Topic: 1 to 1 NAT
« on: February 25, 2011, 20:25:28 »
jimmyk
Posts: 6

Hello M0n0wall users,

I have used M0n0wall without issues for a couple of years with one static public routable ip on the WAN interface.

My ISP has now given me 8 static IPs (5 usable).

My problem is that the LAN works fine, as it has always done, but none of the machines in the DMZ now work.

I have followed the handbook to set up 1:1 NAT to each DMZ server and essentially disabled the entire firewall, but the DMZ servers still do not work correctly.

The issue with all my DMZ servers is as follows:

An example of commands that work:

# ping 8.8.8.8
# ping google.com
# dig google.com

An example of commands that do not work:

# yum update
# wget http://mirror.as29550.net/mirror.centos.org/timestamp.txt

My WAN interface is PPPoE (XX.XX.XXX.86/255.255.255.255) - LAN 192.168.24.1/24 - DMZ 192.168.16.1/24. My DMZ servers all have static IPs in the 192.168.16.0/24 range.

My 1:1 NAT rules look similar to the following:

WAN    XX.XX.XXX.85/32    192.168.16.205/32    rproxy
WAN    XX.XX.XXX.84/32    192.168.16.204/32    www
WAN    XX.XX.XXX.83/32    192.168.16.203/32    smtp

Could anyone please offer some advice on what is wrong?
« Reply #1 on: February 25, 2011, 20:39:40 »
Manuel Kasper
Administrator
Posts: 364

Your setup looks reasonable, and the fact that ping and UDP queries work indicates that the routing is set up properly. Can you post your (anonymized) config.xml?
« Reply #2 on: February 25, 2011, 20:48:25 »
jimmyk
Posts: 6

I have been playing with the firewall rules so much that I have probably lost track of my original config, but I will post the XML file and I would be grateful for your advice.

JimmyK
« Reply #3 on: February 25, 2011, 20:56:50 »
jimmyk
Posts: 6

<?xml version="1.0"?>
<m0n0wall>
   <version>1.8</version>
   <lastchange>1298633412</lastchange>
   <system>
      <hostname>firewall</hostname>
      <domain>XXXXXXXXXXXXXXX.co.uk</domain>
      <username>admin</username>
      <password>$1$elaNvQao$wF/.N2fiJ.la3n0b8HfM0/</password>
      <timezone>Etc/Greenwich</timezone>
      <time-update-interval>300</time-update-interval>
      <timeservers>3.m0n0wall.pool.ntp.org</timeservers>
      <webgui>
         <protocol>https</protocol>
         <port/>
      </webgui>
      <dnsserver>212.23.3.100</dnsserver>
      <dnsserver>212.23.6.100</dnsserver>
      <dnsserver>8.8.8.8</dnsserver>
      <dnsallowoverride/>
   </system>
   <interfaces>
      <lan>
         <if>vr0</if>
         <ipaddr>192.168.24.1</ipaddr>
         <subnet>24</subnet>
         <media/>
         <mediaopt/>
      </lan>
      <wan>
         <if>vr1</if>
         <blockpriv/>
         <media/>
         <mediaopt/>
         <spoofmac>00:A0:24:AE:C9:3A</spoofmac>
         <ipaddr>pppoe</ipaddr>
      </wan>
      <opt1>
         <descr>DMZ</descr>
         <if>vr2</if>
         <ipaddr>192.168.16.1</ipaddr>
         <subnet>24</subnet>
         <bridge/>
         <enable/>
      </opt1>
   </interfaces>
   <staticroutes/>
   <pppoe>
      <username>XXXXXXXXXXXX</username>
      <password>XXXXXXXXXX</password>
      <provider/>
      <mtu/>
   </pppoe>
   <pptp/>
   <bigpond/>
   <dyndns>
      <type>dyndns</type>
      <username/>
      <password/>
      <host/>
      <mx/>
      <server/>
      <port/>
   </dyndns>
   <dnsupdate/>
   <dhcpd>
      <lan>
         <range>
            <from>192.168.1.100</from>
            <to>192.168.1.199</to>
         </range>
         <defaultleasetime/>
         <maxleasetime/>
         <next-server/>
         <filename/>
      </lan>
   </dhcpd>
   <pptpd>
      <mode/>
      <nunits>16</nunits>
      <redir/>
      <localip/>
      <remoteip/>
   </pptpd>
   <dnsmasq/>
   <snmpd>
      <syslocation/>
      <syscontact/>
      <rocommunity>public</rocommunity>
      <enable/>
      <bindlan/>
   </snmpd>
   <diag>
      <ipv6nat>
         <ipaddr/>
      </ipv6nat>
   </diag>
   <bridge/>
   <syslog/>
   <nat>
      <rule>
         <protocol>tcp</protocol>
         <external-port>25</external-port>
         <target>192.168.24.254</target>
         <local-port>25</local-port>
         <interface>opt1</interface>
         <descr>DMZ to IMAP mail server</descr>
      </rule>
      <rule>
         <protocol>tcp</protocol>
         <external-port>80</external-port>
         <target>192.168.24.254</target>
         <local-port>80</local-port>
         <interface>opt1</interface>
         <descr>NAT RPROXY TO IMAP</descr>
      </rule>
      <rule>
         <protocol>tcp</protocol>
         <external-port>443</external-port>
         <target>192.168.24.254</target>
         <local-port>443</local-port>
         <interface>opt1</interface>
         <descr>RPROXY TO IMAP https</descr>
      </rule>
      <rule>
         <protocol>tcp</protocol>
         <external-port>8180</external-port>
         <target>192.168.24.254</target>
         <local-port>8180</local-port>
         <interface>opt1</interface>
         <descr>NAT DMZ to 8180 imap server</descr>
      </rule>
      <rule>
         <protocol>tcp</protocol>
         <external-port>8181</external-port>
         <target>192.168.24.254</target>
         <local-port>8181</local-port>
         <interface>opt1</interface>
         <descr>RPROXY TO IMAP 8181</descr>
      </rule>
      <rule>
         <protocol>udp</protocol>
         <external-port>514</external-port>
         <target>192.168.24.254</target>
         <local-port>514</local-port>
         <interface>opt1</interface>
         <descr>RPROXY TO OSSEC PORT 514</descr>
      </rule>
      <rule>
         <protocol>udp</protocol>
         <external-port>1514</external-port>
         <target>192.168.24.254</target>
         <local-port>1514</local-port>
         <interface>opt1</interface>
         <descr>RPROXY TO OSSEC PORT 1514</descr>
      </rule>
      <advancedoutbound>
         <rule>
            <source>
               <network>192.168.16.0/24</network>
            </source>
            <descr>DMZ to WAN</descr>
            <target/>
            <interface>wan</interface>
            <destination>
               <any/>
            </destination>
         </rule>
         <rule>
            <source>
               <network>192.168.24.0/24</network>
            </source>
            <descr>LAN0 to WAN</descr>
            <target/>
            <interface>wan</interface>
            <destination>
               <any/>
            </destination>
         </rule>
         <rule>
            <source>
               <network>192.168.32.0/24</network>
            </source>
            <descr>LAN1 to WAN</descr>
            <target/>
            <interface>wan</interface>
            <destination>
               <any/>
            </destination>
         </rule>
         <rule>
            <source>
               <network>192.168.38.0/24</network>
            </source>
            <descr>LAN2 to WAN</descr>
            <target/>
            <interface>wan</interface>
            <destination>
               <any/>
            </destination>
         </rule>
         <rule>
            <source>
               <network>192.168.40.0/24</network>
            </source>
            <descr>PCI to WAN</descr>
            <target/>
            <interface>wan</interface>
            <destination>
               <any/>
            </destination>
         </rule>
         <rule>
            <source>
               <network>XX.XX.XXX.86/32</network>
            </source>
            <descr>dom0 past WAN inteface outbound</descr>
            <target/>
            <interface>wan</interface>
            <destination>
               <any/>
            </destination>
         </rule>
         <enable/>
      </advancedoutbound>
      <onetoone>
         <external>XX.XX.XXX.86</external>
         <internal>192.168.16.204</internal>
         <subnet>32</subnet>
         <descr>rproxy</descr>
         <interface>wan</interface>
      </onetoone>
   </nat>
   <filter>
      <rule>
         <interface>wan</interface>
         <protocol>tcp</protocol>
         <source>
            <any/>
         </source>
         <destination>
            <address>192.168.16.200</address>
            <port>25</port>
         </destination>
         <descr>NAT NAT allow SMTP to mail server</descr>
         <disabled/>
      </rule>
      <rule>
         <interface>wan</interface>
         <protocol>tcp</protocol>
         <source>
            <any/>
         </source>
         <destination>
            <address>192.168.16.202</address>
            <port>80</port>
         </destination>
         <descr>NAT NAT allow HTTP to web server</descr>
         <disabled/>
      </rule>
      <rule>
         <interface>wan</interface>
         <protocol>tcp</protocol>
         <source>
            <any/>
         </source>
         <destination>
            <address>192.168.16.202</address>
            <port>443</port>
         </destination>
         <descr>NAT NAT allow HTTPS to web server</descr>
         <disabled/>
      </rule>
      <rule>
         <type>pass</type>
         <interface>wan</interface>
         <protocol>tcp</protocol>
         <source>
            <any/>
         </source>
         <destination>
            <address>192.168.16.204</address>
            <port>8180</port>
         </destination>
         <descr>NAT NAT RPROXY TO IMAP</descr>
         <disabled/>
      </rule>
      <rule>
         <type>pass</type>
         <interface>wan</interface>
         <source>
            <address>192.168.16.204</address>
         </source>
         <destination>
            <any/>
         </destination>
         <descr>allow rproxy to any</descr>
      </rule>
      <rule>
         <type>pass</type>
         <interface>wan</interface>
         <source>
            <address>XX.XX.XXX.86</address>
         </source>
         <destination>
            <any/>
         </destination>
         <descr>allow XX.XX.XXX.86 to any</descr>
      </rule>
      <rule>
         <type>pass</type>
         <interface>opt1</interface>
         <protocol>tcp</protocol>
         <source>
            <address>192.168.16.200</address>
         </source>
         <destination>
            <address>192.168.24.254</address>
            <port>25</port>
         </destination>
         <descr>NAT DMZ to IMAP mail server</descr>
         <disabled/>
      </rule>
      <rule>
         <type>pass</type>
         <interface>opt1</interface>
         <protocol>udp</protocol>
         <source>
            <address>192.168.16.204</address>
         </source>
         <destination>
            <address>192.168.24.254</address>
            <port>1514</port>
         </destination>
         <descr>NAT RPROXY TO OSSEC PORT 1514</descr>
         <disabled/>
      </rule>
      <rule>
         <type>pass</type>
         <interface>opt1</interface>
         <protocol>udp</protocol>
         <source>
            <address>192.168.16.200</address>
         </source>
         <destination>
            <address>192.168.24.254</address>
            <port>1514</port>
         </destination>
         <descr>NAT MAIL TO OSSEC PORT 1514</descr>
         <disabled/>
      </rule>
      <rule>
         <type>pass</type>
         <interface>opt1</interface>
         <protocol>tcp</protocol>
         <source>
            <address>192.168.16.204</address>
         </source>
         <destination>
            <address>192.168.24.254</address>
            <port>80</port>
         </destination>
         <descr>NAT DMZ to HTTP imap server</descr>
         <disabled/>
      </rule>
      <rule>
         <type>pass</type>
         <interface>opt1</interface>
         <protocol>tcp</protocol>
         <source>
            <address>192.168.16.204</address>
         </source>
         <destination>
            <address>192.168.24.254</address>
            <port>443</port>
         </destination>
         <descr>NAT RPROXY TO IMAP https</descr>
         <disabled/>
      </rule>
      <rule>
         <type>pass</type>
         <interface>opt1</interface>
         <protocol>tcp</protocol>
         <source>
            <address>192.168.16.204</address>
         </source>
         <destination>
            <address>192.168.24.254</address>
            <port>8180</port>
         </destination>
         <descr>RPROXY TO IMAP</descr>
         <disabled/>
      </rule>
      <rule>
         <type>pass</type>
         <interface>opt1</interface>
         <source>
            <network>opt1</network>
         </source>
         <destination>
            <network>lan</network>
            <not/>
         </destination>
         <descr>permit DMZ to any but LAN</descr>
      </rule>
      <rule>
         <type>pass</type>
         <interface>opt1</interface>
         <source>
            <address>XX.XX.XXX.86</address>
         </source>
         <destination>
            <network>lan</network>
            <not/>
         </destination>
         <descr>allow XX.XX.XXX.86 to any but LAN</descr>
      </rule>
      <rule>
         <type>pass</type>
         <descr>Default LAN -&gt; any</descr>
         <interface>lan</interface>
         <source>
            <network>lan</network>
         </source>
         <destination>
            <any/>
         </destination>
      </rule>
      <rule>
         <type>pass</type>
         <descr>Default IPsec VPN</descr>
         <interface>ipsec</interface>
         <source>
            <any/>
         </source>
         <destination>
            <any/>
         </destination>
      </rule>
      <rule>
         <type>pass</type>
         <interface>opt1</interface>
         <source>
            <address>192.168.16.204</address>
         </source>
         <destination>
            <network>lan</network>
            <not/>
         </destination>
         <descr>allow 192.168.16.204 to any but LAN</descr>
      </rule>
   </filter>
   <shaper/>
   <ipsec/>
   <aliases/>
   <proxyarp/>
   <wol/>
</m0n0wall>
« Reply #4 on: February 25, 2011, 21:33:49 »
Manuel Kasper
Administrator
Posts: 364

Try deleting the XX.XX.XXX.86/32 advanced outbound NAT rule; there should be no need for it. The 1:1 rule that you have is all you need in terms of NAT for that server.
« Reply #5 on: February 25, 2011, 21:49:05 »
jimmyk
Posts: 6

I have deleted this outbound rule and it has not solved the problem. This rule was added in desperation when nothing else seemed to work.

Do I need any Proxy ARP settings? I have tried them but they don't seem to assist, plus I have PPPoE on the WAN.

My WAN interface gets the following IP, XX.XX.XXX.86/32 - do you think this is correct?

The static IPs I have received are as follows:

XX.XX.XXX.80 - XX.XX.XXX.87 subnet mask 255.255.255.248
router XX.XX.XXX.86/29
slash notation XX.XX.XXX.80 / 29
network address XX.XX.XXX.80
broadcast address XX.XX.XXX.87
5 usable IPs

Should the WAN interface receive an XX.XX.XXX.86/29 address, or am I talking nonsense?

JimmyK
« Reply #6 on: February 25, 2011, 22:03:45 »
jimmyk
Posts: 6

The PPPoE IP address and the gateway address are completely different, but I can ping the ISP gateway.

IPv4 address    XX.XX.XXX.86/255.255.255.255
IPv4 gateway    XX.X.XX.17

The version of M0n0wall I am running is 1.32.

Jimmyk
« Reply #7 on: February 25, 2011, 23:09:54 »
Manuel Kasper
Administrator
Posts: 364

No need for proxy ARP since your WAN link is PPP. However, it sounds like this is one of those weird setups where they route a /29 to you via PPP, but assign a WAN IP address via IPCP that falls within that /29.

It should still work, but that 1:1 NAT rule for .86 probably does some harm then. I'd suggest only using .86 for normal outbound NAT (for your LAN) and using 1:1 NAT for your DMZ servers on the other available IP addresses.

Try this: delete your whole NAT setup first. Set up 1:1 NAT for your DMZ servers, using the external IPs .81-.85 (actually, you could most likely use .80 and .87 too since you're not using it as an Ethernet subnet and therefore don't have to reserve the subnet/broadcast address). Try if this works. If it does, proceed with adding inbound NAT rules and perhaps advanced outbound NAT if needed.
« Reply #8 on: February 26, 2011, 17:22:43 »
jimmyk
Posts: 6

I initially started with the .85 IP, but then I changed to testing with the .86 router IP as I knew it was working for my LAN machines.

Anyway, I followed your advice and basically deleted every firewall and NAT rule on every interface and started again from scratch using the 1:1 NAT (based on the .85 IP), the basic advanced outbound NAT rules for my LAN, and the DMZ firewall rule to allow anywhere but the LAN.

I then rebooted the PC Engines machine and tested the DMZ server, which worked as expected straight away following the M0n0wall reboot. I also tested the .80 and .87 IPs, which also worked fine as you suggested they would.

I am not sure what was causing this issue, but I did have a lot of pass firewall rules that were toggled to the disabled state, and my feeling is that removing these rules is what solved the problem (although I am not really sure what the problem was).

As I need to add all the firewall rules again, I think I am going to take the opportunity to use the aliases function.

However, I am unsure about the public IP addresses in relation to the firewall rules. Can I just ignore the public IP addresses and use the aliases/internal IPs? I think I have read somewhere that NAT happens before the firewall rules, so I am assuming that ignoring the public IP address will be OK.

Anyway, thank you for your assistance and for producing M0n0wall. It's one of the best open source projects I have come across - as it is easy to use and once configured it remains operational for months.

JimmyK
« Reply #9 on: February 26, 2011, 17:34:24 »
Manuel Kasper
Administrator
Posts: 364

> I am not sure what was causing this issue, but I did have a lot of pass firewall rules that were toggled to the disabled state, and my feeling is that removing these rules is what solved the problem (although I am not really sure what the problem was).

The 1:1 NAT for .86 was probably conflicting with your (port-based) inbound and outbound NAT, since the latter use the WAN interface's IP address by default (which in your case is .86 too since your ISP assigns it that way).

> However, I am unsure about the public IP addresses in relation to the firewall rules. Can I just ignore the public IP addresses and use the aliases/internal IPs? I think I have read somewhere that NAT happens before the firewall rules, so I am assuming that ignoring the public IP address will be OK.

That's correct; you only need to enter the public IP addresses once in the 1:1 NAT. The firewall rules then always use the internal IP addresses of your DMZ servers.

For inbound packets, NAT happens before filtering, and vice versa for outbound packets, so that the filter will always see the private IP addresses for either direction.

> Anyway, thank you for your assistance and for producing M0n0wall. It's one of the best open source projects I have come across - as it is easy to use and once configured it remains operational for months.

You're welcome - and thanks for the kind words!
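The two points made in this thread (a 1:1 mapping must not reuse the WAN address, and WAN filter rules must name the internal address because inbound NAT runs before filtering) can be checked mechanically. The script below is an added example, not code from the thread or from m0n0wall; it parses the `<onetoone>` and `<filter>` sections of a config.xml in the shape posted above and reports both mistakes. The embedded config is constructed, 203.0.113.x stands in for the masked XX.XX.XXX.x block, and the WAN address is passed in by the caller because a PPPoE WAN has no static address in the file.

```python
# Added example, not from the thread: a small lint for a m0n0wall-style config.xml
# that flags the two NAT/filter mistakes discussed above.
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the posted config.xml. 203.0.113.x stands in
# for the masked XX.XX.XXX.x block; .86 is the PPPoE-assigned WAN address (assumed).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<m0n0wall>
  <nat>
    <onetoone><external>203.0.113.86</external><internal>192.168.16.204</internal>
      <subnet>32</subnet><descr>rproxy</descr><interface>wan</interface></onetoone>
    <onetoone><external>203.0.113.85</external><internal>192.168.16.205</internal>
      <subnet>32</subnet><descr>www</descr><interface>wan</interface></onetoone>
  </nat>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>203.0.113.85</address><port>80</port></destination>
      <descr>HTTP to www via public IP</descr></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>192.168.16.205</address><port>80</port></destination>
      <descr>HTTP to www via internal IP</descr></rule>
  </filter>
</m0n0wall>
"""


def lint_config(xml_text, wan_ip):
    """Return a list of findings for 1:1 NAT entries and WAN filter rules.

    1. A 1:1 mapping whose external address equals the WAN interface address
       collides with ordinary inbound/outbound NAT, which also uses that address.
    2. Inbound NAT runs before filtering, so a WAN pass rule whose destination is
       a public 1:1 address can never match; the filter only sees the internal IP.
    """
    root = ET.fromstring(xml_text)
    findings = []
    externals = {}  # public 1:1 address -> internal address
    for one in root.findall("./nat/onetoone"):
        ext = one.findtext("external")
        externals[ext] = one.findtext("internal")
        if ext == wan_ip:
            findings.append(f"1:1 NAT '{one.findtext('descr')}' uses the WAN address {ext}; "
                            "move it to another address in the routed block")
    for rule in root.findall("./filter/rule"):
        if rule.findtext("interface") != "wan":
            continue
        dst = rule.findtext("destination/address")
        if dst in externals:
            findings.append(f"WAN rule '{rule.findtext('descr')}' matches on public {dst}; "
                            f"use the internal address {externals[dst]} instead")
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG, "203.0.113.86"):
        print(finding)
```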