Firewall/NAT

I know there are several topics on this already, and I tried everything that was mentioned in them, but somehow I cannot get traffic working between LAN and OPT1 and OPT2.

I have 192.168.1.0/16 on LAN, and 192.168.2.0/16 on OPT1, and 192.168.3.0/16 op OPT2.
Gateway for each port subnet is 192.168.x.1/16
For the moment I am just trying to reach my NAS which I put on OPT1. It's IP address is 192.168.2.10/16.

I copied the default rule from LAN to OPT1 and OPT2, substituting "LAN net" with "OPT1 net", etc.
Next I added a LAN rule allowing OPT1 to any on any port, and did similar for the OPT1 rule.

Seems to me this should be enough? But I can not ping nor reach the NAS on it's management page/port.
I hooked up my laptop directly to the NAS for changing the IP address so I know it works with 192.168.2.10.

Things I've tried so far is to change "LAN/OPT1 net" to Network and specify the subnet. 192.168.1.0/16 and 192.168.2.0/16, but that didn't work either.

I am running m0n0wall 1.8.0b478 on a Soekris net6501-30, so perhaps I should have posted this in the Beta part of the forums, but I just hope someone give me a direction of where I made a mistake.

192.168.1.0/16, 192.168.2.0/16, and 192.168.3.0/16 are all the same network, and you can't have multiple interfaces in the same machine defining the same network. It's an ambiguous configuration.

Change the netmasks to /24 and that ambiguity problem goes away.

I'd delete the rules you created and start over. It's probably less error prone than trying to fix them, but that's just my opinion.

Ah, now I understand. That worked. I can get to the NAS on the management page, and connect to a machine on it's website in OPT3.

Network browsing does not show the NAS or computer in OPT3, but I got a feeling I need to NAT for that first.

Depending on what you mean by "network browsing" it may just be a matter of having the correct and specific rules in place. However, IIRC, if the "browsing" uses network broadcasts to work, it probably won't work and can't be made to work.

Routers generally don't pass network broadcasts. Bridging interfaces might work, but then you don't need a router with separate network segments to do that, a less expensive switch would be as good.

N.B.:

By "browsing" I mean having computers showing up in "view workgroup computers" in Samba/CIFS environments. The shares themselves can still be reached by using the known IP address.

Yeah, figured that out too now. I can connect to the AFP shares (running Macs here with NAS that only has AFP enabled, not Samba).
I meant having computer showing up as you described as well.

Since I use Time Capsule on the NAS as well, I need the browsing working.
Not having separate networks isn't a big deal to me (home usage) but would have been nice if it worked. Guess I will try bridging again. Did that yesterday, but connections kept being dropped.
Will see what happens this time around.

One of the cool things about being able to browse for me, is that I have screen share enabled on a Mac Mini, and can select it from Finder (the explorer, whatever you want to call it).

I will make a backup just in case, since things are working atm :-)

Bridging doesn't seem to work, unless I messes up again...
I bridged both OPT1 and OPT2 to LAN, but no change at all.
Browsing still isn't working. Can still connect the hard way though.

When you bridged OPT1 and OPT2 to LAN did you also change the IP addresses of the machines plugged into OPT1 and OPT2 to be in the same network as LAN?

I was wondering about that, but I didn't since the OPT1 and OPT2 still had their IP addresses.
What I was expecting to see was that the IP address line would be blocked out from usage, after bridging.

So glad I'm not a network admin for a job :-)

That did it! I can see Boulderdash now (Boulderdash is a very old game on the 8bit Atari, and after which I named my NAS).

Glad you have it sorted out.

Only takes a day or so :-)

What I was expecting to see was that the IP address line would be blocked out from usage, after bridging.

That's odd, perhaps even a cosmetic bug since bridged interfaces are unnumbered. Might be an artifact only of the previous configuration.

I'll be that if you deleted the bridged interfaces, rebooted the unit, and added them back in again as bridged to LAN, you could not assign an IP address to them.

I will try that later and post back here.