Firewall/NAT

I am having trouble accessing the a device (192.168.0.100) on the LAN port (192.168.0.X/24) from the "1" net (192.168.1.X/24).  Based on the logs, I am able to reach devices on the LAN net, but I can't get the response back... it is being blocked by the standard rules...

The firewall reports the following...

Jan  2 07:30:12 m0n0wall ipmon[146]: 07:30:11.978815 sis1 @300:3 p 192.168.1.174,37232 -> 192.168.0.100,80 PR tcp len 20 64 -S K-S IN
Jan  2 07:30:12 m0n0wall ipmon[146]: 07:30:11.980842 sis0 @0:40 b 192.168.0.100,80 -> 192.168.1.174,37232 PR tcp len 20 44 -AS IN broadcast

The first packet shows that the request is being sent to the web server, with keep-state.  The response, however, shows it is being blocked by rule 40 (group 0), which is the "block" rule:

# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all

What I don't understand is how a TCP request can be associated with a broadcast...  and I think this is why it is not passing the rule.

Any ideas on WTF is going on here?

I have created tons of rules to permit 192.168.0.100:80 to be passed, but it always fails on "@0:40".
The device with IP 192.168.0.100 is static.

Thanks,
bd

These are two seperate ip networks given they are /24 and one is 192.168.0 and the other is 192.168.1

Is this intentional ?

That's indeed a bit odd; it shouldn't come up as a broadcast (and as you also suspected, I assume that's why ipfilter doesn't match it against the state table entry that should have been created when the first packet passed the filter).

What IP addresses do you use on your m0n0wall's interfaces? Is there anything that's special about your configuration (optional interfaces, static routes etc.)?

I have LAN (sis0 on soekris 4801) set to 192.168.0.0/24, and OPT1 (sis1) set to 192.168.1.0/24. 

The devices on LAN are connected to a netgear switch, but I get the same results when it is connected directly.
I set the LAN interface to permit traffic from anywhere to anywhere on that port, and I also added rules specifically to allow traffic from OPT1 to the entire LAN as well as the specific IP's (.100), for all protocols.  It doesn't seem to matter, of course, since these rules all come after the internal rules in group 0.

I have one strange static route --

LAN    192.168.10.0/24   ->  192.168.1.254

Since there is a subNAT-ed wifi router that needed it's own subnet, and isn't bridged.  I am not using it in this scenario (although it doesn't work from that subnet, either...)


I am thinking I should reboot the router and see if there is something stuck in the hardware... 

Also, does the "broadcast" in the ipmon line mean what I think it does -- that someone along the way thinks this is a broadcast packet?  If so, is this an ethernet broadcast or higher level?

-bd

Has 192.168.0.100 got the right default gateway or route to 192.168.1.0 ?

Last comment put me onto the answer...  bad edit had the IP address of the LAN set to 192.168.0.0/24!  That causes lots of problems...  thanks for all the help, though -- this is a very good forum!

Cheers!

-bd