Topic: Last hop in the traceroute appears twice  (Read 2804 times)
« on: August 30, 2011, 13:59:18 »
ufreier *
Posts: 4

Hi there,

I am seeing strange behaviour from the m0n0wall; maybe you have an idea about it. Let me briefly explain my configuration:

WAN: 212.xxx.121.66

The subnet 212.xxx.121.56/29 is routed to 212.xxx.121.66 via a Cisco before the m0n0wall, so proxy ARP is not needed and not activated. With this subnet I make NAT 1:1 into the DMZ, so that

212.xxx.121.57 -> 172.16.3.2
212.xxx.121.58 -> 172.16.3.3

Traceroute and ping are allowed through the DMZ by firewall rules.

If I now traceroute the WAN address 212.xxx.121.66, all is okay:

[...]
 3     3 ms     4 ms     4 ms  62.xxx.129.218
 4     4 ms     5 ms     5 ms  212.xxx.224.158
 5     4 ms     5 ms     2 ms  212.xxx.17.6
 6     4 ms     4 ms     4 ms  212.xxx.121.66

But if I traceroute 212.xxx.121.57 or 212.xxx.121.58, the destination hop appears twice:

[...]
  3    92 ms     9 ms    3 ms  62.xxx.129.218
  4     6 ms     3 ms     4 ms  212.xxx.224.158
  5     8 ms     5 ms     5 ms  212.xxx.17.6
  6    13 ms    10 ms   9 ms  212.xxx.121.57
  7     6 ms     6 ms     4 ms  212.xxx.121.57

Do you have any ideas? I couldn't find any other problems resulting from this, so it might indeed look like a purely cosmetic issue, but it is strange nonetheless.

Best wishes, Uwe
« Reply #1 on: September 12, 2011, 00:16:08 »
wellhiddenmark *
Posts: 1

Hi Uwe,

I too have this problem, and like you say it is 'cosmetic', but also wrong, in my opinion. It is a lie, and I don't understand why this happens; it is as though the m0n0wall does not want to identify itself as a gateway, but that is masquerading, not security.

I will add that this is a problem only with IPv4, the behaviour is correct with IPv6.

My setup is as follows:

I make a PPPoE connection to my ISP via a modem in bridge mode. My ISP provides me with a WAN address nn.nnn.166.61 and also a routed subnet nn.nnn.140.48/28 under IPv4 and native IPv6 /48. I can create my own /64 subnets via their web portal that I then route to me.

I have about 25 devices on my LAN, but only a handful of them need an internet-facing address from the subnet, so for those I use 1:1 NAT with a 10.0.0.0/26 subnet and map the devices that require a public IP address at the start of the range, e.g. 10.0.0.1 -> nn.nnn.140.49, 10.0.0.2 -> nn.nnn.140.50 and so on, with corresponding firewall rules. I also allow ICMP to all devices.

The other devices are just assigned an IPv4 address from the /26 subnet, and their internet-facing address is the nn.nnn.166.61 WAN IP.

As for IPv6, I give the m0n0wall a 2001.xxxx.xxxx.b7c::1 address, use manual addresses on servers, and use RA-assigned addresses from the /64 for the other devices that can use IPv6.

On my ISP's web portal, I then use A + reverse and AAAA + reverse DNS entries to provide lookups for hosts in my domain that use public IPs within the /28 subnet and fixed IPv6 addresses.

This all works perfectly *apart* from the traceroutes to IPv4 hosts, which show that double entry.

e.g. traceroute host.domain

[...]
10  b.gormless.thn.aaisp.net.uk (90.155.53.12)  30.645 ms  27.815 ms  29.413 ms
11  host.domain (nn.nnn.140.53)  40.003 ms  42.592 ms  44.271 ms
12  host.domain (nn.nnn.140.53)  42.279 ms  46.785 ms  39.200 ms

Now using IPv6:

traceroute6 host.domain

[...]
 5  b.gormless.thn.aaisp.net.uk  30.097 ms  30.559 ms  30.850 ms
 6  6gw.domain  59.562 ms  45.813 ms  43.497 ms
 7  host.domain  54.740 ms  43.597 ms  43.490 ms

You can see that hop 6 is the m0n0wall, where I have assigned the AAAA + record to its IPv6 LAN address.

Under IPv4, however, you can see that hop 11 is actually the m0n0wall and hop 12 is the host.

I wish I knew how to solve this problem. Assigning a public IP from the /28 subnet to the m0n0wall LAN address has no effect on this problem.

Any ideas?
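Both posts show the same symptom in two traceroute dialects (Windows tracert in the first, Unix traceroute/traceroute6 in the second): the 1:1 NAT destination appears on two consecutive hops, and the second poster identifies the first of the pair as the m0n0wall itself. As an added example, not code from either poster or from m0n0wall, the Python below parses both output formats into hops and flags consecutive hops that report the same address, which is a quick way to audit your own traces for this artifact. The sample traces are constructed with documentation-range addresses (the posts mask theirs), and the hostnames in them are invented.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample output (not from the forum posts). Addresses are from the
# RFC 5737 documentation ranges; hostnames are placeholders.
SAMPLE_TRACERT = """\
Tracing route to 203.0.113.57 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     *        *        *     Request timed out.
  3     3 ms     4 ms     4 ms  198.51.100.218
  4     4 ms     5 ms     5 ms  198.51.100.158
  5     8 ms     5 ms     5 ms  192.0.2.6
  6    13 ms    10 ms     9 ms  203.0.113.57
  7     6 ms     6 ms     4 ms  203.0.113.57

Trace complete.
"""

SAMPLE_TRACEROUTE = """\
traceroute to host.example (203.0.113.53), 30 hops max, 60 byte packets
 9  * * *
10  gw.isp.example (198.51.100.12)  30.645 ms  27.815 ms  29.413 ms
11  host.example (203.0.113.53)  40.003 ms  42.592 ms  44.271 ms
12  host.example (203.0.113.53)  42.279 ms  46.785 ms  39.200 ms
"""


@dataclass
class Hop:
    number: int
    address: Optional[str]  # None when every probe timed out
    rtts_ms: List[float]


# A hop line starts with the hop number; header/footer lines start with text.
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")
# "13 ms", "<1 ms", "40.003 ms"
RTT = re.compile(r"<?(\d+(?:\.\d+)?)\s*ms\b")
# Unix puts the address in parentheses, Windows (with name resolution) in brackets.
BRACKETED = re.compile(r"[\(\[]([^\)\]]+)[\)\]]")


def parse_hop(line: str) -> Optional[Hop]:
    """Parse one traceroute/tracert line; return None for non-hop lines."""
    m = HOP_LINE.match(line)
    if not m:
        return None
    number, rest = int(m.group(1)), m.group(2)
    rtts = [float(x) for x in RTT.findall(rest)]
    if not rtts:
        # "* * *" (Unix) or "*  *  *  Request timed out." (Windows)
        return Hop(number, None, [])
    addr_m = BRACKETED.search(rest)
    if addr_m:
        address = addr_m.group(1)
    else:
        # Whatever is left after removing RTTs and lost probes is the
        # address (Windows, or Unix with -n) or the bare hostname (traceroute6).
        tokens = RTT.sub("", rest).replace("*", "").split()
        address = tokens[0] if tokens else None
    return Hop(number, address, rtts)


def parse_traceroute(text: str) -> List[Hop]:
    """Parse a whole traceroute/tracert transcript into hops."""
    return [h for h in (parse_hop(l) for l in text.splitlines()) if h]


def find_repeated_hops(hops: List[Hop]) -> List[Tuple[int, int, str]]:
    """Return (first_hop, second_hop, address) for consecutive hops that
    report the same address, i.e. the double-entry symptom in the thread."""
    repeats = []
    for a, b in zip(hops, hops[1:]):
        if a.address is not None and a.address == b.address:
            repeats.append((a.number, b.number, a.address))
    return repeats


if __name__ == "__main__":
    for name, text in (("tracert", SAMPLE_TRACERT), ("traceroute", SAMPLE_TRACEROUTE)):
        hops = parse_traceroute(text)
        for first, second, addr in find_repeated_hops(hops):
            print(f"{name}: hops {first} and {second} both report {addr}")
```

When run on the two samples it reports hops 6/7 and hops 11/12 as repeats, mirroring the traces in the posts. Note that in Uwe's original trace the first of the two entries has higher RTTs than the second; a true extra router would not normally be slower than the host behind it, which supports reading the first entry as the firewall answering under the translated address rather than as a routing loop.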