Topic: LAN access of whole subnet on WAN port  (Read 3104 times)
« on: April 24, 2007, 15:03:15 »
fordprefect *
Posts: 10

Hello,

I've got the following problem:

We've got a netgear router as outgoing firewall/router to the internet. Behind the netgear router we've placed a monowall as a secondary firewall. The LAN-port of the netgear is 192.168.10.1; the WAN-port of the monowall is 192.168.10.2.

We've got a DMZ (192.168.1.0/24) and a LAN (192.168.0.0/24) behind the monowall.

This setting works without any problems.

The netgear router is the endpoint of a VPN-IPsec tunnel over the internet to another LAN with subnet 192.168.20.0/24. We tested ping and remote desktop from workstation 192.168.0.23 and could access 192.168.20.3, but it doesn't work the other way round.

The netgear router routes 192.168.0.0/24 and 192.168.1.0/24 to the monowall (192.168.10.2). This works, because we could ping 192.168.10.2 from 192.168.20.3.

Our main goal is that all machines on 192.168.20.0/24 are able to access 192.168.0.0/24 (monowall LAN) and 192.168.1.0/24 (monowall DMZ) without restrictions.

To establish this we used the following monowall rule on WAN:
Proto: *   Source: 192.168.20.0/24   Port: *   Destination: LAN net   Port: *

We could see that this works, when we enabled logging for this rule.

Unfortunately no service works.

When we add a specific inbound NAT, e.g. 22, for a specific target machine SSH works fine. But that's not our goal.

Best regards

FordPrefect

« Reply #1 on: April 24, 2007, 16:19:12 »
HairyMonster *
Posts: 18

I'd terminate the IPSec on the m0n0wall rather than the Netgear - enable IPSec passthrough.

There may be other ways around this, but my brain is a bit fried today.

The reason it works outbound is because the m0n0 is keeping state, so it knows to let the reply back through.

HM.

« Reply #2 on: April 25, 2007, 03:29:45 »
cmb *****
Posts: 851

Is m0n0wall's WAN on private IP space?

For one, you'll need to uncheck the block private IPs on the LAN.

Second, you can't get back to those because you're NAT'ing on m0n0wall. You'll need to disable NAT if you need to route as you describe. Then you'll need static routes on the Netgear pointing that DMZ and LAN subnet to m0n0wall's WAN IP.
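The three conditions in the reply above (no private-address blocking on the firewall's outside interface, NAT disabled on the secondary firewall, and a static route per inside subnet on the upstream router pointing at the firewall's WAN IP) can be checked mechanically. The script below is an added example, not code from the thread or from the m0n0wall project; it models the topology with the addresses given in the first post, and the assumption that the block-private-networks option was enabled on the m0n0wall WAN is a constructed one (the thread does not say).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Topology:
    """Constructed description of a two-firewall setup like the one in the thread."""
    fw_wan_ip: str                 # secondary firewall's WAN address
    inside_subnets: List[str]      # subnets behind the secondary firewall (LAN, DMZ)
    remote_subnet: str             # subnet on the far end of the upstream router's tunnel
    upstream_routes: Dict[str, str]  # upstream router: destination prefix -> next hop
    nat_enabled: bool              # secondary firewall NATs traffic leaving its WAN
    block_private_on_wan: bool     # secondary firewall drops RFC 1918 sources arriving on WAN


def audit(topo: Topology) -> List[str]:
    """Return the configuration problems that stop remote hosts reaching inside subnets."""
    findings = []
    wan_ip = ipaddress.ip_address(topo.fw_wan_ip)
    remote = ipaddress.ip_network(topo.remote_subnet)

    # 1. The tunnel subnet is RFC 1918 space; a "block private networks" option
    #    on the outside interface silently discards it before any pass rule runs.
    if topo.block_private_on_wan and remote.is_private:
        findings.append(
            f"{remote} is private space; the block-private-networks option "
            f"on the WAN drops it before the pass rule is evaluated")

    # 2. With NAT, the inside subnets are hidden behind the WAN address, so the
    #    remote side cannot address them directly: route instead of NAT.
    if topo.nat_enabled:
        findings.append(
            "NAT on the firewall WAN: inside subnets are not reachable by "
            "their own addresses; disable NAT and route instead")

    # 3. The upstream router needs one static route per inside subnet whose
    #    next hop is the secondary firewall's WAN IP.
    for prefix in topo.inside_subnets:
        net = ipaddress.ip_network(prefix)
        hop = topo.upstream_routes.get(str(net))
        if hop is None:
            findings.append(f"upstream router has no route for {net}; add one via {wan_ip}")
        elif ipaddress.ip_address(hop) != wan_ip:
            findings.append(f"upstream route for {net} points at {hop}, expected {wan_ip}")
    return findings


def as_described() -> Topology:
    """The setup from the first post (block-private setting is an assumption)."""
    return Topology(
        fw_wan_ip="192.168.10.2",
        inside_subnets=["192.168.0.0/24", "192.168.1.0/24"],
        remote_subnet="192.168.20.0/24",
        upstream_routes={"192.168.0.0/24": "192.168.10.2",
                         "192.168.1.0/24": "192.168.10.2"},
        nat_enabled=True,
        block_private_on_wan=True,
    )


def as_recommended() -> Topology:
    """Same topology after applying the three changes from the reply."""
    topo = as_described()
    topo.nat_enabled = False
    topo.block_private_on_wan = False
    return topo


if __name__ == "__main__":
    for label, topo in (("as described", as_described()), ("as recommended", as_recommended())):
        print(f"{label}:")
        for line in audit(topo) or ["no findings"]:
            print("  -", line)
```

Running it prints two findings for the configuration as posted (private-source blocking and NAT) and none once NAT and the private-network block are switched off, while the Netgear's existing static routes pass the route check; removing one of those routes from `upstream_routes` produces a third finding.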