Topic: Setup DMZ into client's intranet network
« on: September 05, 2012, 05:29:00 »
feicipet *
Posts: 9

Hi,

My team and I are sitting in a client's office. We're trying to set up our m0n0 so that it works like the following:

Interfaces:

  • rl0 - WAN - Uplink to 3G modem for our internet access. Set to DHCP as the modem itself is a router with DHCP running.
  • rl1 - LAN - Our network. Interface set to 192.168.1.1 and DHCP is enabled on this interface.
  • rl2 - OPT1/DMZ - Link to client's intranet network. No DHCP services are enabled on the client's network; we have set our IP address to 10.198.250.151, and I also manually added a <spoofmac> tag because the client's switch will only accept packets from a specific IP and MAC address combination. By design, I want to be able to route packets to all class A private network addresses through rl2.

Interface config looks like this:

   <interfaces>
      <lan>
         <if>rl1</if>
         <ipaddr>192.168.1.1</ipaddr>
         <subnet>24</subnet>
         <media/>
         <mediaopt/>
      </lan>
      <wan>
         <if>rl0</if>
         <media/>
         <mediaopt/>
         <spoofmac/>
         <ipaddr>dhcp</ipaddr>
         <dhcphostname/>
      </wan>
      <opt1>
         <if>rl2</if>
         <descr>DMZ</descr>
         <ipaddr>10.198.250.151</ipaddr>
         <spoofmac>00:1E:EC:72:ED:92</spoofmac>
         <subnet>16</subnet>
         <bridge/>
         <enable/>
      </opt1>
   </interfaces>

The static route looks like this:

   <staticroutes>
      <route>
         <interface>lan</interface>
         <network>10.0.0.0/8</network>
         <gateway>10.198.250.151</gateway>
         <descr>Route to client network</descr>
      </route>
   </staticroutes>


My problems right now:

  • I added a static route for 10.0.0.0/8 on LAN to route to 10.198.250.151, but nothing is being routed to the client network interface. Am I missing anything here?
  • After I'm done with this, I will need to add one more feature: I need to enable the VPN server and have it listening on the DMZ. The reason is that somewhere on another floor we have another team with a router. We want to establish a VPN between our two routers so that they can use our 3G line out. Is this possible?

Thanks for any answers!
Wong
« Reply #1 on: September 05, 2012, 08:38:47 »
feicipet *
Posts: 9

OK, after I added a couple of NAT rules to the DMZ interface, I've verified that inbound traffic from my client's network can hit m0n0 and also route through to my servers sitting behind the LAN interface (with appropriate NAT and firewall rules put in place).

But I still can't get outbound traffic from my LAN to go into the DMZ network for some reason.

      <route>
         <interface>lan</interface>
         <network>10.0.0.0/8</network>
         <gateway>10.198.250.151</gateway>
         <descr>Route to client network</descr>
      </route>

With this route, I'm hoping that requests to 10.x.x.x will be routed through the DMZ network.

Thanks,
Wong
« Reply #2 on: September 05, 2012, 22:45:47 »
Јаневски ***
Posts: 153

[internet]
      |
      |rl0 x.y.z.k/p
[m0n0]rl2--------------------10.198.250.151/16-----------------[switch]
      |rl1 192.168.1.1/24
      |
[switch]

routing table
----
x.y.z.k/p dev rl0
192.168.1.0/24 dev rl1
10.198.0.0/16 dev rl2
default via x.y.z.m dev rl0
----

Let's assume that all traffic is allowed.

If you are on the network 192.168.1.0/24 and you want to route traffic through the router, you must have 192.168.1.1 set as your default gateway.
If you are on the network 10.198.0.0/16 and you want to route traffic through the router, you must have 10.198.250.151 set as your default gateway.

This is needed for successful two way communication.

If the device we are talking about, on 10.198.0.0/16, has another default gateway, and you want to send packets to 192.168.1.0/24, which is behind the m0n0 router, you must add a static route on the device for the subnet 192.168.1.0/24 telling it that it can be reached through 10.198.250.151.

On the device we are talking about:

   route add -net 192.168.1.0/24 gw 10.198.250.151

There could be a solution with NAT but I don't think it's the right way.
« Last Edit: September 05, 2012, 23:04:19 by Јаневски »

« Reply #3 on: September 06, 2012, 01:54:59 »
feicipet *
Posts: 9

[internet]
      |
      |rl0 x.y.z.k/p
[m0n0]rl2--------------------10.198.250.151/16-----------------[switch]
      |rl1 192.168.1.1/24
      |
[switch]

routing table
----
x.y.z.k/p dev rl0
192.168.1.0/24 dev rl1
10.198.0.0/16 dev rl2
default via x.y.z.m dev rl0
----

Thank you for drawing this up, yes it looks pretty much accurate :)

If you are on the network 192.168.1.0/24 and you want to route traffic through the router, you must have 192.168.1.1 set as your default gateway.
If you are on the network 10.198.0.0/16 and you want to route traffic through the router, you must have 10.198.250.151 set as your default gateway.

I will have users on the 192.168.1.0/24 network but I will not have users on the 10.198.0.0/16 network. All my users are on the 192.168.1.0/24 network. 90% of their outbound traffic will need to be routed through rl0 (x.y.z.k), but some of their traffic will need to be routed out through 10.198.0.0/16. For example, there may be another server 10.241.50.50 lying behind 10.198.250.151 which my users need to access. As such, what I think I need is a static route to 10.0.0.0/8 that routes through 10.198.250.151. Is my assumption right?

Additional information: if I were to replace m0n0 with a normal client PC and connect to my client's network, my PC's IP would be 10.198.250.151 as mentioned above, and my default gateway would be 10.198.0.1.

This is needed for successful two way communication.

If the device we are talking about, on 10.198.0.0/16, has another default gateway, and you want to send packets to 192.168.1.0/24, which is behind the m0n0 router, you must add a static route on the device for the subnet 192.168.1.0/24 telling it that it can be reached through 10.198.250.151.

On the device we are talking about:

   route add -net 192.168.1.0/24 gw 10.198.250.151

There could be a solution with NAT but I don't think it's the right way.

No, this is not one of my use cases. All my devices that I need to control are in the 192.168.1.0/24 segment.

Thank you for your input!
Wong
« Reply #4 on: September 06, 2012, 02:21:31 »
Fred Grayson *****
Posts: 994

I don't see the need for any static routes here. You just need the correct firewall rules to allow the desired traffic between LAN and DMZ and DMZ and LAN.

Have you looked at the m0n0wall Handbook section on DMZ yet?

http://doc.m0n0.ch/handbook-single/#id11642778

--
Google is your friend and Bob's your uncle.
« Reply #5 on: September 06, 2012, 03:48:19 »
feicipet *
Posts: 9

Fred, indeed I thought so too.

The DMZ as described there doesn't exactly describe my situation though. In most cases, the DMZ is a subnet of servers / devices whose uplink is through m0n0.

However, in my case, I'm attempting to bridge to another network on the DMZ interface. In terms of use scenarios, you can say that I'm actually trying to connect to two WAN interfaces, one default WAN to the internet, and another to my client's network.

As for why I thought that the routing is the problem, I'm basing it on this tracepath output that I'm getting:

feiciet@lespaul:~$ tracepath -n 10.198.250.151
 1:  192.168.1.50                                          0.131ms pmtu 1500
 1:  10.198.250.151                                        0.393ms reached
 1:  10.198.250.151                                        0.383ms reached
     Resume: pmtu 1500 hops 1 back 64

You will see when I tracepath to my DMZ interface, the path goes directly to that interface IP.

However, when I try to trace to an IP that is behind the DMZ:

feicipet@lespaul:~$ tracepath -n 10.198.0.1
 1:  192.168.1.50                                          0.117ms pmtu 1500
 1:  192.168.1.1                                           0.391ms
 1:  192.168.1.1                                           0.377ms
 2:  no reply
 3:  no reply

10.198.0.1 is the next hop from 10.198.250.151, i.e. 10.198.250.151's gateway. If you see the tracepath output, it's like 192.168.1.1 doesn't know where to route the request after itself.

Sorry, really running out of ideas here. Any clues?

Thanks,
Wong

« Reply #6 on: September 06, 2012, 04:05:54 »
Јаневски ***
Posts: 153

Okay, then I think I understood you. Try adding outbound NAT, selecting the DMZ interface and adding 192.168.1.0/24 as source and * (or 10.198.0.0/16) as destination.

I must say I don't know your network topology well enough, but I think, in my opinion, it needs to be normalized and optimized.
It would be better that way.
« Last Edit: September 06, 2012, 04:08:18 by Јаневски »

« Reply #7 on: September 06, 2012, 04:17:45 »
feicipet *
Posts: 9

Јаневски, unfortunately, I've already done that since yesterday, but it doesn't seem to work either:

   <nat>
      <advancedoutbound>
         <rule>
            <source>
               <network>192.168.1.0/24</network>
            </source>
            <descr>NAT to client LAN full class A private</descr>
            <target>10.198.250.151</target>
            <interface>opt1</interface>
            <destination>
               <network>10.0.0.0/8</network>
            </destination>
         </rule>
      </advancedoutbound>
   </nat>

The part of the network that is mine is actually pretty simple. The problem is that we are working within the confines of a client site. What we're trying to achieve is an "intranet within an intranet, with a backdoor out onto the internet (through 3G)". Kind of clandestine, but quite necessary given how much we rely on the internet.

I've pasted my entire current configuration onto Pastebin here: http://pastebin.com/isUPsyS5

I would appreciate it very much if anybody can tell me if there's anything glaringly wrong there.

Thanks!
Wong
« Reply #8 on: September 06, 2012, 04:34:06 »
Јаневски ***
Posts: 153

10.198.250.151/16 is the DMZ interface IP on the m0n0; what is the IP of the other device on 10.198.0.0/16?

« Reply #9 on: September 06, 2012, 04:55:57 »
feicipet *
Posts: 9

10.198.250.151/16 is the DMZ interface IP on the m0n0; what is the IP of the other device on 10.198.0.0/16?

It can be any device. The entire 10.0.0.0/8 network is our client's network. We are residing on the 10.198.0.0/16 subnet, which is the office LAN. I need to be able to route all 10.0.0.0/8 requests to our gateway on the office LAN, which is 10.198.0.1. From there, I expect the gateway to route correctly to the actual endpoint.

To clarify things a bit more: 10.198.250.151 is the IP address I use if I were to plug my laptop into the office LAN. I would configure a static IP of 10.198.250.151 and set my gateway to 10.198.0.1. I am replacing my laptop with m0n0wall and trying to bridge a private intranet (192.168.1.0/24) to my client's network through 10.198.250.151. Traffic is mostly one way. I just need to go from 192.168.1.0/24 to 10.0.0.0/8. I don't expect any traffic inbound from client network into 10.198.250.151 (though ironically, I had actually gotten inbound traffic up and working).

Thanks,
Wong
« Reply #10 on: September 06, 2012, 09:12:37 »
feicipet *
Posts: 9

To further clarify, these are 2 diagrams illustrating the issue.

This is what we have right now if we don't have M0n0wall (attachment Network diagram (As-Is).png). A single laptop connects to the network.

The second diagram (Network diagram (To-Be).png) illustrates what I'm trying to achieve and where our problems are.

Thanks,
wong

* Network diagram (As-Is).png (34.52 KB, 1033x738)

* Network diagram (To-Be).png (66.78 KB, 1033x738)
« Reply #11 on: September 06, 2012, 09:32:08 »
Јаневски ***
Posts: 153

I see the config; the NAT should have done the work, but only for 10.198.0.0/16...
For each 10.0.0.0/8 sub-subnet, I think you'll need to add static routes with gateway 10.198.0.1:
route add -net 10.0.0.0/9 gw 10.198.0.1
route add -net 10.128.0.0/10 gw 10.198.0.1
route add -net 10.192.0.0/14 gw 10.198.0.1
route add -net 10.196.0.0/15 gw 10.198.0.1
route add -net 10.199.0.0/16 gw 10.198.0.1
route add -net 10.200.0.0/13 gw 10.198.0.1
route add -net 10.208.0.0/12 gw 10.198.0.1
route add -net 10.224.0.0/11 gw 10.198.0.1

Leave NAT for WAN, OPT1 on and try adding the chain of routes.

Is ping echo reply enabled on 10.198.0.1, and if it is, could you ping it from 192.168.1.0/24 or from the m0n0 web GUI?
« Last Edit: September 06, 2012, 23:11:59 by Јаневски »
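The routing-table sketch in Reply #2 and the "chain of routes" in Reply #11 are the two halves of the same point: the m0n0 already has a connected route for 10.198.0.0/16 on rl2, so the rest of 10.0.0.0/8 has to be reached through a next hop on that connected network (10.198.0.1), never through the firewall's own interface address. The script below is an added example, not m0n0wall code and not something anyone in the thread posted: it computes the complement prefixes with the standard-library ipaddress module, renders them as a m0n0wall <staticroutes> fragment in the same shape as the poster's config, and checks next-hop selection with a longest-prefix-match lookup over the Reply #2 table. The interface names (rl0/rl1/rl2, opt1) and the `x.y.z.m` placeholder for the 3G modem are taken from the thread; the sample destinations are constructed.

```python
"""Added example: derive the static routes from Reply #11 and check next-hop
selection with longest-prefix matching.  Not m0n0wall code; addresses and
interface names follow the thread, test destinations are constructed."""
import ipaddress

# Routing table as sketched in Reply #2: (prefix, next hop or None if
# directly connected, interface).  "x.y.z.m" is the poster's placeholder
# for the 3G modem address on rl0.
BASE_TABLE = [
    ("192.168.1.0/24", None, "rl1"),
    ("10.198.0.0/16", None, "rl2"),
    ("0.0.0.0/0", "x.y.z.m", "rl0"),
]

def chain_of_routes(aggregate: str, connected: str):
    """Split `aggregate` into the largest prefixes that cover it minus
    `connected`.  The connected /16 needs no static route; everything else
    in the /8 must be sent to the client's gateway."""
    agg = ipaddress.ip_network(aggregate)
    con = ipaddress.ip_network(connected)
    return sorted(agg.address_exclude(con))

def static_routes_xml(nets, gateway: str, interface: str = "opt1") -> str:
    """Render a m0n0wall <staticroutes> block in the shape of the poster's
    config.  The gateway is the next hop on the connected DMZ network,
    not the firewall's own 10.198.250.151."""
    rows = []
    for n in nets:
        rows.append(
            "      <route>\n"
            f"         <interface>{interface}</interface>\n"
            f"         <network>{n}</network>\n"
            f"         <gateway>{gateway}</gateway>\n"
            f"         <descr>Route to client network {n}</descr>\n"
            "      </route>"
        )
    return "   <staticroutes>\n" + "\n".join(rows) + "\n   </staticroutes>"

def build_table(routes, gateway: str = "10.198.0.1"):
    """Base table plus one entry per computed prefix, all via the client
    gateway out of rl2."""
    return BASE_TABLE + [(str(n), gateway, "rl2") for n in routes]

def lookup(table, dst: str):
    """Longest-prefix match: return (prefix, next_hop, iface) for dst, or
    None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    best_len = -1
    for prefix, nexthop, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, nexthop, iface), net.prefixlen
    return best

if __name__ == "__main__":
    routes = chain_of_routes("10.0.0.0/8", "10.198.0.0/16")
    print(static_routes_xml(routes, "10.198.0.1"))
    table = build_table(routes)
    # Constructed destinations: the server from Reply #3, the client
    # gateway, a LAN host and an internet address.
    for dst in ("10.241.50.50", "10.198.0.1", "192.168.1.50", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
```

The eight prefixes the script produces are exactly the eight `route add` lines in Reply #11, and the lookup shows the split the poster wanted: 10.241.50.50 matches 10.224.0.0/11 and leaves rl2 via 10.198.0.1, 10.198.0.1 itself matches the connected /16 with no next hop, and anything outside 10.0.0.0/8 falls through to the default route on rl0. Outbound NAT on OPT1 (Reply #6/#7) is still needed on top of these routes, because the client network only accepts the 10.198.250.151/MAC pair and has no route back to 192.168.1.0/24.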
