Topic: LAN Access to servers on DMZ?  (Read 5509 times)
« on: August 07, 2010, 03:52:52 »
dangore *
Posts: 7

We have a very basic set-up.  Soekris 5501 with WAN, LAN and DMZ nics.  The WAN IP is static.  The access from the WAN to the server(s) in the DMZ is NAT'ed and appears to be working fine (receiving email and can access www and webmail).  Can get out through the LAN to WAN with no problem also. But I cannot get the systems on the LAN to have access to the servers on the DMZ.  I need the LAN systems to be able to access email and web server in the DMZ.


Can someone clue me in please.

Thank you.

Dan
« Reply #1 on: August 07, 2010, 04:43:01 »
Fred Grayson *****
Posts: 994

See m0n0wall Handbook Section 13.1.5

http://doc.m0n0.ch/handbook-single/#id11642778

--
Google is your friend and Bob's your uncle.
« Reply #2 on: August 08, 2010, 14:54:09 »
dangore *
Posts: 7

Thanks Fred.

What is a little confusing is that section applies specifically to accessing services on the LAN from the DMZ.  This set up seems a little odd to me.  I would think, in a small office, where the email and web server is on the DMZ, people on the LAN would need to access the email and web services on the DMZ.

So I set up rules on the DMZ interface so the source is the LAN net, destination is the specific IP on the DMZ and source and destination ports are the specific ports of the service.  I then put these rules ahead of the "reject" and "permit but"  rules in the examples.

Will this work? 

I think another section in the Handbook with a more practical office set-up would make this clear.

Thanks.

Dan
« Reply #3 on: August 08, 2010, 16:55:54 »
Fred Grayson *****
Posts: 994

My apologies, I misread your question.

I have mail, web, and ssh servers on my DMZ host. I don't have any special rules in place to allow LAN access to these servers. It just works. Unsolicited traffic from the DMZ into the LAN is blocked however.


--
Google is your friend and Bob's your uncle.
« Reply #4 on: August 09, 2010, 12:31:29 »
dangore *
Posts: 7

Fred,

I thought it should just work, but I have tried everything I can think of and I cannot get through.  I even added an override host in the forwarder.

Anybody have more suggestions please!

Thanks.

Dan
« Reply #5 on: August 09, 2010, 14:57:15 »
Fred Grayson *****
Posts: 994

You are using the private IP (or a hostname that resolves to it) for the DMZ host and not the WAN IP when you try to connect to the DMZ host, right?

It would be helpful to see your NATs and Firewall rules.

--
Google is your friend and Bob's your uncle.
« Reply #6 on: August 09, 2010, 16:40:57 »
dangore *
Posts: 7

Yes, I am using the private IP on the DMZ, not the WAN IP.


I do not have access to the system right now.  Hopefully, this evening I can post the NAT and Firewall rules and any other specific details.

Thanks for the help.

Dan
« Reply #7 on: August 09, 2010, 19:34:06 »
dangore *
Posts: 7

The following are my NAT and FW rules.

Thanks.

Dan

NAT

If    Proto   Ext. Port Range   NAT IP         Int. Port Range
WAN   TCP     25 (SMTP)         192.168.10.2   25 (SMTP)
WAN   TCP     80 (HTTP)         192.168.10.2   80 (HTTP)
WAN   TCP     110 (POP3)        192.168.10.2   110 (POP3)
WAN   TCP     143 (IMAP)        192.168.10.2   143 (IMAP)
WAN   TCP     443 (HTTPS)       192.168.10.2   443 (HTTPS)
WAN   TCP     465               192.168.10.2   465
WAN   TCP     993               192.168.10.2   993
WAN   TCP     995               192.168.10.2   99


LAN firewall

Rule   Proto   Source    Port   Destination   Port
Pass   *       LAN net   *      *             *
Pass   TCP     LAN net   *      WAN address   *
Pass   TCP     *         *      dmz net       *


WAN Firewall

Rule    Proto   Source              Port   Destination    Port
Block   *       RFC 1918 networks   *      *              *
Pass    TCP     *                   *      192.168.10.2   25 (SMTP)
Pass    TCP     *                   *      192.168.10.2   110 (POP3)
Pass    TCP     *                   *      192.168.10.2   143 (IMAP)
Pass    TCP     *                   *      192.168.10.2   993
Pass    TCP     *                   *      192.168.10.2   465
Pass    TCP     *                   *      192.168.10.2   995
Pass    TCP     *                   *      192.168.10.2   80 (HTTP)
Pass    TCP     *                   *      192.168.10.2   443 (HTTPS)


DMZ Firewall

Rule    Proto   Source    Port          Destination   Port
Pass    TCP     LAN net   25 (SMTP)     192.168.0.2   25 (SMTP)
Pass    TCP     LAN net   110 (POP3)    192.168.0.2   110 (POP3)
Pass    TCP     LAN net   143 (IMAP)    192.168.0.2   143 (IMAP)
Pass    TCP     LAN net   993           192.168.0.2   993
Pass    TCP     LAN net   465           192.168.0.2   465
Pass    TCP     LAN net   995           192.168.0.2   995
Pass    TCP     LAN net   80 (HTTP)     192.168.0.2   80 (HTTP)
Pass    TCP     LAN net   443 (HTTPS)   192.168.0.2   443 (HTTPS)
Block   *       *         *             LAN net       *
Pass    *       dmz net   *             ! LAN net     *
     
« Reply #8 on: August 09, 2010, 19:59:58 »
Fred Grayson *****
Posts: 994

All of the DMZ Firewall rules except for the last two are not needed, wrong anyway, and should be removed. They are likely the primary source of your problems.

One thing to keep in mind when writing rules: If you specify a source port other than *, in almost all cases this is a mistake and will cause failures.

The last two of the LAN Firewall rules are also not needed and should be removed.

Try that and get back to us.

--
Google is your friend and Bob's your uncle.
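Fred's two points above (a source port other than * is almost always a mistake, and rules that a broader earlier rule already covers are dead weight) as an added example, not code from the thread or from m0n0wall. It assumes a constructed pipe-separated rule layout and m0n0wall's top-down, first-match evaluation; the sample tables are modelled on the ones Dan posted.

```python
# Added example, not from the thread or m0n0wall: a linter for rule tables
# like the ones posted above. It flags the two things Fred called out: a
# source port other than '*', and rules an earlier, broader rule already
# covers (m0n0wall evaluates rules top-down, first match wins).
# Rule lines use a constructed pipe layout: action|proto|src|sport|dst|dport
from dataclasses import dataclass

FIELDS = ("proto", "src", "sport", "dst", "dport")

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str

def parse_rules(text):
    """Parse the pipe layout into Rule objects, skipping malformed lines."""
    parts = (tuple(p.strip() for p in ln.split("|")) for ln in text.strip().splitlines())
    return [Rule(*p) for p in parts if len(p) == 6]

def bad_source_ports(rules):
    """Indices of rules that pin the source port; clients use ephemeral
    source ports, so such rules almost never match real traffic."""
    return [i for i, r in enumerate(rules) if r.sport != "*"]

def _covers(a, b):
    return a == "*" or a == b

def shadowed(rules):
    """(rule, earlier) index pairs where the earlier rule matches every
    packet the later one would, so the later rule is never reached."""
    hits = []
    for i, r in enumerate(rules):
        for j in range(i):
            if all(_covers(getattr(rules[j], f), getattr(r, f)) for f in FIELDS):
                hits.append((i, j))
                break
    return hits

# Constructed samples modelled on the posted LAN and DMZ tables.
LAN = "Pass|*|LAN net|*|*|*\nPass|TCP|LAN net|*|WAN address|*\nPass|TCP|*|*|dmz net|*"
DMZ = ("Pass|TCP|LAN net|25|192.168.0.2|25\nPass|TCP|LAN net|443|192.168.0.2|443\n"
       "Block|*|*|*|LAN net|*\nPass|*|dmz net|*|! LAN net|*")

if __name__ == "__main__":
    for name, text in (("LAN", LAN), ("DMZ", DMZ)):
        print(name, bad_source_ports(parse_rules(text)), shadowed(parse_rules(text)))
```

On the LAN sample the second rule is reported as shadowed by the first (which already passes everything from LAN net), and on the DMZ sample the port-pinned rules are the ones flagged.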
« Reply #9 on: August 09, 2010, 20:12:00 »
dangore *
Posts: 7

Fred,

Thanks for the info.


The DMZ firewall rules I added after I read your first post and as a last resort.  That configuration was not tested.  I will remove them.

Since the LAN Rules are not needed, they could possibly be the problem.  I will remove them and give it a try and report back today/tonight.

Dan

 
« Reply #10 on: August 10, 2010, 02:08:02 »
dangore *
Posts: 7

Fred,

I did as you suggested and still had trouble getting it to work.  I had tried the IP directly earlier and could not get it to work, but I tried it again and this time it worked.  But I still could not get it with the server name despite telling the m0n0wall to bypass the firewall DNS cache.  So I figured it must be in the server DNS.  I fixed that and I restarted the m0n0wall device to ensure the cache was cleared.

All came up and worked.  I have some fine tuning on all systems, but this part of m0n0wall is working fine.

Now I have to start working on VPN.

Thank you for all your help Fred!

Dan
« Reply #11 on: August 10, 2010, 02:19:58 »
Fred Grayson *****
Posts: 994

You're welcome. Enjoy.

--
Google is your friend and Bob's your uncle.