Topic: [solved] Single wan ip -> inbound nat to lan & dmz issue  (Read 1889 times)
« on: February 15, 2010, 16:02:50 »
RoyQ *
Posts: 2

Hello,

I'm running M0n0wall (release 1.3) on a PCEngines ALIX 2d13 board with 3 NICs configured as wan, lan and dmz.

wan : single external IP
lan subnet: 172.16.211.x /26
dmz subnet: 172.16.111.x /26

I have NAT rules for 80/TCP, 443/TCP and 22/TCP from wan to a server (172.16.211.1) on the lan subnet. The firewall rules on the wan interface allow traffic on these ports to the lan subnet. Everything works perfectly. I can access the webserver from outside and I can connect using SSH. So basically nat works and the firewall ruleset works.

I have setup a testserver (172.16.111.1) on the DMZ and set the NAT rule to allow 3389/TCP from wan to the testserver on the dmz subnet. The firewall rule on the wan interface allows for connections on 3389/TCP to the dmz subnet.

--> This does not work. I can not connect to the testserver from the outside.

In a troubleshooting effort I've also set up firewall rules to allow connections to 3389/TCP from lan. This works, so I know the server accepts connections and I know the firewall rule works (well, at least from lan to dmz).

Another thing I tried was setting up a different service (telnet) on the dmz, configured nat and firewall rules for 23/TCP and see if I could get through the m0n0wall from the outside using telnet. Doesn't work either. So it doesn't seem to be a specific port issue.

I can't figure out why I can't connect to the dmz. Apart from the name (dmz and lan) the configuration is setup similar.

Question 1: Does m0n0wall support using a single wan IP address and NATing ports to either lan or dmz (e.g. from a single wan IP, NAT 22/TCP to a host on lan and 3389/TCP to a host on dmz)?

Question 2: Does anyone have an idea how to further troubleshoot this and make it work?

Thanks,
Roy
« Last Edit: February 15, 2010, 20:38:47 by RoyQ »
« Reply #1 on: February 15, 2010, 20:38:32 »
RoyQ *
Posts: 2


Note to self .... stupid.

Was doing a million things at once this weekend, one of which was replacing the ADSL modem in front of m0n0wall. Put a basic config on it to have at least some internet connectivity and also a note saying that after dinner I'd put it back in bridge mode and configure DHCP spoofing ... which of course I didn't do ;-)

Long story short, the modem's NAT blocked the new connections (apparently I uploaded an old config which did contain the 80/TCP, 443/TCP and 22/TCP nat and fw rules).

Lesson learned, always check to see if you double NAT somewhere ;-)
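The double-NAT check from the reply above, as an added example that is not part of the original thread or of m0n0wall itself: the first thing to look at when an inbound NAT rule never fires is whether the address on the WAN interface is itself a private (RFC 1918) or CGNAT (RFC 6598) address, because then the device in front of the firewall is doing its own NAT and the new connections die there, exactly as happened with the ADSL modem. The script below classifies the WAN address and, optionally, probes the forwarded ports from a host on the outside with nc(1). The WAN address, the probe target and the port list are assumptions you supply; the script does not talk to the modem or read m0n0wall's configuration.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes POSIX sh and,
# for probe_ports only, a standard nc(1) on a machine OUTSIDE the firewall.

# Return 0 if dotted-quad $1 lies in a range that can only exist behind
# another NAT: 10/8, 172.16/12, 192.168/16 (RFC 1918) or 100.64/10
# (RFC 6598 carrier-grade NAT). Return 1 for a public or malformed address.
ip_is_behind_nat() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;   # anything but digits and dots is not an IPv4 address
    esac
    oldIFS=$IFS; IFS=.
    set -- $1                        # split into octets
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    a=$1; b=$2
    case "$a" in
        10)  return 0 ;;
        172) [ "$b" -ge 16 ] && [ "$b" -le 31 ]  && return 0 ;;
        192) [ "$b" -eq 168 ] && return 0 ;;
        100) [ "$b" -ge 64 ] && [ "$b" -le 127 ] && return 0 ;;
    esac
    return 1
}

# Give a verdict for the address the firewall holds on its WAN interface.
# Returns 0 when double NAT is indicated, 1 when the WAN address is public.
# Usage: double_nat_check 192.168.1.2
double_nat_check() {
    wan_ip=$1
    if ip_is_behind_nat "$wan_ip"; then
        echo "WAN is $wan_ip: an upstream device is NATing; inbound NAT rules" \
             "on the firewall cannot be reached unless that device forwards" \
             "the ports or is put in bridge mode"
        return 0
    fi
    echo "WAN is $wan_ip: public address, no double NAT in front of the firewall"
    return 1
}

# From a host on the outside, confirm that each forwarded port completes a
# TCP handshake. nc -z sends no data; -w 3 gives up after three seconds, so a
# port swallowed by an upstream NAT shows as closed/filtered rather than hanging.
# Usage: probe_ports <public ip> 22 80 443 3389
probe_ports() {
    host=$1; shift
    for p in "$@"; do
        if nc -z -w 3 "$host" "$p" 2>/dev/null; then
            echo "$host:$p open"
        else
            echo "$host:$p closed/filtered"
        fi
    done
}
```

Run `double_nat_check` with the address m0n0wall reports for its WAN interface; a 192.168.x.x or 10.x.x.x WAN is the modem in router mode, which is what bit the poster. A public WAN address plus `probe_ports` reporting a forwarded port as closed/filtered from outside narrows the problem to the NAT rule or the WAN firewall rule on m0n0wall itself.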