Topic: No internet access: Firewall config issue?  (Read 4880 times)
« on: May 05, 2007, 22:36:11 »
GlobalFear *
Posts: 6

First the basics:
Nokia IP330 running 1.22
T1 via Speakeasy with a Netopia 4622
third interface: Wifi

I've configured the correct static wan ip and am able to ping google.com using the WebGUI.

Here's the last 50 filter entries from status.php:
Code:
May  6 01:27:56 m0n0wall ipmon[92]: 01:27:55.358880 2x fxp1 @0:17 b 66.253.110.98,138 -> 66.253.111.255,138 PR udp len 20 206 IN
May  6 01:27:56 m0n0wall ipmon[92]: 01:27:55.359119 fxp0 @0:12 b 66.253.110.98,138 -> 66.253.111.255,138 PR udp len 20 236 IN
May  6 01:27:56 m0n0wall ipmon[92]: 01:27:55.359134 fxp1 @0:17 b 66.253.110.98,138 -> 66.253.111.255,138 PR udp len 20 236 IN
May  6 01:27:57 m0n0wall ipmon[92]: 01:27:56.942710 fxp1 @0:17 b 207.145.80.171,1033 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:27:57 m0n0wall ipmon[92]: 01:27:57.028303 fxp1 @0:17 b 207.145.80.169,1025 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:28:03 m0n0wall ipmon[92]: 01:28:02.944205 fxp1 @0:17 b 207.145.80.171,1033 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:28:03 m0n0wall ipmon[92]: 01:28:03.029632 fxp1 @0:17 b 207.145.80.169,1025 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:28:08 m0n0wall ipmon[92]: 01:28:07.871885 fxp0 @0:12 b 66.253.110.98,138 -> 66.253.111.255,138 PR udp len 20 229 IN
May  6 01:28:08 m0n0wall ipmon[92]: 01:28:07.871907 fxp1 @0:17 b 66.253.110.98,138 -> 66.253.111.255,138 PR udp len 20 229 IN
May  6 01:28:09 m0n0wall ipmon[92]: 01:28:08.945543 fxp1 @0:17 b 207.145.80.171,1033 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:28:09 m0n0wall ipmon[92]: 01:28:09.025951 fxp1 @0:17 b 207.145.80.169,1025 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:28:55 m0n0wall ipmon[92]: 01:28:55.360948 fxp0 @0:12 b 66.253.110.98,138 -> 66.253.111.255,138 PR udp len 20 236 IN
May  6 01:28:55 m0n0wall ipmon[92]: 01:28:55.360978 fxp1 @0:17 b 66.253.110.98,138 -> 66.253.111.255,138 PR udp len 20 236 IN
May  6 01:29:10 m0n0wall ipmon[92]: 01:29:10.033346 fxp1 @0:17 b 207.145.80.169,1025 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:29:16 m0n0wall ipmon[92]: 01:29:16.029814 fxp1 @0:17 b 207.145.80.169,1025 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:29:22 m0n0wall ipmon[92]: 01:29:22.027200 fxp1 @0:17 b 207.145.80.169,1025 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:29:28 m0n0wall ipmon[92]: 01:29:27.451095 fxp1 @0:15 b 64.233.167.19,443 -> 192.168.1.196,43064 PR tcp len 20 44 -AS IN
May  6 01:29:28 m0n0wall ipmon[92]: 01:29:28.029446 fxp1 @0:17 b 207.145.80.169,1025 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:29:33 m0n0wall ipmon[92]: 01:29:32.970134 fxp1 @0:17 b 207.145.80.171,1033 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:29:40 m0n0wall ipmon[92]: 01:29:39.951833 fxp1 @0:17 b 207.145.80.171,1033 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:29:46 m0n0wall ipmon[92]: 01:29:45.952890 fxp1 @0:17 b 207.145.80.171,1033 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:29:49 m0n0wall ipmon[92]: 01:29:49.360155 fxp1 @0:15 b 72.14.203.93,80 -> 192.168.1.196,43060 PR tcp len 20 44 -AS IN
May  6 01:29:52 m0n0wall ipmon[92]: 01:29:51.949198 fxp1 @0:17 b 207.145.80.171,1033 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:30:05 m0n0wall ipmon[92]: 01:30:04.506450 2x fxp1 @0:17 b 0.0.0.0,68 -> 255.255.255.255,67 PR udp len 20 328 IN
May  6 01:30:07 m0n0wall ipmon[92]: 01:30:07.363013 fxp1 @0:8 b 192.168.1.198,137 -> 192.168.1.255,137 PR udp len 20 96 IN
May  6 01:30:08 m0n0wall ipmon[92]: 01:30:08.112782 fxp1 @0:8 b 192.168.1.198,137 -> 192.168.1.255,137 PR udp len 20 96 IN
May  6 01:30:09 m0n0wall ipmon[92]: 01:30:08.862812 fxp1 @0:8 b 192.168.1.198,137 -> 192.168.1.255,137 PR udp len 20 96 IN
May  6 01:30:10 m0n0wall ipmon[92]: 01:30:09.612833 2x fxp1 @0:8 b 192.168.1.198,137 -> 192.168.1.255,137 PR udp len 20 96 IN
May  6 01:30:11 m0n0wall ipmon[92]: 01:30:11.112873 fxp1 @0:8 b 192.168.1.198,137 -> 192.168.1.255,137 PR udp len 20 96 IN
May  6 01:30:12 m0n0wall ipmon[92]: 01:30:11.862909 fxp1 @0:8 b 192.168.1.198,137 -> 192.168.1.255,137 PR udp len 20 96 IN
May  6 01:30:13 m0n0wall ipmon[92]: 01:30:12.612931 3x fxp1 @0:8 b 192.168.1.198,137 -> 192.168.1.255,137 PR udp len 20 96 IN
May  6 01:30:14 m0n0wall ipmon[92]: 01:30:14.112995 2x fxp1 @0:8 b 192.168.1.198,137 -> 192.168.1.255,137 PR udp len 20 96 IN
May  6 01:30:15 m0n0wall ipmon[92]: 01:30:14.863029 2x fxp1 @0:8 b 192.168.1.198,137 -> 192.168.1.255,137 PR udp len 20 96 IN
May  6 01:30:16 m0n0wall ipmon[92]: 01:30:15.613047 2x fxp1 @0:8 b 192.168.1.198,137 -> 192.168.1.255,137 PR udp len 20 96 IN
May  6 01:30:16 m0n0wall ipmon[92]: 01:30:16.363483 2x fxp1 @0:8 b 192.168.1.198,138 -> 192.168.1.255,138 PR udp len 20 229 IN
May  6 01:30:16 m0n0wall ipmon[92]: 01:30:16.363620 fxp1 @0:8 b 192.168.1.197,138 -> 192.168.1.255,138 PR udp len 20 229 IN
May  6 01:31:51 m0n0wall ipmon[92]: 01:31:50.928518 fxp1 @0:8 b 192.168.1.198,137 -> 192.168.1.255,137 PR udp len 20 78 IN
May  6 01:31:52 m0n0wall ipmon[92]: 01:31:51.678430 2x fxp1 @0:8 b 192.168.1.198,137 -> 192.168.1.255,137 PR udp len 20 78 IN
May  6 01:31:53 m0n0wall ipmon[92]: 01:31:53.046539 fxp1 @0:17 b 71.167.204.152,50941 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:31:54 m0n0wall ipmon[92]: 01:31:54.031125 fxp1 @0:17 b 207.145.80.169,1025 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:32:00 m0n0wall ipmon[92]: 01:32:00.032491 fxp1 @0:17 b 207.145.80.169,1025 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:32:06 m0n0wall ipmon[92]: 01:32:06.028646 fxp1 @0:17 b 207.145.80.169,1025 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:32:27 m0n0wall ipmon[92]: 01:32:27.153692 fxp1 @0:17 b 207.145.80.167,1032 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:32:33 m0n0wall ipmon[92]: 01:32:33.250138 fxp1 @0:17 b 207.145.80.167,1032 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:32:39 m0n0wall ipmon[92]: 01:32:39.246357 fxp1 @0:17 b 207.145.80.167,1032 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:32:45 m0n0wall ipmon[92]: 01:32:45.247643 fxp1 @0:17 b 207.145.80.167,1032 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:32:58 m0n0wall ipmon[92]: 01:32:58.365813 fxp1 @0:15 b 72.14.203.95,80 -> 192.168.1.196,36837 PR tcp len 20 44 -AS IN
May  6 01:32:59 m0n0wall ipmon[92]: 01:32:58.994446 fxp1 @0:17 b 207.145.80.171,1033 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:33:06 m0n0wall ipmon[92]: 01:33:05.965877 fxp1 @0:17 b 207.145.80.171,1033 -> 66.253.110.100,161 PR udp len 20 106 IN
May  6 01:33:07 m0n0wall ipmon[92]: 01:33:07.036572 fxp1 @0:17 b 207.145.80.169,1025 -> 66.253.110.100,161 PR udp len 20 106 IN

I am assuming that these rules are configured on the backend. They are, however, blocking traffic for whatever reason.

Any suggestions?


Thanks
« Reply #1 on: May 06, 2007, 01:18:51 »
cmb *****
Posts: 851

They're blocking traffic you haven't permitted from the looks of it. It's SNMP attempts and Windows broadcasts, the former you likely haven't permitted, the latter will always get blocked by a firewall/router (broadcasts don't cross subnets).
« Reply #2 on: May 06, 2007, 01:30:31 »
clarknova ***
Posts: 148

@0? Aren't the configured interfaces supposed to show up as @100, @200, etc.?

GlobalFear, have you configured both of your interfaces fully?

Maybe you should print here the section https://monowall.local/status.php#unparsed%20ipfilter%20rules

You should also probably obscure your public IP address from this printout and from your original post so as not to compromise your network any more than necessary.

db
« Reply #3 on: May 06, 2007, 22:45:47 »
cmb *****
Posts: 851

@0:17 is usually the "block everything not permitted" rule.

GlobalFear: If you have a problem, describe it. What you're seeing is expected.

« Reply #4 on: May 12, 2007, 01:14:07 »
GlobalFear *
Posts: 6

It's set to allow all traffic in the lan portion of the config. Shouldn't be blocking anything.

Sorry for the lack of response. Work has been rather hectic. I'll grab the requested info tomorrow by 7 am.
CMB, will you be around tomorrow on either AIM or MSN? I would really appreciate your help if possible.
« Reply #5 on: May 12, 2007, 02:58:17 »
cmb *****
Posts: 851

The only thing you showed that it's blocking on the LAN side is broadcasts. Broadcasts don't cross subnets, it'll always block those. Everything else was WAN side traffic you hadn't permitted.

I'm available via IM for paying customers only. Email cbuechler@gmail.com for info. Otherwise I post here and to the list when time permits.
« Reply #6 on: May 12, 2007, 12:31:31 »
GlobalFear *
Posts: 6

Code:
# loopback
pass in quick on lo0 all
pass out quick on lo0 all

# block short packets
block in log quick all with short

# block IP options
block in log quick all with ipopts

# allow access to DHCP server on LAN
pass in quick on fxp0 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on fxp0 proto udp from any port = 68 to 192.168.1.1 port = 67
pass out quick on fxp0 proto udp from 192.168.1.1 port = 67 to any port = 68

# allow access to DHCP server on opt1
pass in quick on fxp2 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on fxp2 proto udp from any port = 68 to 192.168.0.1 port = 67
pass out quick on fxp2 proto udp from 192.168.0.1 port = 67 to any port = 68

# WAN spoof check
block in log quick on fxp1 from 192.168.1.0/24 to any
block in log quick on fxp1 from 192.168.0.0/24 to any

# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
pass out quick on fxp1 proto udp from any port = 68 to any port = 67
block in log quick on fxp1 proto udp from any port = 67 to 192.168.1.0/24 port = 68
pass in quick on fxp1 proto udp from any port = 67 to any port = 68

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
block in log quick on fxp0 from ! 192.168.1.0/24 to any
block in log quick on fxp2 from ! 192.168.0.0/24 to any

# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all

#---------------------------------------------------------------------------
# group head 100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on fxp0 all head 100

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on fxp0 all keep state

#---------------------------------------------------------------------------
# group head 200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on fxp1 all head 200

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on fxp1 all keep state

#---------------------------------------------------------------------------
# group head 300 - opt1 interface
#---------------------------------------------------------------------------
block in log quick on fxp2 all head 300

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on fxp2 all keep state

# make sure the user cannot lock himself out of the webGUI
pass in quick from 192.168.1.0/24 to 192.168.1.1 keep state group 100

# User-defined rules follow
pass in quick from 192.168.0.0/24 to any keep state group 300
pass in quick from any to any keep state group 100
pass in quick from any to any keep state group 200

#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all
block out log quick all
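An added example, not code from the thread or from m0n0wall: a short Python script that numbers the inbound rules the way ipmon reports them and resolves the @0:n indices from the first post's log against the ruleset above. It assumes ipmon's index counts rules per direction within a group (the thread's entries @0:8, @0:12, @0:15 and @0:17 all line up with that count); index_rules and explain are my names, and the two log lines are constructed in the same format with documentation addresses.

```python
import re
# Inbound rules from the unparsed ruleset above (ipmon's @group:n counts rules per direction within a group)
RULES = """\
pass in quick on lo0 all
block in log quick all with short
block in log quick all with ipopts
pass in quick on fxp0 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on fxp0 proto udp from any port = 68 to 192.168.1.1 port = 67
pass in quick on fxp2 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on fxp2 proto udp from any port = 68 to 192.168.0.1 port = 67
block in log quick on fxp1 from 192.168.1.0/24 to any
block in log quick on fxp1 from 192.168.0.0/24 to any
block in log quick on fxp1 proto udp from any port = 67 to 192.168.1.0/24 port = 68
pass in quick on fxp1 proto udp from any port = 67 to any port = 68
block in log quick on fxp0 from ! 192.168.1.0/24 to any
block in log quick on fxp2 from ! 192.168.0.0/24 to any
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all
block in log quick on fxp0 all head 100
block in log quick on fxp1 all head 200
"""
# Constructed ipmon lines in the thread's format, using documentation addresses.
LOGS = [
    "May  6 01:30:07 m0n0wall ipmon[92]: 01:30:07.363013 fxp1 @0:8 b 192.168.1.198,137 -> 192.168.1.255,137 PR udp len 20 96 IN",
    "May  6 01:27:57 m0n0wall ipmon[92]: 01:27:56.942710 fxp1 @0:17 b 203.0.113.71,1033 -> 198.51.100.100,161 PR udp len 20 106 IN",
]
LOG_RE = re.compile(r"(?:\d+x )?(?P<ifn>\w+) @(?P<grp>\d+):(?P<num>\d+) b (?P<src>[\d.]+),\d+ -> (?P<dst>[\d.]+),\d+ PR ")

def index_rules(text):
    # (group, direction, n) -> rule text; a trailing "group N" puts a rule in group N, else group 0
    count, table = {}, {}
    for line in [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]:
        m = re.search(r"\bgroup (\d+)$", line)
        key = (int(m.group(1)) if m else 0, re.search(r"\b(in|out)\b", line).group(1))
        count[key] = count.get(key, 0) + 1
        table[key + (count[key],)] = line
    return table

def explain(log_line, table):
    m = LOG_RE.search(log_line)
    if not m:
        return None
    rule = table.get((int(m["grp"]), "in", int(m["num"])), "<unknown rule>")
    if " head " in rule:
        why = f"no pass rule in the {m['ifn']} interface group matched"
    elif rule.startswith("block") and " from " in rule and "proto" not in rule:
        why = f"anti-spoof check: {m['src']} should never arrive on {m['ifn']}"
    else:
        why = "TCP packet without SYN (no state)" if "proto tcp" in rule else "explicit block"
    return rule, why
```

Run over the two sample lines, @0:8 resolves to the WAN spoof-check rule and @0:17 to the WAN group head, which is the distinction cmb draws between an anti-spoof hit and ordinary unpermitted traffic.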
« Reply #7 on: May 12, 2007, 12:33:07 »
GlobalFear *
Posts: 6

I set up the firewall rules to pass any traffic from any source to any destination. Both as a LAN and a WAN rule.
Can't understand why it is blocking anything.
« Reply #8 on: May 14, 2007, 03:55:07 »
cmb *****
Posts: 851

What specifically are you trying to pass that you can't? There are certain antispoofing rules you may be running into, but only if you have a misconfiguration somewhere.
« Reply #9 on: May 16, 2007, 01:16:11 »
GlobalFear *
Posts: 6

Well, it is blocking all access to the internet from the lan side.
I'd be satisfied just enabling all traffic for now, tailoring it once everything works.
« Reply #10 on: May 16, 2007, 05:22:24 »
cmb *****
Posts: 851

From what I've seen, it's not blocking anything. Maybe you're having some kind of problem that's not allowing you to get to the Internet, but it's not traffic being blocked.

Did you modify the LAN firewall rules?

Can m0n0wall get out to the Internet? Try to ping google.com from the webGUI.

Does DNS on your LAN work?
« Reply #11 on: May 16, 2007, 12:53:20 »
GlobalFear *
Posts: 6

As I said in the original post, I can ping google.com from the WebGUI.
I tried entering IP addresses of sites from a PC connected to the lan with no luck.

I only modified the rules from default because traffic couldn't be passed.
I essentially created rules on the LAN and WAN sides passing any traffic.
« Reply #12 on: May 18, 2007, 00:43:31 »
cmb *****
Posts: 851

How are the IPs of your LAN clients configured? DHCP from m0n0wall, or static? If static, are they on the right subnet, have the right subnet mask, have the right gateway, DNS, etc.?

If you have pass all rules, and m0n0wall itself has no problem getting to the Internet, your LAN clients are misconfigured. Possibly IP, subnet, gateway, or DNS.
 