Topic: GUI Access from different subnet - Part 2  (Read 3617 times)
« on: November 01, 2013, 11:47:25 »
mongo *
Posts: 15

Hi,

So as to keep things simple, I am starting from scratch with the manner in which my question is posed.

Current Workings (all firewalls disabled!)

1/ All resources in current network have access to the Internet
2/ PC2 can access all resources
3/ PC1 can only access resources in the 192.168.1.0/24 Subnet

What I want to achieve

1/ PC1 to have access to resources in both 192.168.1.0/24 and 192.168.0.0/24 Subnet

Current Topology and Settings

View Diagrams Below

AND

In advanced settings

Disable Spoof Checking on bridge - Checked
Bypass firewall rules for traffic on the same interface - Checked

Comments

1/ Please, I do understand that the network setup is not optimal.
2/ I simply would like to know: given the manner in which the network is configured, should PC1 have access to resources on the 192.168.0.0/24 Subnet?
3/ If the answer is 'YES', what may be the reason this config is not working?
4/ If the answer is 'NO', what must I change ?

I really hope that my network topology and config is clear.

Really hope that someone can point me in the right direction.

 Smiley


* Topolgy.gif (19.84 KB, 800x340 - viewed 324 times.)

* Status---Interfaces.gif (15.79 KB, 601x576 - viewed 313 times.)

* firewall-rules---LAN-WAN-NAT_Outbound.gif (30.88 KB, 598x873 - viewed 319 times.)

* Static-route---Interface-LAN.gif (33.33 KB, 677x700 - viewed 299 times.)
« Last Edit: November 01, 2013, 11:50:47 by mongo »
« Reply #1 on: November 07, 2013, 01:28:25 »
Lee Sharp *****
Posts: 517

Wow...  This is very complex, and I am not sure why.  Let's start...

Router at 192.168.1.253...  Why is it here?  Why does it have only one interface?

You have routes for 192.168.20.x and there is no 192.168.20.x in your diagram.  Where is it?  What is it?

Where is your static route for the 192.168.0.0/24 network pointing to 192.168.1.254?
« Reply #2 on: November 07, 2013, 09:12:07 »
mongo *
Posts: 15

Hi Lee!

Re complexity, yup we are in agreement, please bear with me.

You come across as a person who likes a challenge.

Smiley

To answer your questions

1/ Router at 192.168.1.253 exists simply because I don't have a managed switch. Initially I had an unmanaged switch where the 192.168.1.253 exists and removed it as I thought this may be the reason my config was not working. If it helps I can remove the router and add the switch in its place.

2/ To test that my understanding of static routes is correct I tried the following scenario. Two Thomson 585v7 modem/routers (192.168.0.1 and 192.168.1.1), two PCs, one connected to 192.168.0.1 and one to 192.168.1.1. In both Thomsons I set up IPs in the 192.168.20.0 subnet to use for routing purposes.

i.e.

192.168.1.1 has: Additional IP address of 192.168.20.1 with static route Dest:192.168.0.0 | Gateway 192.168.20.2 (refer to the telnet img as reference to CLI interface)
192.168.0.1 has: Additional IP address of 192.168.20.2 with static route Dest:192.168.1.0 | Gateway 192.168.20.1 (refer to the telnet img as reference to CLI interface)

With this config, both PCs were able to access shared resources across the different subnets.

So...... as this scenario worked and to answer your question

The 192.168.20.x is setup in 'ISP Modem/Router' --> LAN Address (Secondary): 192.168.20.1

and

The 192.168.20.x is setup in 'm0n0wall' --> LAN Address (Secondary): 192.168.20.2

I am simply trying to mimic the test scenario described above (The two Thomson 585v7 config).

3/ I don't have a static route for 192.168.0.0/24 to 192.168.1.254, I will set this up in the m0n0wall 'Static routes' section and post back.

I really do appreciate your assistance, just need someone with more knowledge than me to point out where I am going wrong while I learn.

Thanks!
« Reply #3 on: November 07, 2013, 15:17:24 »
mongo *
Posts: 15

Hi!

I added the static route.

No change....
« Reply #4 on: November 09, 2013, 23:42:01 »
Lee Sharp *****
Posts: 517

The problem is, with all the complexity, it is hard to wrap my head around what you have.  So if you can narrow it down to two routers, and two computers, that makes things easier.  Also, put in a tag for that 192.168.20.x network.

Also, this is a shot in the dark, but under Interfaces -> WAN did you uncheck "Block Private Networks?"  And from the primary router, can you ping both interfaces of the secondary router?
« Reply #5 on: November 13, 2013, 17:47:20 »
mongo *
Posts: 15

Hi Lee!

OK narrowed it down to bare bones, see new diagram.

What do I need to configure so that PC1 can access the m0n0wall GUI at 192.168.0.1 ?

Thanks


* Topolgy_Simple.gif (10.92 KB, 592x340 - viewed 197 times.)
« Reply #6 on: November 13, 2013, 18:19:32 »
Fred Grayson *****
Posts: 994

> Hi Lee!
>
> OK narrowed it down to bare bones, see new diagram.
>
> What do I need to configure so that PC1 can access the m0n0wall GUI at 192.168.0.1 ?
>
> Thanks

I previously suggested this to you, and the recommendation still stands:

http://doc.m0n0.ch/handbook/faq-webGUI-from-WAN.html

--
Google is your friend and Bob's your uncle.
« Reply #7 on: November 14, 2013, 09:12:38 »
mongo *
Posts: 15

> > Hi Lee!
> >
> > OK narrowed it down to bare bones, see new diagram.
> >
> > What do I need to configure so that PC1 can access the m0n0wall GUI at 192.168.0.1 ?
> >
> > Thanks
>
> I previously suggested this to you, and the recommendation still stands:
>
> http://doc.m0n0.ch/handbook/faq-webGUI-from-WAN.html

Hi Fred,

Sorry, yes you did mention this before and my apologies for not answering you directly.

Although this may work, I should have been more specific.

Although I wish PC1 to have access to the GUI I also wish PC1 to be able to access resources on 192.168.0.0.

At this present time (and since I started) PC1 is not able to PING anything connected to the 192.168.0.0 network.

Obviously I am missing something here hence the reason for this prolonged post !

Thanks

 Smiley
« Reply #8 on: November 14, 2013, 14:57:57 »
Fred Grayson *****
Posts: 994

In order to cross a m0n0wall from WAN to LAN you need Firewall Rules on the WAN interface that allow that traffic in.

--
Google is your friend and Bob's your uncle.
« Reply #9 on: November 14, 2013, 22:01:15 »
Lee Sharp *****
Posts: 517

1) Turn off NAT on "m0n0wall" router.

2) Copy default rule from LAN and apply it to the WAN. (Open all ports)

3) Add a static route to ISP modem router for 192.168.0.0/24 with a next hop of 192.168.1.254


Now once you have this setup, if it fails we can test several things using ping and traceroute to find the broken part.  (NOTE: Traceroute is tracert on Windows...)

To start troubleshooting, from PC1

ping 192.168.1.254
ping 192.168.0.1

traceroute 192.168.1.254
traceroute 192.168.0.1

From the ISP router, do the same...
« Reply #10 on: November 15, 2013, 11:08:08 »
mongo *
Posts: 15

> In order to cross a m0n0wall from WAN to LAN you need Firewall Rules on the WAN interface that allow that traffic in.

Please, what you are asking, have I not already shown that this part has been done ??

The image - firewall-rules---LAN-WAN-NAT_Outbound.gif does this not show what you have stated ??

I.e. is the WAN interface firewall rule incorrect ??

Really, please, can you answer this with either a YES or NO answer, just so you and I are not repeating ourselves.

Thanks

 Smiley

« Reply #11 on: November 15, 2013, 11:19:47 »
mongo *
Posts: 15

> 1) Turn off NAT on "m0n0wall" router.
>
> 2) Copy default rule from LAN and apply it to the WAN. (Open all ports)
>
> 3) Add a static route to ISP modem router for 192.168.0.0/24 with a next hop of 192.168.1.254
>
> Now once you have this setup, if it fails we can test several things using ping and traceroute to find the broken part.  (NOTE: Traceroute is tracert on Windows...
>
> To start troubleshooting, from PC1
>
> ping 192.168.1.254
> ping 192.168.0.1
>
> traceroute 192.168.1.254
> traceroute 192.168.0.1
>
> From the ISP router, do the same...

Hi Lee,

Again I find that the same things are being repeated, so ......

1/ Turn off NAT on "m0n0wall" router - Have I not shown that this has been done (firewall-rules---LAN-WAN-NAT_Outbound.gif bottom of image) ?? Please answer this !

2/ Copy default rule from LAN and apply it to the WAN. (Open all ports) - Again the same, it's in the same image (firewall-rules---LAN-WAN-NAT_Outbound.gif bottom of image). Please answer if this is correct !

3/ Add a static route to ISP modem router for 192.168.0.0/24 with a next hop of 192.168.1.254, again, is this not shown in image that shows static routes ??

Both Fred and yourself, I really do appreciate the time you guys are taking to assist me.

But we seem to be going round in circles, as what you are telling me to do, I am doing and then you are repeating the same things again.

I've not yet heard from either of yourselves to tell me that I have set things up correctly or incorrectly !

That would be a good start, from my understanding it seems I am doing what is asked of me, but if one of you does not TELL ME, how am I to know ??

 Huh

So if we go on the assumption that I have correctly put all things that are required in place, it is not working.

If I try to ping either 192.168.0.1 or 192.168.1.254 from PC1 I simply get a time out.

If I try to tracert from PC1 to 192.168.1.254 it just times out all 32 hops.

If I try to tracert from PC1 to 192.168.0.1 I got one response from the first hop at 192.168.1.1 then the other hops time out.

This is driving me nuts ...........

-- EDIT --

Sorry, forgot to say, the modem router does not have a GUI interface that has a tracert feature so I don't know how I can do what you requested.
« Last Edit: November 15, 2013, 11:24:11 by mongo »
« Reply #12 on: November 15, 2013, 16:08:09 »
Fred Grayson *****
Posts: 994

Your rules look OK.

--
Google is your friend and Bob's your uncle.
« Reply #13 on: November 15, 2013, 23:47:30 »
Lee Sharp *****
Posts: 517

The firewall rules are fine.

The NAT is off.  Kill the rule you created, and leave Advanced Outbound NAT enabled.  Details here.
http://doc.m0n0.ch/handbook-single/#id11630453

Kill all the static routes.  m0n0wall does not need them.  It knows both 192.168.x.x networks, and has a default gateway.  It is the ISP router that needs the static routes.  As a test, you can set the default route of PC1 to the m0n0wall router, but nothing else will find it...
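
The routing argument in this reply, as an added example that is not part of the thread: a small longest-prefix-match model of the simplified topology, showing where a packet from PC1 to 192.168.0.1 goes with and without the static route on the ISP router. PC1's address (192.168.1.10), the node names and the "upstream" next hop are assumptions; firewall rules and NAT are not modelled.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match over {prefix: next_hop}; 'direct' means on-link."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in routes.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def build(isp_has_static_route):
    """Constructed model of the simplified topology; PC1's address is assumed."""
    isp = {"192.168.1.0/24": "direct", "0.0.0.0/0": "upstream"}
    if isp_has_static_route:
        # Step 3 of the procedure: 192.168.0.0/24 via the m0n0wall WAN address
        isp["192.168.0.0/24"] = "192.168.1.254"
    return {
        "pc1":  {"addrs": {"192.168.1.10"},
                 "routes": {"192.168.1.0/24": "direct", "0.0.0.0/0": "192.168.1.1"}},
        "isp":  {"addrs": {"192.168.1.1"}, "routes": isp},
        "m0n0": {"addrs": {"192.168.1.254", "192.168.0.1"},
                 "routes": {"192.168.1.0/24": "direct", "192.168.0.0/24": "direct",
                            "0.0.0.0/0": "192.168.1.1"}},
    }

def trace(nodes, start, dst, max_hops=8):
    """Return (hops, outcome) for a packet sent from node `start` to `dst`."""
    owner = {a: name for name, n in nodes.items() for a in n["addrs"]}
    hops, node = [], start
    for _ in range(max_hops):
        if dst in nodes[node]["addrs"]:
            return hops, "delivered"
        nh = lookup(nodes[node]["routes"], dst)
        nh = dst if nh == "direct" else nh      # on-link: send straight to dst
        hops.append(nh)
        if nh not in owner:                     # handed to a device outside the model
            return hops, "left the model"
        node = owner[nh]
    return hops, "loop"

if __name__ == "__main__":
    for static in (False, True):
        for dst in ("192.168.1.254", "192.168.0.1"):
            print(f"static route={static} dst={dst}:", trace(build(static), "pc1", dst))
```

Without the static route the packet for 192.168.0.1 reaches 192.168.1.1 and then follows the ISP router's default route, which matches the single tracert hop reported earlier in the thread. In this model 192.168.1.254 is on-link for PC1, so routing alone does not account for a timeout to that address.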
« Reply #14 on: November 16, 2013, 09:14:34 »
mongo *
Posts: 15

> Your rules look OK.

Thanks!

 Smiley
 