Topic: pings not working from MPLS connection  (Read 2715 times)
« on: November 19, 2013, 23:36:30 »
arell12 *
Posts: 11

Hello, we have an m0n0wall firewall that is using its 3 interfaces.
sis0 - LAN - 172.16.88.22 / 22
sis1 - WAN - Public IP address
sis2 - WiFi Network - 10.60.2.254 / 24

Now from the LAN I can ping a host inside the WiFi net 10.60.2.1 which is good.

We also have a Cisco router at the site, which has the following IP addresses:
LAN - 172.16.88.21 / 22
MPLS - 172.17.1.90 / 30

I cannot ping from the MPLS interface to the WiFi network and I do have a static route on the router 10.60.2.0 255.255.255.0 172.16.88.22. Also I can ping a host on the WiFi from the router using interface 172.16.88.21.

When I look at the last 50 filter log entries I see that the ICMP traffic is being blocked from 172.17.1.90 by rule @0:12. Looking at ipfstat -nio for the rules, I am not sure exactly which rule this is, but I have 2 @12 rules:
@12 pass out quick on sis2 proto ah from 10.60.2.254/32 to any - It's probably not this rule that is blocking.
@12 block in log quick on sis0 from any to any - I think that it is this rule that is blocking.
I have a LAN rule allowing any protocol from network 172.0.0.0 / 8 any port to WiFi net any port which is lower in the list of ipfstat -nio.

So the question is how do I go about allowing traffic from another network to the WiFi network? Ultimately I want to allow traffic from 172.16.4.0 / 22 to the WiFi network to collect SNMP and access hosts using SSH.
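How IPFilter decides which rule "wins", shown as an added example that is not part of the original post and is not m0n0wall's own ruleset. It models only the ordering semantics of ipfilter rules (top to bottom, a matching rule marked `quick` decides immediately, otherwise the last matching rule decides) and ignores m0n0wall's rule groups and state table. The two `@12` rules and the `LAN` log lines are taken from the thread; the LAN pass rule written in ipfilter syntax (`pass in quick on sis0 from 172.0.0.0/8 to 10.60.2.0/24`), its position in the list, and the `LAN = sis0` interface mapping are assumptions drawn from what the post describes. The `@0:12` in the log is group 0, rule 12.

```python
# Added example (not from the thread): a minimal model of IPFilter rule
# evaluation, fed with the two @12 rules and the log lines quoted in the post.
# It ignores m0n0wall's rule groups and keep-state, so it only illustrates the
# ordering semantics, not the exact ruleset m0n0wall generates.
import ipaddress
import re
from dataclasses import dataclass

# Interface names as given in the post: sis0 = LAN, sis1 = WAN, sis2 = WiFi.
IFACES = {"LAN": "sis0", "WAN": "sis1", "WiFi": "sis2"}


@dataclass(frozen=True)
class Packet:
    iface: str      # physical interface name, e.g. "sis0"
    direction: str  # "in" or "out"
    proto: str      # lower-case protocol name, e.g. "icmp"
    src: str
    dst: str


# Subset of ipfilter rule syntax that covers the rules quoted in the thread.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?:\s+log)?(?P<quick>\s+quick)?"
    r"\s+on\s+(?P<iface>\S+)(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)$"
)

# m0n0wall filter-log layout as it appears in the thread, e.g.
# "21:54:21.998475 LAN 172.17.1.90 10.60.2.1, type echo/0 ICMP"
LOG_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<if>\S+)\s+(?P<src>[\d.]+)(?:, port \d+)?"
    r"\s+(?P<dst>[\d.]+)(?:, port \d+)?(?:, type \S+)?\s+(?P<proto>\S+)$"
)


def _net(spec):
    return None if spec == "any" else ipaddress.ip_network(spec)


def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {text!r}")
    f = m.groupdict()
    return {"action": f["action"], "dir": f["dir"], "quick": f["quick"] is not None,
            "iface": f["iface"], "proto": f["proto"],
            "src": _net(f["src"]), "dst": _net(f["dst"]), "text": text.strip()}


def packet_from_log(line):
    """Turn one filter-log line into a Packet. The log names the interface the
    packet arrived on, so the direction is 'in'."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    f = m.groupdict()
    return Packet(IFACES[f["if"]], "in", f["proto"].lower(), f["src"], f["dst"])


def matches(rule, pkt):
    if rule["dir"] != pkt.direction or rule["iface"] != pkt.iface:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt.proto:
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt.src) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt.dst) not in rule["dst"]:
        return False
    return True


def evaluate(rules, pkt):
    """IPFilter semantics: walk the list top to bottom. A matching rule marked
    'quick' decides at once; otherwise the LAST matching rule decides.
    Returns (action, index of deciding rule). IPFilter's default when nothing
    matches is pass, returned here as ("pass", None)."""
    decision = ("pass", None)
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            decision = (rule["action"], i)
            if rule["quick"]:
                break
    return decision


# The two @12 rules quoted from ipfstat -nio, followed by the poster's LAN rule
# rendered in ipfilter syntax (assumed: the post gives it in GUI terms and only
# says it sits lower in the list).
RULES_AS_POSTED = [parse_rule(r) for r in (
    "pass out quick on sis2 proto ah from 10.60.2.254/32 to any",
    "block in log quick on sis0 from any to any",
    "pass in quick on sis0 from 172.0.0.0/8 to 10.60.2.0/24",
)]
# Same rules, LAN pass rule moved above the quick block.
RULES_PASS_FIRST = [RULES_AS_POSTED[0], RULES_AS_POSTED[2], RULES_AS_POSTED[1]]
# Same order as posted, but the block rule without 'quick' (last match wins).
RULES_BLOCK_NOT_QUICK = [RULES_AS_POSTED[0],
                         parse_rule("block in log on sis0 from any to any"),
                         RULES_AS_POSTED[2]]

# Log lines copied from the thread (the failed ping and the traceroute probe).
LOG_LINES = [
    "21:54:21.998475 LAN 172.17.1.90 10.60.2.1, type echo/0 ICMP",
    "21:55:09.889070 LAN 172.17.1.90, port 49233 10.60.2.1, port 33434 UDP",
]


def decide(rules, line):
    """Evaluate one log line against a rule list; returns (action, rule index)."""
    return evaluate(rules, packet_from_log(line))


if __name__ == "__main__":
    for name, rules in (("as posted", RULES_AS_POSTED),
                        ("pass first", RULES_PASS_FIRST),
                        ("block not quick", RULES_BLOCK_NOT_QUICK)):
        for line in LOG_LINES:
            action, idx = decide(rules, line)
            print(f"{name:16} {packet_from_log(line).proto:5} -> {action} by rule #{idx}")
```

With the rules in the order the post describes, both logged packets stop at the `block in log quick on sis0` rule (index 1) and the pass rule below it is never consulted; the same pass rule placed above the quick block, or a block rule without `quick`, lets the packet through. When reading `ipfstat -nio`, it is the position of the `quick` rule relative to your pass rule that matters, not which one is more specific.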
« Reply #1 on: November 20, 2013, 05:23:59 »
Lee Sharp *****
Posts: 517

Please post some traceroutes to show where things are hanging.  And make sure you are not blocking private IP addresses.

And you will need static routes in both routers. The WiFi net in the MPLS router, and the MPLS network in m0n0wall.
« Reply #2 on: November 20, 2013, 06:04:06 »
arell12 *
Posts: 11

Where do I unblock Private IP addresses? I only see that option on the WAN interface of the m0n0wall firewall.

Here are some snippets from the router in that office:

cisco#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.88.21    YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Serial0/3/0                172.17.1.90     YES NVRAM  up                    up

cisco#ping 10.60.2.1 source fa0/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.60.2.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.88.21
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

cisco#traceroute 10.60.2.1 source fa0/0

Type escape sequence to abort.
Tracing the route to 10.60.2.1

  1 172.16.88.22 4 msec 0 msec 0 msec
  2 10.60.2.1 4 msec *  0 msec

cisco#ping 10.60.2.1 source s0/3/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.60.2.1, timeout is 2 seconds:
Packet sent with a source address of 172.17.1.90
....
Success rate is 0 percent (0/4)

cisco#traceroute 10.60.2.1 source s0/3/0

Type escape sequence to abort.
Tracing the route to 10.60.2.1

  1  *  *  *
  2  *  *  *
  3  *  *

And here are the logs from the firewall:

failed ping attempts:
  21:54:21.998475 LAN 172.17.1.90 10.60.2.1, type echo/0 ICMP
failed traceroute, I assume:
 21:55:09.889070 LAN 172.17.1.90, port 49233 10.60.2.1, port 33434 UDP

I have added a static route to the WiFi interface to route 172.16.4.0 /22 through 172.16.88.21 (Cisco router) and this still doesn't work. I know that I am not pinging from that network in the above failed attempts, but I left it for simplicity and I get the same failed results from the 172.16.4.0 network. The traffic is definitely getting blocked on the firewall.
« Reply #3 on: November 20, 2013, 15:51:34 »
Lee Sharp *****
Posts: 517

Did you add a static route to m0n0wall telling it how to get to the 172.17.1.x network?  Since it works on the fe0 link, the cisco has the route, but it looks like m0n0wall can not find the way back.
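The point in the two replies above about needing routes in both directions, worked through as an added example that is not part of the thread: longest-prefix-match lookups over the two routing tables the posts describe, tracing the forward path from the Cisco to the WiFi host and the return path from m0n0wall back to the MPLS address. The connected networks, the Cisco's `10.60.2.0/24 -> 172.16.88.22` static route, and the two m0n0wall LAN/WiFi interfaces come from the posts; the Cisco's route for 172.16.4.0/22 out the MPLS link, the `mpls-provider` and `wan-gateway` next-hop labels, and the two m0n0wall static routes added in `TABLES_AFTER` are assumptions standing in for values the thread does not show.

```python
# Added example (not from the thread): longest-prefix-match lookups over the two
# routing tables the thread describes, to show why the reply path needs a static
# route on m0n0wall as well as the forward route on the Cisco.
import ipaddress


def connected(addr_with_mask, iface):
    """Route for a directly attached network, derived from an interface address."""
    net = ipaddress.ip_network(addr_with_mask, strict=False)
    return (net, None, iface)          # next_hop None = deliver directly


def static(prefix, next_hop, iface):
    return (ipaddress.ip_network(prefix), next_hop, iface)


# Cisco: fa0/0 172.16.88.21 on the /22 LAN, s0/3/0 172.17.1.90/30 on the MPLS
# link, static 10.60.2.0/24 -> 172.16.88.22 (all from the posts). The route for
# 172.16.4.0/22 towards the MPLS cloud is ASSUMED; the provider's next hop is
# never shown in the thread, so it is a placeholder label.
CISCO = [
    connected("172.16.88.21/22", "FastEthernet0/0"),
    connected("172.17.1.90/30", "Serial0/3/0"),
    static("10.60.2.0/24", "172.16.88.22", "FastEthernet0/0"),
    static("172.16.4.0/22", "mpls-provider", "Serial0/3/0"),   # assumed
]

# m0n0wall: sis0 LAN, sis2 WiFi, default route out the WAN (sis1). The public
# gateway address is not in the posts, so it is a placeholder label here.
M0N0WALL = [
    connected("172.16.88.22/22", "sis0"),
    connected("10.60.2.254/24", "sis2"),
    static("0.0.0.0/0", "wan-gateway", "sis1"),
]

# Which modelled router owns which next-hop address (from the posts).
OWNER = {"172.16.88.21": "cisco", "172.16.88.22": "m0n0wall"}

TABLES_BEFORE = {"cisco": CISCO, "m0n0wall": M0N0WALL}
# ASSUMED routes of the kind the replies ask for: the MPLS link and the remote
# 172.16.4.0/22 LAN, both reachable via the Cisco on sis0.
TABLES_AFTER = {
    "cisco": CISCO,
    "m0n0wall": M0N0WALL + [
        static("172.17.1.88/30", "172.16.88.21", "sis0"),
        static("172.16.4.0/22", "172.16.88.21", "sis0"),
    ],
}


def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop, iface) or None."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in table if ip in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen) if candidates else None


def trace(router, dst, tables):
    """Follow the routing decision hop by hop starting at `router`.
    Each hop is (router, iface, next_hop). The final entry says how it ended:
    'connected' (delivered on iface), 'outside' (left to a box we do not
    model), 'no route', or 'loop'."""
    hops = []
    for _ in range(8):                              # guard against loops
        route = lookup(tables[router], dst)
        if route is None:
            hops.append((router, None, "no route"))
            return hops
        _net, next_hop, iface = route
        if next_hop is None:
            hops.append((router, iface, "connected"))
            return hops
        hops.append((router, iface, next_hop))
        nxt = OWNER.get(next_hop)
        if nxt is None:
            hops.append((next_hop, None, "outside"))
            return hops
        router = nxt
    hops.append((router, None, "loop"))
    return hops


if __name__ == "__main__":
    for label, tables in (("before", TABLES_BEFORE), ("after", TABLES_AFTER)):
        print(f"[{label}] cisco -> 10.60.2.1:", trace("cisco", "10.60.2.1", tables))
        print(f"[{label}] m0n0wall -> 172.17.1.90:", trace("m0n0wall", "172.17.1.90", tables))
        print(f"[{label}] m0n0wall -> 172.16.4.10:", trace("m0n0wall", "172.16.4.10", tables))
```

The forward path works in both tables because the Cisco already has the `10.60.2.0/24` route. Without a route for `172.17.1.88/30` on m0n0wall, the reply to 172.17.1.90 falls through to the default route and leaves on sis1 (WAN), so the ping from the MPLS interface gets no answer even if the inbound packet had been accepted; once the static route via 172.16.88.21 exists, the reply goes back to the Cisco on sis0.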
« Reply #4 on: November 20, 2013, 17:45:56 »
arell12 *
Posts: 11

I have added that static route to the WAN interface on the firewall and I am still unable to ping through. I do not think that this is having a problem getting back; I don't think that it's getting there because it's being blocked by the firewall for some reason.

Here are the firewall logs:

  Time                      If      Source            Destination                    Proto
  09:37:01.508195 | LAN | 172.17.1.90 | 10.60.2.1, type echo/0  | ICMP

It's not getting through the firewall. I have a LAN firewall rule:
Pass | Any Protocol | Source 172.0.0.0/8 | Port Any | Dest 10.60.2.0/24 | Port Any

This should be allowing the traffic through from anything starting with 172. but it doesn't seem to be working.
« Reply #5 on: November 22, 2013, 17:17:20 »
Lee Sharp *****
Posts: 517

For testing go with wide open any to any firewall rules.  You can lock it down later.

As for the rest, can you install Wireshark on a desktop in each network?  I am now wanting to see where exactly the packets are breaking down...