News: This forum is now permanently frozen.
linktree m0n0wall Forum  >  m0n0wall Support (English)  >  Firewall/NAT
linktree Topic: Mapping multiple WAN IPs to dedicated LAN IPs
Pages: [1]
Topic: Mapping multiple WAN IPs to dedicated LAN IPs  (Read 2183 times)
« on: August 31, 2011, 01:23:41 »
swalker *
Posts: 3
As a M0n0wall newbie, I am having difficulty accessing (or even pinging) a newly activated VM in a working M0n0wall installation.

Our ISP provides us with three static WAN IP addresses xxx.xxx.xxx.18, xxx.xxx.xxx.19 & xxx.xxx.xxx.20.  The first (xxx.xxx.xxx.18/29) is configured as the Static M0n0wall WAN IP address with xxx.xxx.xxx.17 configured as the gateway.  Our VM Exchange 2010 mail server has been operating properly behind the firewall for a year with the MX record pointing to the xxx.xxx.xxx.18 address with Firewall Rules in place directing activity for ports 25, 110, 443, 6001-6004, 3389 & 80 to the private LAN address of the mail server.

We are now activating the VM web server and it is running & serving pages when accessed from within the LAN.  Since the mail server uses port 80 for OWA and we have two spare WAN addresses, the plan is to direct web traffic to xxx.xxx.xxx.19.

I have added a NAT 1:1 entry for the xxx.xxx.xxx.19 external address, associating it with the yy.yy.yy.12 private LAN address of the web server and checked the box to auto-add a proxy ARP entry to this interface.  I have also added the following Firewall Rules:

Proto       Source               Port            Destination      Port            Description
TCP          xxx.xxx.xxx.19  80 (HTTP)    yy.yy.yy.12      80 (HTTP)    WWW to WEB
ICMP        *                       *                 WAN address  *                  Enable Ping

I can nether ping nor access this web server from outside the LAN.  What am I overlooking?

Thanks,
Steve
« Reply #1 on: August 31, 2011, 02:10:04 »
Fred Grayson *****
Posts: 994
99.99% of the times when a firewall rule specifies a TCP Source Port it's a mistake and will not work as desired.

Change the Source Port to 'any' and see what happens.
--
Google is your friend and Bob's your uncle.
« Reply #2 on: August 31, 2011, 02:16:59 »
swalker *
Posts: 3
Fred:

Thanks for the info.   I changed the Firewall Rules as you suggested, removing the port restrictions) and I still not successfully ping the xxx.xxx.xxx.19 address.

Proto       Source               Port            Destination      Port            Description
TCP          xxx.xxx.xxx.19  *                 yy.yy.yy.12      80 (HTTP)    WWW to WEB
ICMP        *                       *                 WAN address  *                  Enable Ping
« Reply #3 on: August 31, 2011, 02:24:25 »
Fred Grayson *****
Posts: 994
Did the change enable access to web server?
--
Google is your friend and Bob's your uncle.
« Reply #4 on: August 31, 2011, 02:26:34 »
swalker *
Posts: 3
Unfortunately, no.
 
Pages: [1]
 
 
Powered by SMF 1.1.20 | SMF © 2013, Simple Machines