
         <target>10.100.0.10</target>
         <local-port>65000</local-port>
         <interface>wan</interface>
         <descr>Firewall Ports to allow FTP to function.</descr>
      </rule>
      <rule>
         <protocol>tcp</protocol>
         <external-port>1723</external-port>
         <target>10.100.0.10</target>
         <local-port>1723</local-port>
         <interface>opt1</interface>
         <descr/>
      </rule>
      <portrange-low/>
      <portrange-high/>
   </nat>
   <filter>
      <rule>
         <interface>wan</interface>
         <protocol>tcp</protocol>
         <source>
            <any/>
         </source>
         <destination>
            <address>10.100.0.10</address>
            <port>21</port>
         </destination>
         <descr>NAT FTP Service</descr>
      </rule>
      <rule>
         <interface>wan</interface>
         <protocol>tcp</protocol>
         <source>
            <any/>
         </source>
         <destination>
            <address>10.100.0.10</address>
            <port>25</port>
         </destination>
         <descr>NAT </descr>
      </rule>
      <rule>
         <interface>wan</interface>
         <protocol>tcp</protocol>
         <source>
            <any/>
         </source>
         <destination>
            <address>10.100.0.10</address>
            <port>143</port>
         </destination>
         <descr>NAT </descr>
      </rule>
      <rule>
         <interface>wan</interface>
         <protocol>tcp</protocol>
         <source>
            <any/>
         </source>
         <destination>
            <address>10.100.0.10</address>
            <port>110</port>
         </destination>
         <descr>NAT </descr>
      </rule>
      <rule>
         <interface>wan</interface>
         <protocol>tcp</protocol>
         <source>
            <any/>
         </source>
         <destination>
            <address>10.100.0.10</address>
            <port>3389</port>
         </destination>
         <descr>NAT </descr>
      </rule>
      <rule>
         <interface>wan</interface>
         <protocol>tcp</protocol>
         <source>
            <any/>
         </source>
         <destination>
            <address>10.100.0.10</address>
            <port>80</port>
         </destination>
         <descr>NAT </descr>
      </rule>
      <rule>
         <interface>wan</interface>
         <protocol>tcp</protocol>
         <source>
            <any/>
         </source>
         <destination>
            <address>10.100.0.10</address>
            <port>443</port>
         </destination>
         <descr>NAT </descr>
      </rule>
      <rule>
         <interface>wan</interface>
         <protocol>tcp</protocol>
         <source>
            <any/>
         </source>
         <destination>
            <address>10.100.0.10</address>
            <port>1723</port>
         </destination>
         <descr>NAT VPN Port</descr>
      </rule>
      <rule>
         <interface>wan</interface>
         <protocol>tcp</protocol>
         <source>
            <any/>
         </source>
         <destination>
            <address>10.100.0.10</address>
            <port>65000-65100</port>
         </destination>
         <descr>NAT </descr>
      </rule>
      <rule>
         <interface>wan</interface>
         <protocol>tcp</protocol>
         <source>
            <any/>
         </source>
         <destination>
            <address>10.100.0.10</address>
            <port>137</port>
         </destination>
         <descr>NAT WINS</descr>
      </rule>
      <rule>
         <interface>wan</interface>
         <protocol>tcp</protocol>
         <source>
            <any/>
         </source>
         <destination>
            <address>10.100.0.10</address>
            <port>53</port>
         </destination>
         <descr>NAT DNS</descr>
      </rule>
      <rule>
         <type>pass</type>
         <interface>wan</interface>
         <protocol>tcp</protocol>
         <source>
            <any/>
         </source>
         <destination>
            <address>10.100.0.10</address>
            <port>995</port>
         </destination>
         <descr>Gmail Incoming POP3</descr>
      </rule>
      <rule>
         <type>pass</type>
         <interface>wan</interface>
         <protocol>tcp</protocol>
         <source>
            <any/>
         </source>
         <destination>
            <address>10.100.0.10</address>
            <port>465</port>
         </destination>
         <descr>Gmail Outgoing SMTP</descr>
      </rule>
      <rule>
         <type>pass</type>
         <interface>pptp</interface>
         <protocol>gre</protocol>
         <source>
            <network>opt2</network>
         </source>
         <destination>
            <address>10.100.0.10</address>
         </destination>
         <descr>GRE</descr>
      </rule>
      <rule>
         <type>pass</type>
         <interface>opt2</interface>
         <protocol>tcp</protocol>
         <source>
            <network>opt2</network>
         </source>
         <destination>
            <network>lan</network>
            <not/>
         </destination>
         <descr/>
      </rule>
      <rule>
         <type>pass</type>
         <interface>opt2</interface>
         <protocol>tcp</protocol>
         <source>
            <network>opt2</network>
         </source>
         <destination>
            <any/>
         </destination>
         <descr>Wireless to Any</descr>
      </rule>
      <rule>
         <type>pass</type>
         <interface>opt1</interface>
         <source>
            <network>opt1</network>
         </source>
         <destination>
            <network>lan</network>
            <not/>
         </destination>
         <log/>
         <descr>Opt1 not LAN</descr>
      </rule>
      <rule>
         <type>pass</type>
         <interface>opt1</interface>
         <source>
            <any/>
         </source>
         <destination>
            <network>opt1</network>
         </destination>
         <descr/>
      </rule>
      <rule>
         <type>pass</type>
         <interface>opt1</interface>
         <source>
            <network>opt1</network>
         </source>
         <destination>
            <any/>
         </destination>
         <log/>
         <descr>Opt1 Any</descr>
      </rule>
      <rule>
         <type>pass</type>
         <interface>opt1</interface>
         <protocol>tcp/udp</protocol>
         <source>
            <any/>
         </source>
         <destination>
            <any/>
            <port>53</port>
         </destination>
         <descr>DNS</descr>
      </rule>
      <rule>
         <type>pass</type>
         <interface>opt1</interface>
         <protocol>gre</protocol>
         <source>
            <network>opt1</network>
         </source>
         <destination>
            <network>lan</network>
         </destination>
         <descr/>
      </rule>
      <rule>
         <type>pass</type>
         <descr>Default LAN -&gt; any</descr>
         <interface>lan</interface>
         <source>
            <network>lan</network>
         </source>
         <destination>
            <any/>
         </destination>
      </rule>
      <tcpidletimeout/>
   </filter>
   <shaper/>
   <ipsec/>
   <aliases/>
   <proxyarp/>
   <wol/>
</m0n0wall>
« Reply #11 on: November 03, 2009, 17:13:53 »
easy *
Posts: 10

I know there is a lot going on in this thread, but I'll try to summarize what I have going on here.

We have one external IP address to deal with.  One server running as domain controller, VPN authenticator, and email/webmail server listening on mail.***.com

Wireless access point inside the building here that we want to go through Opt port to the internet only, no LAN access.  Then, ability to log onto VPN and webmail from the wirelessly connected laptops.

When connected to WAN, from home for instance, VPN and webmail URL work flawlessly.

When connected to wireless router, through Opt port, able to get to internet, unable to see LAN.  However, VPN hangs at verifying username and password.  Also, going to webmail URL of mail.***.com brings up prompt to log into monowall webgui.

For visual clarification, diagram:

http://img266.imageshack.us/img266/8199/74361037.jpg
« Reply #12 on: November 03, 2009, 17:28:54 »
Fred Grayson *****
Posts: 994

If you are trying to connect to the WAN IP, or a hostname that resolves to the WAN IP from machines behind the m0n0wall, then this will not work. You will have to use the local private IP address or a hostname that resolves to that address.

--
Google is your friend and Bob's your uncle.
« Reply #13 on: November 03, 2009, 20:47:39 »
easy *
Posts: 10

Is there any possible scenario of settings or configurations where the wireless access point would be able to access the internet only (no LAN access) and still be able to reach the internal server via the WAN address?

The reason I ask is because the president of the company only wants the wireless to have internet access for guests visiting the company.  He also wants employees in meeting rooms, for example, to be able to still VPN into the network here to have access to things such as file servers via a wireless connection.
« Reply #14 on: November 04, 2009, 10:50:33 »
markb ****
Posts: 331

OK,

The first thing I notice from your config is that the Opt1 and Opt2 interfaces are both on the same subnet.  This will not work as monowall will not know where to direct the traffic to, they need to be separate subnets.

Next, it looks like you have DHCP enabled on your LAN providing addresses on a different subnet.  (This is enabled by default so you might not have noticed this.)  If you do want to use DHCP from the monowall, you need to amend the subnet, or else, turn it off.

The next thing I notice is that you have enabled the PPTP server in redirect mode, but have also created the rules for NATing the PPTP inwards.  This could be causing confusion in the router.  I suggest one or the other.  The simplest way might be to remove the PPTP NAT & rules and go with the PPTP redirection.  I'm not sure if that option automatically adds a rule.

A useful debugging tip is judicious use of logging.  If you add a block all rule to the end of each rule list, and choose to log this, you can see if things are getting blocked.  When I say judicious use, I mean not turning logging on for all interfaces at the same time, as this will flood your log file with extra data and make it difficult to see what you are looking for.
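The three config problems markb lists (OPT1 and OPT2 in the same subnet, a LAN DHCP range outside the LAN subnet, and an OPT interface that passes to any without an earlier block to the LAN, as in his first reply) can all be caught mechanically from the config.xml. The script below is an added example, not something from the thread or from m0n0wall itself; it parses a constructed config in the same layout as the one posted above and reports each of those findings. It assumes a rule with no <type> element is a pass rule.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the layout of the posted m0n0wall config.xml; the addresses
# mirror the thread (LAN 10.100.0.1/24, OPT1 and OPT2 both in 10.100.4.0/24, LAN DHCP on 192.168.1.x).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<m0n0wall>
  <interfaces>
    <lan><if>vr0</if><ipaddr>10.100.0.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>rl1</if><descr>OPT1</descr><ipaddr>10.100.4.3</ipaddr><subnet>24</subnet><enable/></opt1>
    <opt2><if>rl2</if><descr>Wireless</descr><ipaddr>10.100.4.1</ipaddr><subnet>24</subnet></opt2>
  </interfaces>
  <dhcpd><lan><enable/><range><from>192.168.1.100</from><to>192.168.1.199</to></range></lan></dhcpd>
  <filter>
    <rule><type>pass</type><interface>opt2</interface><protocol>tcp</protocol>
      <source><network>opt2</network></source><destination><any/></destination></rule>
    <rule><type>pass</type><interface>opt1</interface>
      <source><network>opt1</network></source><destination><network>lan</network><not/></destination></rule>
  </filter>
</m0n0wall>"""


def interface_networks(root):
    """Map interface tag (lan, wan, opt1, ...) to its ip_network, skipping unaddressed ones."""
    nets = {}
    for iface in root.find("interfaces"):
        addr, bits = iface.findtext("ipaddr"), iface.findtext("subnet")
        if addr and bits:
            nets[iface.tag] = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
    return nets


def audit(xml_text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    nets, findings = interface_networks(root), []
    names = sorted(nets)
    # 1. Two interfaces whose subnets overlap (the first thing markb spotted).
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"overlap: {a} {nets[a]} and {b} {nets[b]}")
    # 2. An enabled DHCP scope whose range lies outside that interface's own subnet.
    dhcpd = root.find("dhcpd")
    for scope in (dhcpd if dhcpd is not None else []):
        if scope.find("enable") is None or scope.tag not in nets:
            continue
        for bound in ("from", "to"):
            ip = ipaddress.ip_address(scope.findtext(f"range/{bound}"))
            if ip not in nets[scope.tag]:
                findings.append(f"dhcp: {scope.tag} range bound {ip} outside {nets[scope.tag]}")
    # 3. On an OPT interface, a pass-to-any rule with no earlier block/reject to the LAN net.
    # Assumption: a rule without a <type> element is treated as pass.
    blocked = set()
    for rule in root.find("filter").iter("rule"):
        iface, rtype = rule.findtext("interface"), rule.findtext("type") or "pass"
        dest = rule.find("destination")
        if not iface or not iface.startswith("opt") or dest is None:
            continue
        if rtype in ("block", "reject") and dest.findtext("network") == "lan" and dest.find("not") is None:
            blocked.add(iface)
        elif rtype == "pass" and dest.find("any") is not None and iface not in blocked:
            findings.append(f"order: {iface} passes to any with no preceding block to LAN")
    return findings
```

Running audit(SAMPLE_CONFIG) on the sample reports the OPT1/OPT2 overlap, both DHCP range bounds outside the LAN subnet, and the unguarded pass-to-any rule on opt2; a rule list that puts a block to LAN net ahead of the pass-to-any rule clears the last finding.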