Topic: Monowall to Monowall
« on: December 20, 2012, 14:03:16 »
spinne84 *
Posts: 10

Hello all,

I have a problem accessing my WLAN routers from the local LAN behind Monowall 2 and from the local LAN behind Monowall 1 (see picture attached).
The green arrow means that this connection is working. The red arrow means it is not.

Now I am not sure if it is a routing problem or a firewall problem.

Thank you!
Spinne84


* Attachment: Unbenannt.JPG
« Last Edit: December 20, 2012, 14:06:04 by spinne84 »
« Reply #1 on: December 20, 2012, 14:18:11 »
tuxfux *
Posts: 32

Hi,

I am not a pro, but I guess details of the firewall and NAT settings would help to find the problem. In addition, also over what IP and port you would like to reach the WLAN router. Details about the subnets would also be nice. Can you include them in the pic? Especially the settings from m0n02.

like

Code:
                                                 wlan
                                              195....3/24
                                              195....1/24
client                    mono1                    mono2             client
192....3/24          193....1/24           194....1/24       194....3/24



OK, not quite good and complete, just so that you get what I mean....



cheers
Fliege84
« Reply #2 on: December 20, 2012, 14:25:25 »
iridris ***
Posts: 145

The problem is most likely the firewall, as I believe m0n0wall handles the routing of IPsec tunnels automatically.

IPsec connections have their own firewall tab besides LAN/WAN - have you allowed the appropriate IP addresses through?
« Reply #3 on: December 20, 2012, 14:39:46 »
spinne84 *
Posts: 10

Thank you for the fast answers! Also to Fliege84!

Please find attached the rules from the "Monowall 2".


                                                                             wlan
                                                                             172.16.10.15/24
                                                                             172.16.10.240/24
client                             mono1                              mono2                           client
192.168.12.3/24          192.168.12.230/24           192.168.10.240/24       192.168.10.3/24

Thank you for your help!!!


* Attachment: DMZ Rules.JPG

* Attachment: LAN Rules.JPG
« Last Edit: December 20, 2012, 15:32:14 by spinne84 »
« Reply #4 on: December 20, 2012, 15:14:37 »
tuxfux *
Posts: 32

I guess
wlan
172.166.10.15/24

is a typo.

I also guess you cross-posted with iridris. Well, he is right. Since you come over IPsec you need to configure there. But from LAN it should work. What do you get if you trace from LAN (192.168.10.3/24) to WLAN (172.166.10.15/24)? I guess when you ping you get a bad reply from m0n02...

If you have SSH enabled, what happens if you do it from the shell of the m0n0? (Well, I use pfSense, so I am not sure if it is the same with its father m0n0...) Well, that should definitely work. Hm... I guess others could suggest something better.

If you did not configure the firewall rules for IPsec, do that and test it. Then we might come closer.
« Reply #5 on: December 20, 2012, 15:32:00 »
spinne84 *
Posts: 10

Oh shit, sorry! That was my mistake!

The WLAN access point is 172.16.10.15/24.

Please find attached the IPsec rules.
I have no way to use SSH with this monowall!?
Yes, you are right: if I ping from LAN (192.168.10.3/24) to WLAN (172.16.10.15/24) I get a bad response.



* Attachment: IPsec.JPG
« Reply #6 on: December 20, 2012, 15:55:13 »
spinne84 *
Posts: 10

I could solve one problem by myself.

Now I can ping the WLAN access point (172.16.10.15/24) from the monowall 2 LAN.

But now I need also access from the monowall 1 LAN...


* Attachment: LAN.JPG

* Attachment: Captivate portal.JPG
« Last Edit: December 20, 2012, 17:02:42 by spinne84 »
« Reply #7 on: December 20, 2012, 21:48:09 »
tuxfux *
Posts: 32

It would be nice to tell why the one connection works now, in case someone is browsing for a similar problem.

When you trace from the LAN of monowall 1, what do you get?
« Reply #8 on: December 20, 2012, 22:09:58 »
spinne84 *
Posts: 10

Yes, of course, that's right! Sorry!
I added the screenshot but no text...
In my last screenshot there is an entry in the captive portal!
I added the IP address of the WLAN access point. After that I got a connection from monowall 2 and the LAN (192.168.10.0/24) segment to this access point.

But now I think it is necessary to tell monowall 1 that there is a segment (172.16.10.0/24) at monowall 2? I tried to add a rule (the grey one), but it is not working.


* Attachment: Unbenannt.JPG
« Last Edit: December 20, 2012, 22:11:55 by spinne84 »
« Reply #9 on: December 21, 2012, 02:05:28 »
tuxfux *
Posts: 32

Ah yes, of course. I think this addresses the problem: http://doc.m0n0.ch/handbook/faq-ipsec-multiple-subnets.html
-> in pfSense: System -> Static Routes

Don't forget that in the basic setup, the private addresses are blocked in the default config. So you need to allow RFC 1918.

I guess you are aware of the fact that grey rules are disabled (so you disabled it because it did not help, right?).

good luck

« Last Edit: December 21, 2012, 02:13:56 by tuxfux »
« Reply #10 on: December 21, 2012, 08:24:28 »
spinne84 *
Posts: 10

Yes, you are right. I disabled the grey rule because it was not working.

I do not understand why I must allow RFC 1918? Because the other private addresses 192.168.10.0 to monowall 2 are already working.

So I tried to add a static route (see picture). But without success.


* Attachment: static route.JPG
« Reply #11 on: December 21, 2012, 14:34:44 »
tuxfux *
Posts: 32

To be honest, your pic is a bit unhelpful here. You should write each IP on the side of the device it belongs to. My "ASCII pic" was a bit misleading, I guess. Sorry about that.

You need to put the other side 192.168.10.? ?? of the interface from monowall 2's WAN as gateway. Your router knows its own interfaces. So when you want to go to another "unknown" network, you say on m0n01: send it to m0n02. The second m0n0wall then knows the other network and consequently where to send it.

Or simpler: tell m0n01 to send it to monowall 2; it knows what to do with it.

good luck with it.
« Last Edit: December 22, 2012, 00:42:39 by tuxfux »
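The following is an added model, not code from the thread or from m0n0wall, of what the last few posts are arguing about: which of "routing", "IPsec tunnel definition" and "IPsec firewall rules" decides whether a packet from mono1's LAN reaches the 172.16.10.0/24 segment behind mono2. It uses the addresses posted in the thread and assumes (as the linked handbook FAQ discusses) a policy-based IPsec tunnel whose working phase 2 carries only 192.168.12.0/24 <-> 192.168.10.0/24. The rule sets are assumed too: the LAN/DMZ tabs allow everything, the IPsec tab only what is listed, and `isp` stands in for the unknown WAN side. The `build()` flags let you compare a plain static route on mono1, a second phase-2 subnet pair, and the matching IPsec-tab rules.

```python
"""Added model (not from the thread or from m0n0wall) of how a packet from
mono1's LAN reaches mono2's WLAN segment through a policy-based IPsec tunnel.
Addresses are the ones posted in the thread; 'isp' stands in for the unknown
WAN side. Rule sets are assumed: LAN/DMZ tabs allow anything, the IPsec tab
only what is listed."""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    prefix: Net
    iface: str      # egress interface
    nexthop: str    # "connected", another firewall's name, or "isp"


@dataclass
class Firewall:
    name: str
    routes: list                               # [Route]
    selectors: list                            # phase 2: (local net, remote net, peer)
    rules: dict = field(default_factory=dict)  # ingress iface -> [(src net, dst net)] allowed

    def permits(self, ingress, src, dst):
        return any(src in s and dst in d for s, d in self.rules.get(ingress, []))

    def ipsec_peer(self, src, dst):
        """Policy-based IPsec: only a packet matching a phase-2 selector is
        encrypted; everything else is routed in the clear."""
        for local, remote, peer in self.selectors:
            if src in local and dst in remote:
                return peer
        return None

    def forward(self, src, dst):
        peer = self.ipsec_peer(src, dst)
        if peer is not None:
            return "ipsec", peer
        best = max((r for r in self.routes if dst in r.prefix),
                   key=lambda r: r.prefix.prefixlen)   # longest prefix wins
        return best.iface, best.nexthop


def build(wlan_phase2=False, wlan_rule=False, static_route=False):
    """mono1: LAN 192.168.12.0/24.  mono2: LAN 192.168.10.0/24 plus the
    WLAN/DMZ segment 172.16.10.0/24 (AP at .15).  The working tunnel carries
    192.168.12.0/24 <-> 192.168.10.0/24.  The flags add, respectively, a
    second phase-2 pair for the WLAN segment, the matching IPsec-tab rules,
    and a plain static route on mono1 for 172.16.10.0/24 via its WAN."""
    lan1, lan2, wlan = Net("192.168.12.0/24"), Net("192.168.10.0/24"), Net("172.16.10.0/24")
    mono1 = Firewall("mono1",
                     routes=[Route(ANY, "wan", "isp"), Route(lan1, "lan", "connected")],
                     selectors=[(lan1, lan2, "mono2")],
                     rules={"lan": [(ANY, ANY)], "ipsec": [(lan2, lan1)]})
    mono2 = Firewall("mono2",
                     routes=[Route(ANY, "wan", "isp"), Route(lan2, "lan", "connected"),
                             Route(wlan, "dmz", "connected")],
                     selectors=[(lan2, lan1, "mono1")],
                     rules={"lan": [(ANY, ANY)], "dmz": [(ANY, ANY)], "ipsec": [(lan1, lan2)]})
    if static_route:
        mono1.routes.append(Route(wlan, "wan", "isp"))
    if wlan_phase2:   # the tunnel must carry the extra subnet in both directions
        mono1.selectors.append((lan1, wlan, "mono2"))
        mono2.selectors.append((wlan, lan1, "mono1"))
    if wlan_rule:     # and each side's IPsec tab must admit the new pair
        mono1.rules["ipsec"].append((wlan, lan1))
        mono2.rules["ipsec"].append((lan1, wlan))
    return {"mono1": mono1, "mono2": mono2}


def trace(fws, start, ingress, src, dst, max_hops=8):
    """Follow one packet; returns [(firewall, egress-or-verdict, nexthop)]."""
    src, dst = IPv4(src), IPv4(dst)
    fw, hops = fws[start], []
    for _ in range(max_hops):
        if not fw.permits(ingress, src, dst):
            hops.append((fw.name, "blocked:" + ingress, None))
            return hops
        iface, nxt = fw.forward(src, dst)
        hops.append((fw.name, iface, nxt))
        if nxt not in fws:          # delivered on a connected net, or gone to the ISP
            return hops
        fw, ingress = fws[nxt], "ipsec"
    raise RuntimeError("routing loop")


if __name__ == "__main__":
    for flags in ({}, {"static_route": True}, {"wlan_phase2": True},
                  {"wlan_phase2": True, "wlan_rule": True}):
        fws = build(**flags)
        print(flags or "baseline", trace(fws, "mono1", "lan", "192.168.12.3", "172.16.10.15"))
    print("return", trace(build(True, True), "mono2", "dmz", "172.16.10.15", "192.168.12.3"))
```

Running it shows the three stages separately: in the baseline and with only a static route, the packet to 172.16.10.15 leaves mono1 in the clear towards the ISP because no phase-2 selector covers it, so a route alone does not push traffic into a policy-based tunnel; with a second phase-2 pair but no IPsec-tab rule, it is encrypted, arrives at mono2 and is then dropped on the IPsec interface; only with both does it reach the DMZ segment. The return trace shows why the "back route" matters too: mono2 needs its own selector for 172.16.10.0/24 -> 192.168.12.0/24, otherwise the AP's reply also goes to the default route instead of the tunnel.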
« Reply #12 on: December 22, 2012, 09:45:50 »
spinne84 *
Posts: 10

Hello tuxfux,

First of all: thank you very much for your help!!!

But I am still not able to tell "m0n0 1" that it should send all 172.16.10.0/24 requests to "m0n0 2".

Could it be that there is something wrong with the back route?
Hence I have modified my pic again with more information:


* Attachment: Architektur.png
« Last Edit: December 22, 2012, 09:51:54 by spinne84 »
« Reply #13 on: December 22, 2012, 14:41:08 »
tuxfux *
Posts: 32

hey spinne,

Well, sadly I couldn't help you so far... I have to admit that I have never done something like that myself.

First of all you need to reactivate the disabled firewall rule for the IPsec network. Then test it again. If it still does not work:
can you post the output of traceroute (where you made the ping, but the other thing)? This might give a clue; the thing is, I don't have any.

@others: any suggestions?

Be aware of the fact that I might not answer very fast in the next 2-3 days.
« Reply #14 on: December 22, 2012, 14:42:33 »
tuxfux *
Posts: 32

Oh, and one question. The green arrow from mono1 to mono2 is over IPsec, right?