Topic: Bug in 1.3 with aliases -- was: Enable Remote Desktop behind Monowall  (Read 19757 times)
« on: May 07, 2007, 23:09:04 »
mtosic *
Posts: 9

Sorry for my poor English. I have a small network: an ADSL modem connected to a broadband router, which has IP 192.168.2.1. The WAN IP of Monowall is 192.168.2.2, and the LAN IP is 192.168.1.3. I first have NAT on my broadband router which forwards port 3399 to IP 192.168.2.2:3399 (WAN of monowall).
Then I have a second NAT on Monowall like this (Inbound NAT):
Interface: WAN
External address: Interface address
Protocol: TCP
External port range: from 3399 to 3399
NAT IP: 192.168.1.2 (server to which I want RDC)
Local port: 3389
Description: server Remote Desktop

(3389 is standard port for Remote Desktop)

I click on auto-add firewall rule.

But when I try to connect from outside, the firewall blocks the traffic; this is the log entry:
Act Time If Source Destination Proto
 x 20:07:59.391440 WAN 161.53.74.124, port 2158 192.168.2.2, port 3399 TCP

How to pass this traffic?
« Last Edit: May 12, 2007, 09:53:32 by cmb »
« Reply #1 on: May 08, 2007, 07:14:51 »
cmb *****
Posts: 851

Did you check the "auto add firewall rule" box when adding the NAT rule? If not, delete your NAT rule and re-add it, check that box before clicking save.
« Reply #2 on: May 08, 2007, 14:32:26 »
mtosic *
Posts: 9

Yes, I did check the box. This is how the rule looks:
Proto Source Port Destination Port Description 
   TCP  *  *  gandalf  3389  NAT gandalf RDC   
« Reply #3 on: May 09, 2007, 01:44:52 »
cmb *****
Posts: 851

What is that gandalf alias configured as?
« Reply #4 on: May 09, 2007, 01:49:59 »
mtosic *
Posts: 9

192.168.1.2 (Domain Controller)
« Reply #5 on: May 10, 2007, 01:33:27 »
cmb *****
Posts: 851

Do you have block private networks checked on the WAN page? If so, you have to uncheck it for this type of setup.
« Reply #6 on: May 10, 2007, 22:28:56 »
mtosic *
Posts: 9

Yes, it was unchecked. I'm using monowall 1.3b2, is that a problem?

Here's info from status.php:

ipfstat -nio
@1 pass out quick on lo0 all
@2 pass out quick on rl0 proto udp from 192.168.1.3/32 port = bootps to any port = bootpc
@3 pass out quick on rl1 proto udp from any port = bootpc to any port = bootps
@4 pass out quick on rl0 all keep state
@5 pass out quick on rl1 all keep state
@6 block out log quick all
@1 pass in quick on lo0 all
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopts
@4 pass in quick on rl0 proto udp from any port = bootpc to 255.255.255.255/32 port = bootps
@5 pass in quick on rl0 proto udp from any port = bootpc to 192.168.1.3/32 port = bootps
@6 block in log quick on rl1 from 192.168.1.0/24 to any
@7 block in log quick on rl1 proto udp from any port = bootps to 192.168.1.0/24 port = bootpc
@8 pass in quick on rl1 proto udp from any port = bootps to any port = bootpc
@9 block in log quick on rl0 from !192.168.1.0/24 to any
@10 skip 1 in proto tcp from any to any flags S/FSRA
@11 block in log quick proto tcp from any to any
@12 block in log quick on rl0 all head 100
@1 pass in quick from 192.168.1.0/24 to 192.168.1.3/32 keep state group 100
@2 pass in quick from 192.168.1.0/24 to any keep state group 100
@13 block in log quick on rl1 all head 200
@14 block in log quick all


last 50 filter log entries
May 10 20:25:48 m0n0wall ipmon[95]: 20:25:48.383095 rl1 @0:13 b 161.53.74.124,1969 -> 192.168.2.2,3399 PR tcp len 20 52 -S IN
May 10 20:25:51 m0n0wall ipmon[95]: 20:25:51.287502 rl1 @0:13 b 161.53.74.124,1969 -> 192.168.2.2,3399 PR tcp len 20 52 -S IN
May 10 20:25:57 m0n0wall ipmon[95]: 20:25:57.322940 rl1 @0:13 b 161.53.74.124,1969 -> 192.168.2.2,3399 PR tcp len 20 52 -S IN
 
Rule 13 is blocking my traffic. I'm not an expert; how can I remove it?
« Reply #7 on: May 11, 2007, 03:07:54 »
cmb *****
Posts: 851

There should be more of ipfstat -nio, is that really everything it's showing?

How are the interfaces assigned, rl0 as LAN, rl1 as WAN?
« Reply #8 on: May 11, 2007, 03:24:19 »
mtosic *
Posts: 9

That's all... yes, rl0 LAN, rl1 WAN. Is there a known bug in the beta version? Should I install the stable one?
Here is the whole status.php:

Interfaces

rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   options=8<VLAN_MTU>
   inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
   ether 00:40:f4:ce:9c:27
   media: Ethernet autoselect (100baseTX <full-duplex>)
   status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   options=8<VLAN_MTU>
   inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
   ether 00:40:f4:bb:1a:f0
   media: Ethernet autoselect (100baseTX <full-duplex>)
   status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
   inet 127.0.0.1 netmask 0xff000000

Routing tables

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.2.1        UGS         0   764910    rl1
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.1          link#1             UC          0        0    rl0
192.168.1.2        00:19:5b:0f:6a:42  UHLW        1     1473    rl0   1067
192.168.1.3        00:40:f4:ce:9c:27  UHLW        1        3    lo0
192.168.1.11       00:19:d1:4c:d7:f4  UHLW        1     5089    rl0    902
192.168.2          link#2             UC          0        0    rl1
192.168.2.1        00:13:f7:26:a4:03  UHLW        2     2449    rl1   1094
192.168.2.2        00:40:f4:bb:1a:f0  UHLW        1        3    lo0

ipfw show

ipfw: getsockopt(IP_FW_GET): Protocol not available

ipnat -lv

List of active MAP/Redirect filters:
map rl1 192.168.1.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map rl1 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map rl1 192.168.1.0/24 -> 0.0.0.0/32

List of active sessions:

List of active host mappings:

ipfstat -v

opts 0x40 name /dev/ipl
bad packets:      in 0   out 0
 IPv6 packets:      in 0 out 0
 input packets:      blocked 587 passed 1891799 nomatch 0 counted 0 short 0
output packets:      blocked 0 passed 1900403 nomatch 0 counted 0 short 0
 input packets logged:   blocked 587 passed 0
output packets logged:   blocked 0 passed 0
 packets logged:   input 0 output 0
 log failures:      input 0 output 0
fragment state(in):   kept 0   lost 0   not fragmented 0
fragment state(out):   kept 0   lost 0   not fragmented 0
packet state(in):   kept 26864   lost 0
packet state(out):   kept 22569   lost 0
ICMP replies:   0   TCP RSTs sent:   0
Invalid source(in):   0
Result cache hits(in):   440   (out):   73
IN Pullups succeeded:   11   failed:   0
OUT Pullups succeeded:   6953   failed:   0
Fastroute successes:   0   failures:   0
TCP cksum fails(in):   0   (out):   0
IPF Ticks:   1412202
Packet log flags set: (0)
   none

ipfstat -nio

@1 pass out quick on lo0 all
@2 pass out quick on rl0 proto udp from 192.168.1.3/32 port = bootps to any port = bootpc
@3 pass out quick on rl1 proto udp from any port = bootpc to any port = bootps
@4 pass out quick on rl0 all keep state
@5 pass out quick on rl1 all keep state
@6 block out log quick all
@1 pass in quick on lo0 all
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopts
@4 pass in quick on rl0 proto udp from any port = bootpc to 255.255.255.255/32 port = bootps
@5 pass in quick on rl0 proto udp from any port = bootpc to 192.168.1.3/32 port = bootps
@6 block in log quick on rl1 from 192.168.1.0/24 to any
@7 block in log quick on rl1 proto udp from any port = bootps to 192.168.1.0/24 port = bootpc
@8 pass in quick on rl1 proto udp from any port = bootps to any port = bootpc
@9 block in log quick on rl0 from !192.168.1.0/24 to any
@10 skip 1 in proto tcp from any to any flags S/FSRA
@11 block in log quick proto tcp from any to any
@12 block in log quick on rl0 all head 100
@1 pass in quick from 192.168.1.0/24 to 192.168.1.3/32 keep state group 100
@2 pass in quick from 192.168.1.0/24 to any keep state group 100
@13 block in log quick on rl1 all head 200
@14 block in log quick all

unparsed ipnat rules

map rl1 192.168.1.0/24  -> 0/32 proxy port ftp ftp/tcp
map rl1 192.168.1.0/24  -> 0/32 portmap tcp/udp auto
map rl1 192.168.1.0/24  -> 0/32
rdr rl1 0/0 port 3399 -> 192.168.1.2 port 3389 tcp

unparsed ipfilter rules

# loopback
pass in quick on lo0 all
pass out quick on lo0 all

# block short packets
block in log quick all with short

# block IP options
block in log quick all with ipopts

# allow access to DHCP server on LAN
pass in quick on rl0 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on rl0 proto udp from any port = 68 to 192.168.1.3 port = 67
pass out quick on rl0 proto udp from 192.168.1.3 port = 67 to any port = 68

# WAN spoof check
block in log quick on rl1 from 192.168.1.0/24 to any

# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
pass out quick on rl1 proto udp from any port = 68 to any port = 67
block in log quick on rl1 proto udp from any port = 67 to 192.168.1.0/24 port = 68
pass in quick on rl1 proto udp from any port = 67 to any port = 68

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
block in log quick on rl0 from ! 192.168.1.0/24 to any

# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all

#---------------------------------------------------------------------------
# group head 100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on rl0 all head 100

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on rl0 all keep state

#---------------------------------------------------------------------------
# group head 200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on rl1 all head 200

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on rl1 all keep state

# make sure the user cannot lock himself out of the webGUI
pass in quick from 192.168.1.0/24 to 192.168.1.3 keep state group 100

# User-defined rules follow
pass in quick proto tcp from any to 192.168.1.2 port = 3389 keep state group 200
pass in quick from 192.168.1.0/24 to any keep state group 100
   
#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all
block out log quick all

unparsed ipfw rules

add 50000 set 4 pass all from 192.168.1.3 to any
add 50001 set 4 pass all from any to 192.168.1.3

resolv.conf

domain toga
nameserver 192.168.1.1
nameserver 192.168.1.2
nameserver 195.29.150.3

Processes


« Reply #9 on: May 11, 2007, 03:25:16 »
mtosic *
Posts: 9


dhcpd.conf

option domain-name "toga";
default-lease-time 7200;
max-lease-time 86400;
authoritative;
log-facility local7;
ddns-update-style none;
subnet 192.168.1.0 netmask 255.255.255.0 {
   pool {
      range 192.168.1.30 192.168.1.100;
   }
   option routers 192.168.1.3;
   option domain-name-servers 192.168.1.3;
   option netbios-name-servers 192.168.1.2;
   option netbios-node-type 8;
}
host s_lan_0 {
   hardware ethernet 00:19:D1:4C:D7:F4;
   fixed-address 192.168.1.11;
}
host s_lan_1 {
   hardware ethernet 00:19:5B:0F:6F:C3;
   fixed-address 192.168.1.12;
}

ez-ipupdate.cache

cat: /conf/ez-ipupdate.cache: No such file or directory

df

Filesystem 512-blocks  Used Avail Capacity  Mounted on
/dev/md0        25566 23928  1638    94%    /
devfs               2     2     0   100%    /dev
/dev/ad0a       19662 15956  3706    81%    /cf

racoon.conf

cat: /var/etc/racoon.conf: No such file or directory

SPD

No SPD entries.

SAD

No SAD entries.

last 200 system log entries


last 50 filter log entries

May 10 20:25:48 m0n0wall ipmon[95]: 20:25:48.383095 rl1 @0:13 b 161.53.74.124,1969 -> 192.168.2.2,3399 PR tcp len 20 52 -S IN
May 10 20:25:51 m0n0wall ipmon[95]: 20:25:51.287502 rl1 @0:13 b 161.53.74.124,1969 -> 192.168.2.2,3399 PR tcp len 20 52 -S IN
May 10 20:25:57 m0n0wall ipmon[95]: 20:25:57.322940 rl1 @0:13 b 161.53.74.124,1969 -> 192.168.2.2,3399 PR tcp len 20 52 -S IN

ls /conf

config.xml

ls /var/run

aliases.dirty
dhcpd.pid
dnsmasq.pid
filter.conf.dirty
htpasswd
ipmon.pid
ld-elf.so.hints
log
logpriv
mini_httpd.pid
msntp.pid
nat.conf.dirty
runmsntp.pid
staticmaps.dirty
syslog.pid
sysreboot.reqd
utmp

config.xml

<?xml version="1.0"?>
<m0n0wall>
    <version>1.6</version>
    <lastchange>1178828678</lastchange>
    <system>
        <hostname>m0n0wall</hostname>
        <domain>toga</domain>
        <dnsallowoverride/>
        <username>admin</username>
        <password>xxxxx</password>
        <timezone>Europe/Zagreb</timezone>
        <time-update-interval>300</time-update-interval>
        <timeservers>pool.ntp.org</timeservers>
        <webgui>
            <protocol>https</protocol>
            <port/>
        </webgui>
        <dnsserver>192.168.1.1</dnsserver>
        <dnsserver>192.168.1.2</dnsserver>
        <dnsserver>195.29.150.3</dnsserver>
    </system>
    <interfaces>
        <lan>
            <if>rl0</if>
            <ipaddr>192.168.1.3</ipaddr>
            <subnet>24</subnet>
            <media/>
            <mediaopt/>
        </lan>
        <wan>
            <if>rl1</if>
            <media/>
            <mediaopt/>
            <spoofmac/>
            <ipaddr>192.168.2.2</ipaddr>
            <subnet>24</subnet>
            <gateway>192.168.2.1</gateway>
        </wan>
    </interfaces>
    <staticroutes/>
    <pppoe/>
    <pptp/>
    <bigpond/>
    <dyndns>
        <type>dyndns</type>
        <username/>
        <password/>
        <host/>
        <mx/>
        <server/>
        <port/>
    </dyndns>
    <dnsupdate/>
    <dhcpd>
        <lan>
            <enable/>
            <range>
                <from>192.168.1.30</from>
                <to>192.168.1.100</to>
            </range>
            <defaultleasetime/>
            <maxleasetime/>
            <staticmap>
                <mac>00:19:D1:4C:D7:F4</mac>
                <ipaddr>192.168.1.11</ipaddr>
                <descr>Marijana</descr>
            </staticmap>
            <staticmap>
                <mac>00:19:5B:0F:6F:C3</mac>
                <ipaddr>192.168.1.12</ipaddr>
                <descr>Igor</descr>
            </staticmap>
            <staticmap>
                <mac>00:12:79:c7:01:fd</mac>
                <ipaddr>192.168.1.29</ipaddr>
                <descr>Laptop (Mama)</descr>
            </staticmap>
            <winsserver>192.168.1.2</winsserver>
        </lan>
    </dhcpd>
    <pptpd>
        <mode/>
        <redir/>
        <localip/>
        <remoteip/>
    </pptpd>
    <dnsmasq>
        <enable/>
        <regdhcp/>
    </dnsmasq>
    <snmpd>
        <syslocation/>
        <syscontact/>
        <rocommunity>public</rocommunity>
    </snmpd>
    <diag>
        <ipv6nat>
            <ipaddr/>
        </ipv6nat>
    </diag>
    <bridge/>
    <syslog/>
    <nat>
        <rule>
            <protocol>tcp</protocol>
            <external-port>3399</external-port>
            <target>gandalf</target>
            <local-port>3389</local-port>
            <interface>wan</interface>
            <descr>gandalf RDC</descr>
        </rule>
    </nat>
    <filter>
        <rule>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>gandalf</address>
                <port>3389</port>
            </destination>
            <descr>NAT gandalf RDC</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>lan</interface>
            <source>
                <network>lan</network>
            </source>
            <destination>
                <any/>
            </destination>
            <descr>Default LAN -&gt; any</descr>
        </rule>
    </filter>
    <shaper/>
    <ipsec/>
    <aliases>
        <alias>
            <name>gandalf</name>
            <address>192.168.1.2</address>
            <descr/>
        </alias>
    </aliases>
    <proxyarp/>
    <wol/>
</m0n0wall>
« Reply #10 on: May 11, 2007, 03:38:35 »
cmb *****
Posts: 851

This definitely looks like a bug. Your configuration is fine, but your WAN allow rule for the RDP isn't being added. The traffic is hitting the default rule for traffic not permitted for that reason.

If you downgrade to 1.231 (can use the firmware update page to downgrade and it'll work fine), does it work then? If so, I'll move this to the bug report board and Manuel can take a closer look.
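The check cmb describes above, done mechanically over the status.php output mtosic posted in Reply #8: resolve each ipmon block entry to the rule that produced it, then compare the generated "unparsed ipfilter rules" with what `ipfstat -nio` actually shows per group. This is an added example, not code from the thread or from m0n0wall; it assumes the `@group:rule` numbers in ipmon entries index the inbound or outbound list of `ipfstat -nio`, and the sample data is copied from the thread as constructed input.

```python
"""Cross-check a m0n0wall status.php dump: resolve ipmon block entries to the
loaded ipfilter rule and list generated rules that never reached the kernel."""
import re
from collections import Counter

# `ipfstat -nio` as posted in Reply #8 (constructed input): outbound list, then inbound.
IPFSTAT_NIO = """\
@1 pass out quick on lo0 all
@2 pass out quick on rl0 proto udp from 192.168.1.3/32 port = bootps to any port = bootpc
@3 pass out quick on rl1 proto udp from any port = bootpc to any port = bootps
@4 pass out quick on rl0 all keep state
@5 pass out quick on rl1 all keep state
@6 block out log quick all
@1 pass in quick on lo0 all
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopts
@4 pass in quick on rl0 proto udp from any port = bootpc to 255.255.255.255/32 port = bootps
@5 pass in quick on rl0 proto udp from any port = bootpc to 192.168.1.3/32 port = bootps
@6 block in log quick on rl1 from 192.168.1.0/24 to any
@7 block in log quick on rl1 proto udp from any port = bootps to 192.168.1.0/24 port = bootpc
@8 pass in quick on rl1 proto udp from any port = bootps to any port = bootpc
@9 block in log quick on rl0 from !192.168.1.0/24 to any
@10 skip 1 in proto tcp from any to any flags S/FSRA
@11 block in log quick proto tcp from any to any
@12 block in log quick on rl0 all head 100
@1 pass in quick from 192.168.1.0/24 to 192.168.1.3/32 keep state group 100
@2 pass in quick from 192.168.1.0/24 to any keep state group 100
@13 block in log quick on rl1 all head 200
@14 block in log quick all
"""

# Excerpt of the "unparsed ipfilter rules" section from the same post.
UNPARSED_RULES = """\
block in log quick on rl0 all head 100
block in log quick on rl1 all head 200
# make sure the user cannot lock himself out of the webGUI
pass in quick from 192.168.1.0/24 to 192.168.1.3 keep state group 100
# User-defined rules follow
pass in quick proto tcp from any to 192.168.1.2 port = 3389 keep state group 200
pass in quick from 192.168.1.0/24 to any keep state group 100
"""

# Filter log entries from the same post (ipmon -sD format).
IPMON_LOG = """\
May 10 20:25:48 m0n0wall ipmon[95]: 20:25:48.383095 rl1 @0:13 b 161.53.74.124,1969 -> 192.168.2.2,3399 PR tcp len 20 52 -S IN
May 10 20:25:51 m0n0wall ipmon[95]: 20:25:51.287502 rl1 @0:13 b 161.53.74.124,1969 -> 192.168.2.2,3399 PR tcp len 20 52 -S IN
"""

IPMON_RE = re.compile(r"@(?P<group>\d+):(?P<rule>\d+) (?P<act>[bp]) (?P<src>\S+) -> "
                      r"(?P<dst>\S+) PR (?P<proto>\w+).* (?P<dir>IN|OUT)$")


def parse_ipfstat(text):
    """Index `ipfstat -nio` output as {(direction, group, number): rule_text}.
    Top-level rules live in group 0; rules ending in `group N` belong to N."""
    rules = {}
    for line in text.splitlines():
        m = re.match(r"@(\d+)\s+(.*)", line.strip())
        if not m:
            continue
        num, rest = int(m.group(1)), m.group(2)
        direction = re.match(r"(?:\S+\s+)+?(in|out)\b", rest).group(1)
        gm = re.search(r"\bgroup (\d+)$", rest)
        rules[(direction, int(gm.group(1)) if gm else 0, num)] = rest
    return rules


def explain_log_line(log_line, rules):
    """Map an ipmon entry (`@group:rule b src -> dst ...`) to the loaded rule."""
    m = IPMON_RE.search(log_line)
    if not m:
        return None
    key = (m["dir"].lower(), int(m["group"]), int(m["rule"]))
    return {"action": "block" if m["act"] == "b" else "pass",
            "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "rule": rules.get(key)}


def missing_rules(loaded, unparsed):
    """Count generated rules per group and compare with what ipfstat shows.
    Returns {group: (generated, loaded)} for every group that came up short."""
    expected = Counter()
    for line in unparsed.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            gm = re.search(r"\bgroup (\d+)$", line)
            if gm:
                expected[int(gm.group(1))] += 1
    actual = Counter(group for (_, group, _) in loaded if group)
    return {g: (n, actual[g]) for g, n in expected.items() if actual[g] < n}


if __name__ == "__main__":
    loaded = parse_ipfstat(IPFSTAT_NIO)
    for entry in IPMON_LOG.splitlines():
        print(explain_log_line(entry, loaded))
    print("groups missing rules:", missing_rules(loaded, UNPARSED_RULES))
```

On the thread's data the blocked SYNs resolve to `@0:13`, the WAN group head `block in log quick on rl1 all head 200`, and group 200 is reported as one rule generated, zero loaded.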
« Reply #11 on: May 11, 2007, 20:41:25 »
mtosic *
Posts: 9

OK... I will downgrade to 1.231 today or tomorrow and report then...
« Reply #12 on: May 11, 2007, 23:02:40 »
mtosic *
Posts: 9

It's a bug... I've downgraded to 1.231 and everything is OK now... thanks for the help.
« Reply #13 on: May 12, 2007, 09:54:04 »
cmb *****
Posts: 851

Thanks mtosic!

@Manuel: Looks like a bug in 1.3 with aliases.
« Reply #14 on: May 12, 2007, 22:34:55 »
Manuel Kasper
Administrator
*****
Posts: 364

I tried to reproduce this today with 1.3b2 and the config.xml from the status.php output above - I only changed the interface names for VMware (and reset the password obviously). Worked fine for me - as you can see from the attached status.php output, the RDP rule was indeed added to the ipfilter ruleset shown by ipfstat.

Sorry, but as it is, I can't do anything about it...

* status.html (31.02 KB - downloaded 649 times.)