Topic: Destination WAN address is dead end road?  (Read 2274 times)
« on: April 26, 2010, 05:17:22 »
udippel *
Posts: 17

Here I am running a number of networks off m0n0wall.
If I set
*      LAN2 net      *      any      *      Default LAN2 -> any
everything works, except that - of course - LAN2 can see LAN and WLAN, etc.
But this is not what I want. I want LAN2 to just go out without seeing any other network:
*      LAN2 net      *      WAN address      *      Default LAN2 -> WAN only

Though, this does not work. It sets the firewall rule to
pass in quick from 192.168.1.0/24 to 172.20.16.207 keep state group 300
and that's what it does: it can't even ping its own gateway, nor leave the WAN address at all.
I have already tried to allow
172.20.16.0/24 instead of 'WAN address'
and now I can ping the gateway to the outside on the WAN: 172.20.16.1 as well. But somehow it doesn't know that this is the gateway ...

In a nutshell:
How can I simply set LAN2 (or any other of the networks) to allow outgoing without seeing all other networks?

Uwe


« Reply #1 on: April 26, 2010, 05:56:10 »
SteveEast *
Posts: 30

You could permit all LAN2 traffic that is NOT going to the LAN.

Problem comes when there are a lot of subnets; then you would have to block each one individually and end with a permit all. Easy to miss one.

Steve.
« Reply #2 on: April 26, 2010, 11:17:15 »
udippel *
Posts: 17

You could permit all LAN2 traffic that is NOT going to the LAN.
Problem comes when there are a lot of subnets; then you would have to block each one individually and end with a permit all. Easy to miss one.


Exactly. I have 4 subnets as of now, and was hoping for a straightforward solution. One that follows the logic of "from Net1 to Net2" as compared to "from Net1 to any".

I wonder: why do the packets on the WAN interface not see/know their gateway with 'LAN2->WAN', though they do know about the gateway with 'LAN2->any'? Where does this info come from, if not from the settings of the WAN interface?

Uwe
« Reply #3 on: April 26, 2010, 15:03:59 »
SteveEast *
Posts: 30

Are you sure about not seeing the gateway? Have you done a traceroute? With the /24 allow in place I would expect packets for the outside world to be discarded after they hit the gateway address.

Steve.
« Reply #4 on: April 27, 2010, 04:22:20 »
udippel *
Posts: 17

Are you sure about not seeing the gateway? Have you done a traceroute? With the /24 allow in place I would expect packets for the outside world to be discarded after they hit the gateway address.

I try to understand you. In the following I set 'LAN2->WAN pass any' (which in my humble opinion should allow outgoing packets to WAN (172.20.16.0/24) and beyond).
The relevant part of the rules:
pass in quick from 192.168.1.0/24 to 172.20.16.0/24 keep state group 300

I don't see the gateway of the LAN2 network (192.168.1.0/24):
$ ping 192.168.1.200
PING 192.168.1.200 (192.168.1.200): 56 data bytes
--- 192.168.1.200 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss

I do see the address of m0n0wall on the WAN (172.20.16.207) and all addresses in the WAN network, including the gateway of the WAN network (172.20.16.1):
$ ping 172.20.16.207
PING 172.20.16.207 (172.20.16.207): 56 data bytes
64 bytes from 172.20.16.207: icmp_seq=0 ttl=64 time=0.336 ms
$ ping 172.20.16.1   
PING 172.20.16.1 (172.20.16.1): 56 data bytes
64 bytes from 172.20.16.1: icmp_seq=0 ttl=254 time=0.608 ms

But there is nothing beyond the WAN:
$ ping 172.16.0.4
PING 172.16.0.4 (172.16.0.4): 56 data bytes
--- 172.16.0.4 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

Since it can reach the gateway, but not go beyond it, I have the feeling that the packets simply don't know about the gateway of the WAN network. Why??

Here come the traceroutes:

1. to the WAN gateway:
$ traceroute 172.20.16.1
traceroute to 172.20.16.1 (172.20.16.1), 64 hops max, 40 byte packets
 1  192.168.1.200 (192.168.1.200)  0.337 ms  0.412 ms  0.287 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *

2. to an outside address beyond the WAN:
$ traceroute 172.16.0.4                                                       
traceroute to 172.16.0.4 (172.16.0.4), 64 hops max, 40 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *


If I do 'any' destination:
pass in quick from 192.168.1.0/24 to any keep state group 300
however, everything is fine:

$ ping 192.168.1.200     
PING 192.168.1.200 (192.168.1.200): 56 data bytes
64 bytes from 192.168.1.200: icmp_seq=0 ttl=64 time=0.310 ms

$ ping 172.16.0.4       
PING 172.16.0.4 (172.16.0.4): 56 data bytes
64 bytes from 172.16.0.4: icmp_seq=0 ttl=251 time=0.949 ms

Everything okay until here. Is it?:

$ traceroute 172.16.0.4 
traceroute to 172.16.0.4 (172.16.0.4), 64 hops max, 40 byte packets
 1  192.168.1.200 (192.168.1.200)  0.283 ms  0.287 ms  0.299 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *

Would '*' not include all ICMP?

Since all echo requests are allowed, I guess it is a m0n0wall bug. Because from m0n0wall itself I can traceroute that same address:

Note: Traceroute may take a while to complete. You may hit the Stop button on your browser at any time to see the progress of failed traceroutes.

Traceroute output:

traceroute to 172.16.0.4 (172.16.0.4), 18 hops max, 40 byte packets
 1  172.20.16.1  0.547 ms  0.419 ms  0.369 ms
 2  172.20.27.5  0.530 ms  0.446 ms  0.478 ms
 3  172.16.2.243  1.640 ms  0.759 ms  0.725 ms
 4  172.16.0.4  1.086 ms  0.688 ms  0.618 ms


In a nutshell, there is a bunch of illogical behaviours here:
Traceroute is supposed to work with 'LAN2->any->any' if it works from m0n0wall itself.
If LAN2 can reach the gateway, there is no reason to disallow the packets to go further. (Yes, I read and understood the 'whatever is not explicitly allowed is denied'. But it doesn't make much sense that one has to allow all ('any') to reach the outside, and then cut down by blocking everything that one doesn't want to be reached. A single 'any from LAN to WAN' should allow reaching the outside, as far as I am concerned.)

Should anything be unclear, please ask.


Uwe


I'll add the complete rules as set up by my m0n0wall. The difference between the two cases is:
$ diff rules1 rules2
95c95
< pass in quick from 192.168.1.0/24 to 172.20.16.0/24 keep state group 300
---
> pass in quick from 192.168.1.0/24 to any keep state group 300
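Review bot: the only difference between the two files is the destination, and that destination is matched against the packet's own destination address as it enters fxp1, not against the interface the packet will leave by. A packet from 192.168.1.x to 172.16.0.4 therefore matches neither `to 172.20.16.0/24` nor any other rule in group 300 and is dropped by the group head `block in log quick on fxp1 all head 300`; the same applies to a ping to 192.168.1.200. That is consistent with what the thread reports: 172.20.16.1 and 172.20.16.207 answer because they lie inside the /24, while anything beyond the gateway does not. To let LAN2 out without reaching the other local subnets, put `block in quick from 192.168.1.0/24 to <subnet>` lines for each other local subnet ahead of the existing `pass in quick from 192.168.1.0/24 to any keep state group 300`, as the posted group 500 rules already do for opt3. Note that those opt3 rules block only 192.168.116.0/24 and 192.168.1.0/24, so opt2's 172.24.0.200/31 is still reachable from opt3, which is exactly the "easy to miss one" case Steve raised.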
$

# loopback
pass in quick on lo0 all
pass out quick on lo0 all
# block short packets
block in log quick all with short

# block IP options
block in log quick all with ipopts

# allow access to DHCP server on LAN
pass in quick on fxp3 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on fxp3 proto udp from any port = 68 to 192.168.116.200 port = 67
pass out quick on fxp3 proto udp from 192.168.116.200 port = 67 to any port = 68

# allow access to DHCP server on opt1
pass in quick on fxp1 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on fxp1 proto udp from any port = 68 to 192.168.1.200 port = 67
pass out quick on fxp1 proto udp from 192.168.1.200 port = 67 to any port = 68

# allow access to DHCP server on opt3
pass in quick on ath0 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on ath0 proto udp from any port = 68 to 10.10.42.200 port = 67
pass out quick on ath0 proto udp from 10.10.42.200 port = 67 to any port = 68

# WAN spoof check
block in log quick on fxp0 from 192.168.116.0/24 to any
block in log quick on fxp0 from 192.168.1.0/24 to any
block in log quick on fxp0 from 172.24.0.200/31 to any
block in log quick on fxp0 from 10.10.42.0/24 to any

# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
pass out quick on fxp0 proto udp from any port = 68 to any port = 67
block in log quick on fxp0 proto udp from any port = 67 to 192.168.116.0/24 port = 68
pass in quick on fxp0 proto udp from any port = 67 to any port = 68

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
block in log quick on fxp3 from ! 192.168.116.0/24 to any
block in log quick on fxp1 from ! 192.168.1.0/24 to any
block in log quick on fxp2 from ! 172.24.0.200/31 to any
block in log quick on ath0 from ! 10.10.42.0/24 to any

# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all

#---------------------------------------------------------------------------
# group head 100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on fxp3 all head 100

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on fxp3 all keep state

#---------------------------------------------------------------------------
# group head 200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on fxp0 all head 200

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on fxp0 all keep state
      
#---------------------------------------------------------------------------
# group head 300 - opt1 interface
#---------------------------------------------------------------------------
block in log quick on fxp1 all head 300

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on fxp1 all keep state
      
#---------------------------------------------------------------------------
# group head 400 - opt2 interface
#---------------------------------------------------------------------------
block in log quick on fxp2 all head 400

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on fxp2 all keep state
      
#---------------------------------------------------------------------------
# group head 500 - opt3 interface
#---------------------------------------------------------------------------
block in log quick on ath0 all head 500

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on ath0 all keep state

# make sure the user cannot lock himself out of the webGUI
pass in quick from 192.168.116.0/24 to 192.168.116.200 keep state group 100

# User-defined rules follow
block in quick from 10.10.42.0/24 to 192.168.116.0/24 group 500
block in quick from 10.10.42.0/24 to 192.168.1.0/24 group 500
pass in quick from 10.10.42.0/24 to any keep state group 500
pass in quick from 192.168.1.0/24 to any keep state group 300
pass in quick from 192.168.116.0/24 to any keep state group 100
   
#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all
block out log quick all

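Added example, not code from this thread or from m0n0wall: a small Python model of how ipfilter evaluates the `quick` rules of one interface group, used to replay the three LAN2 rule variants above and to generate the block-then-pass rule set that Steve describes in Reply #1 from the interface table instead of typing one block line per subnet by hand. The interface names, subnets, group numbers and addresses are transcribed from the posted rule set; the matcher itself is an assumption, a simplified first-match model that looks only at source and destination address and ignores protocol, ports, the DHCP and spoof-check rules, and NAT. The `still_reachable` check is applied to the posted group 500 (opt3) rules as well.

```python
from ipaddress import ip_address, ip_network

# Interface table transcribed from the spoof-check and group-head lines of the
# posted rule set: interface -> (m0n0wall name, subnet, ipfilter group number).
LOCAL = {
    "fxp3": ("LAN",  ip_network("192.168.116.0/24"), 100),
    "fxp1": ("opt1", ip_network("192.168.1.0/24"),   300),   # "LAN2" in the thread
    "fxp2": ("opt2", ip_network("172.24.0.200/31"),  400),
    "ath0": ("opt3", ip_network("10.10.42.0/24"),    500),
}
WAN_ADDRESS = ip_network("172.20.16.207/32")   # what the GUI's "WAN address" expands to
WAN_SUBNET = ip_network("172.20.16.0/24")      # the second attempt in the thread


def fmt(net):
    """Print a /32 as a bare host address, the way the posted rules do."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)


class Rule:
    """One `<action> in quick from SRC to DST [keep state] group N` line.
    dst=None stands for `any`. Protocol and ports are not modelled (assumption)."""

    def __init__(self, action, src, dst, group):
        self.action, self.src, self.dst, self.group = action, src, dst, group

    def matches(self, src_ip, dst_ip):
        return src_ip in self.src and (self.dst is None or dst_ip in self.dst)

    def render(self):
        dst = "any" if self.dst is None else fmt(self.dst)
        state = " keep state" if self.action == "pass" else ""
        return f"{self.action} in quick from {fmt(self.src)} to {dst}{state} group {self.group}"


def decide(rules, src, dst):
    """First-match evaluation of one group. Every rule is `quick`, so the first
    match decides; if nothing matches, the group head
    `block in log quick on <if> all head N` drops the packet."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return "block"


# The two LAN2 rule sets from the thread that did not work, and the one that did.
LAN2 = LOCAL["fxp1"][1]
ATTEMPT_WAN_ADDRESS = [Rule("pass", LAN2, WAN_ADDRESS, 300)]   # "LAN2 -> WAN address"
ATTEMPT_WAN_SUBNET = [Rule("pass", LAN2, WAN_SUBNET, 300)]     # "LAN2 -> 172.20.16.0/24"
ATTEMPT_ANY = [Rule("pass", LAN2, None, 300)]                  # "LAN2 -> any"

# The opt3 rules exactly as they appear in the posted rule set (group 500).
POSTED_OPT3 = [
    Rule("block", LOCAL["ath0"][1], LOCAL["fxp3"][1], 500),
    Rule("block", LOCAL["ath0"][1], LOCAL["fxp1"][1], 500),
    Rule("pass",  LOCAL["ath0"][1], None, 500),
]


def egress_only(iface):
    """Steve's block-then-pass approach, generated from the interface table:
    block this subnet to every *other* local subnet, then pass to any.
    The pass-to-any line must stay last, because the rules are `quick`."""
    _, net, group = LOCAL[iface]
    rules = [Rule("block", net, other, group)
             for name, (_, other, _) in LOCAL.items() if name != iface]
    rules.append(Rule("pass", net, None, group))
    return rules


def still_reachable(rules, iface):
    """Other local subnets a host on iface can still reach under `rules`.
    Anything listed here is the 'easy to miss one' case: a subnet that was
    never blocked and so falls through to the pass-to-any line."""
    _, net, _ = LOCAL[iface]
    probe = str(net.network_address + 1)
    return sorted(str(other) for name, (_, other, _) in LOCAL.items()
                  if name != iface
                  and decide(rules, probe, str(other.network_address + 1)) == "pass")


if __name__ == "__main__":
    targets = ("192.168.1.200", "172.20.16.207", "172.20.16.1", "172.16.0.4", "192.168.116.5")
    for label, rules in (("WAN address", ATTEMPT_WAN_ADDRESS),
                         ("WAN /24", ATTEMPT_WAN_SUBNET),
                         ("any", ATTEMPT_ANY),
                         ("generated", egress_only("fxp1"))):
        print(f"{label:12}", {t: decide(rules, "192.168.1.10", t) for t in targets})
    print("\n".join(r.render() for r in egress_only("fxp1")))
    print("opt3 as posted still reaches:", still_reachable(POSTED_OPT3, "ath0"))
```

Running it shows why the first two attempts behave as reported: with `to 172.20.16.207` only the firewall's own WAN address is reachable, and with `to 172.20.16.0/24` the WAN gateway answers but 172.16.0.4 (and even 192.168.1.200) is dropped, because the destination is checked against the packet's own destination address, not against the interface it would leave by. The generated set lets LAN2 reach the outside and its own gateway while blocking the other three local subnets, and `still_reachable` reports the opt2 /31 that the hand-written opt3 rules on this page leave open.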