Topic: VPN connection Ipsec behind LAN interface for clients
« on: July 23, 2013, 22:22:23 »
dr01 **
Posts: 79

How is this accomplished? I know this is a HUGE m0n0wall issue and needs to be resolved ASAP... why does IPsec VPN traffic not work when a client is behind the LAN firewall subnet?

Where is the Solution to this issue?

PLEASE HELP ASAP......

Thank you to All.....
« Reply #1 on: July 23, 2013, 23:03:42 »
Fred Grayson *****
Posts: 994

You might want to read up on the following:

IPSec and NAT

NAT Traversal (NAT-T)

--
Google is your friend and Bob's your uncle.
« Reply #2 on: July 23, 2013, 23:29:10 »
dr01 **
Posts: 79

It would be easier if there were a feature or a way to disable the firewall or disable the NAT feature inside m0n0wall, please... how can we perform this? Thank you...
« Reply #3 on: July 24, 2013, 00:00:38 »
dr01 **
Posts: 79

Also, why can't there be a simple GUI option within m0n0wall for "my IPsec VPN clients connect from behind NAT"?
« Reply #4 on: July 24, 2013, 00:17:42 »
Fred Grayson *****
Posts: 994

> It would be easier if there were a feature or a way to disable the firewall or disable the NAT feature inside m0n0wall, please... how can we perform this? Thank you...

If you are behind NAT you cannot disable NAT and still have an internet connection. The whole reason for NAT is to allow a single public IP address to be shared.

There are provisions in m0n0wall to provide for NAT traversal. Enabling this may help. Have you tried this?

Also, m0n0wall to m0n0wall IPSec with NATs is fully supported.

You haven't explained your setup, so what is it?
« Last Edit: July 24, 2013, 00:35:18 by Fred Grayson »

« Reply #5 on: July 24, 2013, 03:39:56 »
dr01 **
Posts: 79

We have a /16 network on the LAN interface, and we have opened up all the ports in the firewall rules for both WAN and LAN... that's about it for the setup... we do know the guests that try the VPN get connected outbound, but no inbound traffic is seen connecting...

what are we setting up wrong?

thank you
« Reply #6 on: July 24, 2013, 03:45:49 »
Fred Grayson *****
Posts: 994

Hard to say what's wrong without seeing the complete configuration.

Have you followed the instructions found in the m0n0wall handbook?


« Reply #7 on: July 24, 2013, 04:29:41 »
Lee Sharp *****
Posts: 517

This could be a NAT limiting issue.  If you have several clients behind one IP address connecting to a VPN server, many of those VPN servers can get confused.  This is not a bug; it is a known limitation of the protocol.  It is why hotels will let you have a real IP address for an extra fee.  For your situation, you have a few options.  Try to design a better VPN network (not possible for hotels), or give guests with this problem static IPs internally with 1 to 1 NAT so they are on different IPs when they hit the company server.

Could you describe what the actual problem is?  What VPN, EXACTLY?  True IPsec, or that "mobile client" dial-up-like VPN?  (Cisco takes some serious, and very unfriendly, liberties with the IPsec standard.  They had to add special assistance to the ASA firewalls just to support some older versions of their broken client.)

FYI:  Screaming that "This is a bug that needs to be fixed" is totally non-helpful.  It may actually cause some people to abstain from assisting you.
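The limitation Lee describes above, shown as an added Python illustration (this is not code from the thread or from m0n0wall; every address, port and SPI in it is a constructed sample value). A port-overloading NAT keys UDP flows on the rewritten source port, but ESP (IP protocol 50) carries no ports, and the SPI on the server's reply is one the server chose, which the NAT never saw outbound. With one inside host talking to a given server the NAT can still guess; with two it cannot, so replies are dropped. Encapsulating ESP in UDP/4500 (NAT-T) restores a usable 5-tuple:

```python
"""Toy NAPT table: why several LAN clients running plain IPsec/ESP to the
same VPN server are ambiguous at the NAT, and why NAT-T (ESP in UDP/4500)
is not. Added illustration, not m0n0wall code; values are constructed."""
from dataclasses import dataclass
import itertools

PUBLIC_IP = "50.45.21.107"      # constructed: the gateway's single WAN address
VPN_SERVER = "203.0.113.5"      # constructed: the corporate VPN concentrator
IP_PROTO_UDP = 17
IP_PROTO_ESP = 50


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0   # UDP only
    dport: int = 0   # UDP only
    spi: int = 0     # ESP only; an SPI is chosen by the *receiver* of the SA


class Napt:
    """Minimal stateful NAT. UDP flows get a unique public port; ESP has no
    ports, so the only key available for inbound ESP is the remote peer."""

    def __init__(self, public_ip=PUBLIC_IP):
        self.public_ip = public_ip
        self._ports = itertools.count(40000)
        self._udp_out = {}    # (in_ip, in_port, peer, peer_port) -> public port
        self._udp_in = {}     # (public port, peer, peer_port) -> (in_ip, in_port)
        self._esp_peers = {}  # peer ip -> inside hosts that sent ESP to it

    def outbound(self, p):
        if p.proto == IP_PROTO_UDP:
            key = (p.src, p.sport, p.dst, p.dport)
            if key not in self._udp_out:
                port = next(self._ports)
                self._udp_out[key] = port
                self._udp_in[(port, p.dst, p.dport)] = (p.src, p.sport)
            return Packet(p.proto, self.public_ip, p.dst, self._udp_out[key], p.dport)
        if p.proto == IP_PROTO_ESP:
            hosts = self._esp_peers.setdefault(p.dst, [])
            if p.src not in hosts:
                hosts.append(p.src)
            # The outbound SPI belongs to the server's inbound SA; it says
            # nothing about the SPI the server will put on its replies.
            return Packet(p.proto, self.public_ip, p.dst, spi=p.spi)
        raise ValueError("unsupported protocol")

    def inbound(self, p):
        """Return the translated packet, or None if the NAT cannot decide."""
        if p.proto == IP_PROTO_UDP:
            hit = self._udp_in.get((p.dport, p.src, p.sport))
            if hit is None:
                return None
            in_ip, in_port = hit
            return Packet(p.proto, p.src, in_ip, p.sport, in_port)
        if p.proto == IP_PROTO_ESP:
            hosts = self._esp_peers.get(p.src, [])
            if len(hosts) != 1:
                return None          # zero or several candidates: ambiguous
            return Packet(p.proto, p.src, hosts[0], spi=p.spi)
        raise ValueError("unsupported protocol")


def plain_esp_demo(clients):
    """Each client sends ESP to the server; the server replies with SPIs of
    its own choosing. Returns the inside host each reply reaches (None = dropped)."""
    nat = Napt()
    for i, c in enumerate(clients):
        nat.outbound(Packet(IP_PROTO_ESP, c, VPN_SERVER, spi=0x1000 + i))
    replies = [Packet(IP_PROTO_ESP, VPN_SERVER, PUBLIC_IP, spi=0x2000 + i)
               for i in range(len(clients))]
    return [getattr(nat.inbound(r), "dst", None) for r in replies]


def nat_t_demo(clients):
    """Same clients using NAT-T (ESP inside UDP/4500). The NAT rewrites the
    source port per client, so the server's replies map back unambiguously."""
    nat = Napt()
    outside = [nat.outbound(Packet(IP_PROTO_UDP, c, VPN_SERVER, 4500, 4500))
               for c in clients]
    # The server answers to whatever source port it saw.
    replies = [Packet(IP_PROTO_UDP, VPN_SERVER, PUBLIC_IP, 4500, o.sport)
               for o in outside]
    return [getattr(nat.inbound(r), "dst", None) for r in replies]


if __name__ == "__main__":
    guests = ["172.20.1.200", "172.20.1.201"]
    print("plain ESP:", plain_esp_demo(guests))
    print("NAT-T    :", nat_t_demo(guests))
```

Real NAT devices vary: some implement an "IPsec passthrough" heuristic that pairs SPIs with the IKE exchange that negotiated them, which is why a single guest often works and the second one on the same public address breaks. Clients whose IKE implementation negotiates NAT-T avoid the problem, which is why the handbook's NAT-T advice comes first.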
« Reply #8 on: July 24, 2013, 12:49:45 »
dr01 **
Posts: 79

I agree that saying it is a bug in the software may not be right, and I apologize... I just know that in our scenario, which is hotels with clients behind the LAN interface, we get a lot of VPN complaints, and other gateway solutions seem to have the VPN mastered and it works for their clients... I do know the older solution was to have a gateway router that asks a client upon login to the network if they require VPN use; they then checked a box and the gateway at that point gave them a global IP assigned from the ISP, directly on a bypass from the gateway. That works great... however m0n0wall does not do this or have this captive portal feature to ask a client if they want a bypass and a global static IP...

Maybe the final solution is to add a feature inside the captive portal that can give out a WAN global static IP address, from the pool of static IPs at a property, to a VPN user, thus bypassing the entire NAT LAN firewall issue???

What are the thoughts on adding that feature? Is that doable do you think?

Thanks again...
« Reply #9 on: July 24, 2013, 12:51:36 »
dr01 **
Posts: 79

Also of note: if anyone wants to see our config, we have no issue allowing a peek at it via a remote session... we can provide the IP and login credentials to anyone who wants them on our beta test gateway...
« Reply #10 on: July 24, 2013, 21:55:06 »
Lee Sharp *****
Posts: 517

I really do not miss installing Internet at hotels every day. :)

The fix is simple.  You need to give VPN users a 1 to 1 NAT manually.  Like this...

1) They call in with issue.
2) You ask them for their IP address, and when they are leaving.
3) You add that IP address to 1 to 1 NAT with an expiry date.
4) Ask them to try again and it works.
5) Clean up all the expired addresses no one else has cleaned up.

And yeah, this takes a boatload of static IPs to do this, and all of them have to be in proxy ARP.

And yes, this could be reasonably scripted from within CP and stuff, but it would not be trivial.
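The five-step workflow above, as an added Python pool manager (this is my example, not m0n0wall's code and not the captive-portal scripting Lee mentions). It reserves the gateway's own WAN address, hands a guest LAN address one public address until the checkout time, reclaims expired mappings, and emits the resulting 1:1 list. The dictionary key names `external`/`internal`/`descr` and the ISP block `50.45.21.96/27` are assumptions for the example; pushing the entries into the firewall, and the matching proxy ARP for each external address, is left to the operator:

```python
"""Pool manager for temporary 1:1 NAT assignments handed to VPN guests.
Added example, not m0n0wall code. Addresses and dates are constructed."""
from dataclasses import dataclass
from datetime import datetime
import ipaddress


@dataclass
class Lease:
    external: str       # public address from the ISP block
    internal: str       # guest's LAN address behind the gateway
    expires: datetime   # checkout time
    descr: str = ""


def _as_datetime(value):
    # Accept ISO-8601 strings ("2013-07-27T11:00") as well as datetime objects.
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


class OneToOnePool:
    def __init__(self, public_block, wan_ip):
        net = ipaddress.ip_network(public_block, strict=False)
        wan = ipaddress.ip_address(wan_ip)
        if wan not in net:
            raise ValueError("WAN address must lie inside the public block")
        # The gateway's own WAN address can never be handed to a guest.
        self._free = [str(a) for a in net.hosts() if a != wan]
        self._leases = {}   # internal ip -> Lease

    def capacity(self):
        """Maximum simultaneous 1:1 guests: block hosts minus the WAN address."""
        return len(self._free) + len(self._leases)

    def assign(self, internal, checkout, descr=""):
        """Steps 2-3: map the guest's LAN address to a free public address."""
        ipaddress.ip_address(internal)      # reject garbage read out over the phone
        checkout = _as_datetime(checkout)
        lease = self._leases.get(internal)
        if lease is not None:               # guest called twice or extended the stay
            lease.expires = max(lease.expires, checkout)
            return lease
        if not self._free:
            raise RuntimeError("no free public addresses left in the 1:1 pool")
        lease = Lease(self._free.pop(0), internal, checkout, descr)
        self._leases[internal] = lease
        return lease

    def release(self, internal):
        lease = self._leases.pop(internal)
        self._free.append(lease.external)   # reused last, so stale state elsewhere ages out
        return lease

    def expire(self, now):
        """Step 5: reclaim every mapping whose checkout time has passed."""
        now = _as_datetime(now)
        expired = [ls for ls in self._leases.values() if ls.expires <= now]
        for ls in expired:
            self.release(ls.internal)
        return expired

    def nat_entries(self):
        """The 1:1 mappings that should currently exist on the gateway.
        Key names are this example's own, not a m0n0wall config format."""
        return [{"external": ls.external, "internal": ls.internal,
                 "descr": ls.descr or f"VPN guest until {ls.expires:%Y-%m-%d %H:%M}"}
                for ls in self._leases.values()]


if __name__ == "__main__":
    pool = OneToOnePool("50.45.21.96/27", "50.45.21.97")   # constructed ISP block and WAN IP
    print("capacity:", pool.capacity())
    print(pool.assign("172.20.1.200", "2013-07-27T11:00", "room 412"))
    print(pool.nat_entries())
    print("expired:", pool.expire("2013-07-27T11:00"))
```

Run `expire()` from a periodic job (cron or the captive-portal logout hook) rather than by hand, which is the step that tends to be forgotten in practice. Because the external address is answered for by the gateway via proxy ARP, a mapping left behind after checkout exposes whatever the next guest on that LAN address is running, so the expiry is a security control, not just housekeeping.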
« Reply #11 on: July 25, 2013, 04:02:38 »
dr01 **
Posts: 79

So if I understand correctly, with NAT 1:1 you would use the same address for external and internal? Using a /32 for a single address? And the address that you insert there is the user's IP address from behind the LAN port and NAT? Correct?

So, like, a user has 172.20.1.200, so you would use this address in NAT 1:1 as both external and internal? Then it auto-adds to proxy ARP, I think...

Please let me know....thank you
« Reply #12 on: July 25, 2013, 04:07:25 »
dr01 **
Posts: 79

Also, I forgot to ask... which interface do you apply the NAT 1:1 to?  The WAN or LAN?

thanks....


And yes, I HATE hotel IT work... for this reason... m0n0wall is great router base software, but it has a few items lacking that most of the hotel IT groups ask for now... like bandwidth utilization graphs, just as an example... and this user-interface VPN ease-of-use feature in CP.
« Reply #13 on: July 25, 2013, 14:38:14 »
dr01 **
Posts: 79

Lee, one more question... so if we take every DHCP IP address available and add them into the NAT 1:1 feature, then in essence we have no NAT going on anymore for any clients behind the LAN interface, as they would all be in a 1:1 relationship to the outside world, and anyone's VPN connection would work at that point regardless of the IP they were assigned when they arrived at a property?

Is this correct?

Thank you.....
« Reply #14 on: July 25, 2013, 14:53:02 »
dr01 **
Posts: 79

I think I misunderstood the NAT 1:1 feature... you cannot NAT 1:1 from an internal address to an internal address... instead it's intended to map an external global IP address, from the pool available from your ISP, to an internal LAN IP address inside the m0n0wall NAT pool...

as an example:  outbound: 50.45.21.107 to Internal: 172.20.1.200

Then the proxy ARP is auto-generated, and the guest using the .200 address can now access his/her VPN work network, as they are no longer behind a NAT network but rather go straight out to the world using the .107 ISP global static IP.

Is this correct?

So if that is correct, then the ISP global static IP addresses allowed to a property (let's say 20) would mean that I can only have a maximum of 19 VPN connections at that site, as the m0n0wall WAN takes up one IP from the ISP...

Is this all correct???