What you are trying to do should be simple. You do not need to touch NAT. It is all done in the rules.
At first glance the rules can seem slightly confusing, but it all makes sense when you get to grips with it. The main thing to remember about the rules is that they are applied in order: the router looks at them in turn and if the packet matches a rule it will follow it. I.e. if you have a block-all rule at the top and a pass-http rule below it, the http will not get passed, as it will already have been blocked by the previous rule. This is what is called "Stateful Packet Inspection" that you see on the box of some purchased firewalls. It simply means it looks at all traffic on all interfaces and compares it to the list of rules.
Let's have a look at how we set up a rule. When we go to the rules page, you will see tabs for each interface and you can see what rules are already in place. When we add a rule we have a list of choices.
Action: Choose if the rule will block traffic or pass traffic.
Disabled: You can choose to disable the rule without removing it. Useful when diagnosing problems.
Interface: Here you need to choose which interface the rule will be on. If you are routing traffic from the LAN interface select that; if from the opt1 interface select this. Remember it is the interface that the packet comes in on, not where it is going.
Protocol: Choose your protocol. This enables fine control for different types of traffic, e.g. http is TCP port 80, dns is UDP port 123.
Source: Here you select where the packet originates from.
Source Port Range: Just what it says. In most cases you can leave this at any, as we are mostly interested in the destination.
Destination: Where the packet is going.
Destination Port Range: E.g. port 80 for http, 23 for ftp, etc.
Fragments: Never had to turn it on.
Log: Most useful if using a syslog server, or for diagnostics.
Right, now for the application. In your scenario, your LAN has an IP range of 10.1.1.x, netmask 255.255.255.0, also written as 10.1.1.0/24. Your second LAN has an IP range of 192.168.1.x, netmask 255.255.255.0, also written as 192.168.1.0/24. By default your LAN will only have one rule:
Action: Pass
Interface: LAN
Protocol: Any
Source: LAN Subnet
Source Port Range: Any
Destination: Any
Destination Port Range: Any
When you add the Opt1 interface it will not have any rules. Assuming that your DHCP is giving the Opt1 interface IP address as the default gateway, start by adding the following rule to the Opt1 interface:
Action: Pass
Interface: Opt1
Protocol: Any
Source: Opt1 Subnet
Source Port Range: Any
Destination: Any
Destination Port Range: Any
Test this now. It will allow all traffic out of the Opt1 subnet. If it doesn't, you have not set something else up correctly or you have changed other settings in the monowall.
As you do not want the subnets to talk to each other, you will have to add the following rules.
Action: Block
Interface: LAN
Protocol: Any
Source: LAN Subnet
Source Port Range: Any
Destination: Opt1 Subnet
Destination Port Range: Any

Action: Block
Interface: Opt1
Protocol: Any
Source: Opt1 Subnet
Source Port Range: Any
Destination: LAN Subnet
Destination Port Range: Any
These rules need to be above the pass-all-traffic rules, otherwise packets will hit the pass-all rule and never reach the block rule.
Hope this helps.
Mark.
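The ordering point made in the post above (the block rules must sit above the pass-all rules because rules are matched top-down and the first match wins) worked through as a small first-match simulator. This is an added example, not code from the post or from m0n0wall; the subnets are the ones from the scenario, the rule fields mirror the ones described, and "no rule matched means block" is an assumption made here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subnets from the scenario in the post (constructed test values).
LAN = ipaddress.ip_network("10.1.1.0/24")
OPT1 = ipaddress.ip_network("192.168.1.0/24")

@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    interface: str                    # interface the packet ARRIVES on
    proto: str                        # "any", "tcp" or "udp"
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    dst: Optional[ipaddress.IPv4Network]   # None means "any"
    dport: Optional[int] = None            # None means "any"

@dataclass(frozen=True)
class Packet:
    interface: str
    proto: str
    src: str
    dst: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.interface == pkt.interface
            and rule.proto in ("any", pkt.proto)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(rules, pkt: Packet) -> str:
    """Walk the list in order; the first matching rule decides.
    No match falls through to "block" (assumed implicit default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"

BLOCK_LAN_TO_OPT1 = Rule("block", "lan", "any", LAN, OPT1)
PASS_LAN_ANY = Rule("pass", "lan", "any", LAN, None)

# Constructed packets: one LAN host talking to Opt1, one to the Internet.
LAN_TO_OPT1 = Packet("lan", "tcp", "10.1.1.20", "192.168.1.5", 80)
LAN_TO_INTERNET = Packet("lan", "tcp", "10.1.1.20", "203.0.113.9", 80)

def ordering_demo() -> dict:
    correct = [BLOCK_LAN_TO_OPT1, PASS_LAN_ANY]   # block above pass-all
    wrong = [PASS_LAN_ANY, BLOCK_LAN_TO_OPT1]     # block below pass-all (never reached)
    return {
        "block_above_pass": (evaluate(correct, LAN_TO_OPT1), evaluate(correct, LAN_TO_INTERNET)),
        "block_below_pass": (evaluate(wrong, LAN_TO_OPT1), evaluate(wrong, LAN_TO_INTERNET)),
    }
```

With the block rule above the pass-all rule the Opt1-bound packet is blocked and Internet traffic still passes; with it below, the pass-all rule catches everything first and the block rule is dead.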