Topic: Trying to get a virtual multi-site network running  (Read 2907 times)
« on: August 18, 2011, 20:54:45 »
hobodom *
Posts: 7

Please see the attached file for a visual representation of what I am trying to do.

I promise I would try to figure this out through reading and self-teaching, but it's been two weeks of trying to get this to work. I am just trying to get a virtual multi-site network running so I can test AD, DNS, and primarily SCCM multi-site communication across a virtual WAN via dummycloud. I am hoping somebody has an easy explanation for the way I need to open communication between my subnets. Here's how I want the communication to work (for purposes of network throttling between subnets).


192.168.5.0/24 (LAN) on monowall routes to 192.168.3.200 (WAN) on monowall to 192.168.3.100 (LAN) on DummyCloud to 192.168.2.100 (LAN) on DummyCloud to 192.168.2.100 (WAN) on Monowall to 192.168.4.0/24 (LAN) on Monowall. I want the same communication to travel back the other direction.

To come as close to a real network as possible I would like to open the typical ports for AD, DNS, SCCM, Exchange and can look up the ports for that. I just don't know how to go about allowing that type of communication. I also need validation that this is actually possible. I might be overly ambitious and if so that's fine, but somebody needs to tell me that.

If anybody can give me some example static route entries and then some assistance w/ the firewall rule entries or perhaps inbound NAT works for this?

Here's an example of things I've tried to allow traffic on Tulsa, but so far I can't even ping it from the DummyCloud to the WAN interface (192.168.3.200).

Proto    Source          Port  Destination  Port       Description
TCP/UDP  *               *     192.168.5.0  1 - 65535  NAT
TCP/UDP  192.168.3.0/24  *     WAN address  *

With regard to routing...

I'm not seeing routing tables anywhere; I can look harder, but let me know if they aren't available. I'm assuming m0n0wall knows how to route from the WAN to LAN. If that's not correct please let me know.
* Simulation v0.1.jpg (65.46 KB, 976x375)
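As an added illustration of the hop-by-hop path described in this post (example code, not the poster's configuration or anything from m0n0wall), here is a small Python model of the three routers doing longest-prefix-match forwarding over static routes. The m0n0wall LAN gateway addresses (.1) and Springfield's WAN address (192.168.2.200) are assumptions, since the post does not give them; tracing the return path with one static route left out shows why traffic can arrive one way and never come back.

```python
import copy
import ipaddress
# Constructed topology modelled on the first post (example data, not the poster's config).
# Assumed: the m0n0wall LAN addresses (.1) and Springfield's WAN 192.168.2.200 (the post
# gives 192.168.2.100 for both it and the DummyCloud LAN). Routes: prefix -> next hop.
ROUTERS = {
    "Tulsa m0n0wall": {
        "ifaces": ["192.168.5.1/24", "192.168.3.200/24"],
        "routes": {"192.168.4.0/24": "192.168.3.100"},
    },
    "DummyCloud": {
        "ifaces": ["192.168.3.100/24", "192.168.2.100/24"],
        "routes": {"192.168.5.0/24": "192.168.3.200", "192.168.4.0/24": "192.168.2.200"},
    },
    "Springfield m0n0wall": {
        "ifaces": ["192.168.2.200/24", "192.168.4.1/24"],
        "routes": {"192.168.5.0/24": "192.168.2.100"},
    },
}

def _ifaces(router):
    return [ipaddress.ip_interface(i) for i in router["ifaces"]]

def _router_for(ip, routers, on_link):
    """Router owning `ip` exactly, or (on_link=True) having it in a connected subnet."""
    for name, r in routers.items():
        if any((ip in i.network) if on_link else (ip == i.ip) for i in _ifaces(r)):
            return name
    return None

def trace(src, dst, routers=ROUTERS, max_hops=8):
    """Routers a packet src->dst crosses, or None if some hop has no route (firewall rules not modelled)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    here, path = _router_for(src, routers, on_link=True), []
    while here is not None and len(path) < max_hops:
        path.append(here)
        if any(dst in i.network for i in _ifaces(routers[here])):
            return path                                  # delivered on-link
        matches = [(ipaddress.ip_network(p), nh) for p, nh in routers[here]["routes"].items()
                   if dst in ipaddress.ip_network(p)]
        if not matches:
            return None                                  # no route: dropped at this hop
        _, nh = max(matches, key=lambda m: m[0].prefixlen)  # longest prefix wins
        here = _router_for(ipaddress.ip_address(nh), routers, on_link=False)
    return None

def without_return_route(routers=ROUTERS):
    """The same lab with Springfield's static route back to Tulsa left out."""
    r = copy.deepcopy(routers)
    r["Springfield m0n0wall"]["routes"] = {}
    return r
```

With the return route missing, `trace("192.168.5.10", "192.168.4.10", without_return_route())` still reaches Springfield, but the reverse trace returns None: the echo request arrives and the reply has nowhere to go.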
« Reply #1 on: August 18, 2011, 22:34:56 »
iridris ***
Posts: 145

Since you're using all private IPs for the WAN interfaces, have you unchecked the box on the WAN page to block private addresses? If this is still checked, you won't pass any traffic through the WAN interface no matter what rules you set up.
« Reply #2 on: August 18, 2011, 23:27:48 »
hobodom *
Posts: 7

> Since you're using all private IPs for the WAN interfaces, have you unchecked the box on the WAN page to block private addresses? If this is still checked, you won't pass any traffic through the WAN interface no matter what rules you set up.

That checkbox is unchecked on both m0n0walls.
« Reply #3 on: August 19, 2011, 19:17:24 »
hobodom *
Posts: 7

To add some context to why I want the m0n0wall...

With the dummycloud used by itself I was getting DHCP leakage onto the computers connected to different interfaces. VMnet 1, 2, 3 are all bridged in the network configuration manager of VMware. They're physically connected NICs to a flat switch.

To try to simplify what I need, I want communication between the two sites without the DHCP leakage. I am guessing it's simple, but I'm more of a systems guy than network. I originally tried Microsoft RRAS w/ NAT & RIP. With NAT disabled both sites could talk to each other but couldn't access the internet. NAT enabled provided internet but cut communication between sites. I didn't see an easy way to allow communication from different subnets and it looked like m0n0wall's inbound NAT rules might be perfect. Am I wrong? I realize m0n0wall isn't meant to handle a lot of routing, but I only have two internal subnets trying to talk to each other over the dummycloud so I'm assuming static routes are sufficient.
« Reply #4 on: August 19, 2011, 20:12:38 »
hobodom *
Posts: 7

If I use 1 Monowall with 3 interfaces could I avoid the DHCP leakage and communicate between datacenters without firewall / NAT blocking communication?

1. 192.168.1.200 (WAN) - 192.168.1.100 (Gateway)
2. 192.168.2.200 (VMnet2) - VLAN1 - Springfield Datacenter uses 192.168.3.200 for gateway
3. 192.168.3.200 (VMnet3) - VLAN2 - Tulsa Datacenter uses 192.168.2.200 for gateway

With this I think I could eliminate the 192.168.4.0/24 and 192.168.5.0/24 subnets. My only concern is how to keep DHCP from being passed from one interface to the other.
« Last Edit: August 19, 2011, 20:16:17 by hobodom »
« Reply #5 on: August 19, 2011, 22:50:12 »
hobodom *
Posts: 7

I'm testing the traffic shaper coupled w/ one m0n0wall & 2 VLANs for each "site", and it looks like I can eliminate the dummycloud.

I'll post the finished product but so far I probably don't need any assistance. Sorry for thinking aloud here. Hopefully somebody can use what I did.
« Reply #6 on: August 19, 2011, 23:06:14 »
hobodom *
Posts: 7

I only have one question now...

With the rules below, will DHCP from my Windows Servers leak from LAN to OPT1 and vice versa? If so, I am guessing the easiest way to avoid it will be through using DHCP on the m0n0wall instead?

LAN

Proto  Source    Port  Destination  Port  Description
*      LAN net   *     *            *     Default LAN -> any
*      OPT1 net  *     LAN net      *     Default LAN -> any
and

OPT1

Proto  Source    Port  Destination  Port  Description
*      LAN net   *     OPT1 net     *
*      OPT1 net  *     *            *
« Reply #7 on: August 20, 2011, 01:40:05 »
hobodom *
Posts: 7

Here's what I've come up with. So far so good but I haven't tested the DHCP stuff yet.


* Simulation v3.jpg (59.65 KB, 983x459)