Topic: 2 LAN's & 1 WAN  (Read 5754 times)
« on: August 07, 2007, 10:53:33 »
jets03 *
Posts: 6

I currently have a T1 line connected to my WAN port and my internal network connected to my LAN port.  The LAN has DHCP enabled, which is using the IP address range of 10.1.1.x serving about 100 clients.  With that setup everything is working just fine.  I would like to add a second LAN into this scenario.  The second LAN consists of a Windows 2003 server running its own DHCP using the IP address range of 192.168.1.x with 10 clients.  I do not want the 2 LANs to see each other but want them both to have access to the T1 through the WAN.  I played around with the setup with no success thus far.  Can anyone help me with this setup or point me in the right direction?  Thanks.
« Reply #1 on: August 07, 2007, 15:28:23 »
markb ****
Posts: 331

This should be no problem for the monowall.  The first thing that you would need to do is to add a third NIC to the monowall box, which you then assign as opt1 in the assign interfaces page.  This will then need to have an IP address in your second LAN range.  On your DHCP server Win2003 box add the opt1 interface IP address as a default gateway address.  If you are running DNS forwarder on the Monowall, which is enabled by default, you also have the option to point your DNS at the monowall.  If your W2K3 is running a local DNS server you can point this to the monowall box as a forwarder.

Moving on to the rules on the monowall.
The default rule on the LAN is to pass all traffic to everywhere.  To exclude the opt1 subnet, simply change the destination to Not opt1 subnet.

Hopefully this will get you going.

mark
« Reply #2 on: August 07, 2007, 21:07:03 »
jets03 *
Posts: 6

Thank you for the reply.  I do have an OPT1 & OPT2 port on my Monowall and have configured the OPT1 port with an IP address in the second LAN's range, but after that is where the confusion started for me.  I did play around with some of the NAT and firewall rules on the Monowall the other day with no luck.  So it looks like I was halfway there, but I didn't know which rules I needed to apply in order to get it working.  If possible, can you elaborate a little more on the exact rules I need to apply?  Thank you.
« Reply #3 on: August 08, 2007, 07:48:06 »
Visseroth *
Posts: 4

I am also trying to achieve the same thing and would also like for someone to elaborate. Here is (in text) what I am trying to achieve:


----------
| modem |
----------          ------------------ This is DMZ access that is firewalled
      |            /                          at both the firewall and server.
 -----------       ---------               Only the ports necessary are open.
| Firewall |---| Server |
 ----------        ---------
      |         /      ------------------This is Local network access only
 ---------- /
| Switch  |
 ----------
« Reply #4 on: August 08, 2007, 09:36:26 »
Visseroth *
Posts: 4

OK, I have managed to get DHCP to work and the DNS and gateway addresses are being pulled, but I'm not having any luck with internet access. I confirmed this by plugging in a machine that is fully capable of pulling addresses and connecting to the internet (I'm currently using it to type this post) but cannot access the internet on my opt NIC.

So I believe I'm missing a rule somewhere.

Basically here is what I did:

You need to enable your optional adapter and change NAT from automatic to manual. After changing to manual you need to create a new NAT rule for your opt adapter.

In this NAT rule it needs to be as such (though this could be somewhat wrong as I don't have internet access from this NIC yet):

Interface: WAN

Source: network; address is your network address for that NIC

Destination: any


Now save.

This is as far as I have gotten, which is some progress, but as I said, I still have no internet access.

I did also notice that my BCast address is 10.255.255.255... Will this work? I've personally never had any luck going that far out of the normal range; I'd expect 10.10.10.255, as my address is 10.10.10.1 for my gateway.
« Last Edit: August 08, 2007, 09:41:19 by Visseroth »
« Reply #5 on: August 09, 2007, 02:41:24 »
jets03 *
Posts: 6

I think you are right because I am still in the same situation, I have no Internet access from the OPT1 port and I believe it is just a rule somewhere that I am missing.  And I would think that the 10.255.255.255 may be coming from whatever subnet you have setup.  If you have 255.255.255.0 setup then this address should not be possible, but if you have 255.0.0.0 for your subnet then this address would be in the range.
« Reply #6 on: August 09, 2007, 06:49:47 »
Visseroth *
Posts: 4

Yea, I don't know how it did it, but I had the 10.255.255.255 subnet while serving 10.10.10.0 addresses. I think it was an automatic rule that was created in the DHCP table because later I tried to adjust the DHCP table and it would let me, saying, "This IP scheme is out of range".

It did however tell me that I could use anything between 255.255.255.0 and 255.255.255.255, but when I tried to use any 192.x.x.x addresses it wouldn't accept it, thereby breaking my DHCP server on that NIC.

So, meanwhile I have deleted the NAT rule and disabled the NIC as an attempt to start over but still no luck! Can't even get DHCP to work at this point.

So now I am going to play with it some more, but I'm also going to refer a linux friend over to this post and ask for assistance and get in some IRC rooms and see what I can come up with.

I'll continue to post my findings and hopefully we'll get this solved and have this post available for other newbs like us (LOL).
« Reply #7 on: August 09, 2007, 12:59:16 »
markb ****
Posts: 331

What you are trying to do should be simple.  You do not need to touch NAT. It is all done in the rules.

At first glance the rules can seem slightly confusing, but it all makes sense when you get to grips with it.  The main thing to remember about the rules is that they are applied in order: the router looks at them in turn and if the packet matches a rule it will follow it.  I.e. if you have a block all rule at the top and a pass http below it, the http will not get passed as it will already have been blocked by the previous rule.  This is what is called "Stateful Packet Inspection" that you see on the box of some purchased firewalls.  It simply means it looks at all traffic on all interfaces and compares it to the list of rules.

Let's have a look at how we set up a rule.  When we go to the rules page, you will see tabs for each interface and you can see what rules are already in place.
When we add a rule we have a list of choices.
Action: Choose if the rule will block traffic or pass traffic.
Disabled: You can choose to disable the rule without removing it. Useful when diagnosing problems.
Interface: Here you need to choose which interface the rule will be on.  If you are routing traffic from the LAN interface select that, if from the opt1 interface select this.  Remember it is the interface that the packet comes in on, not where it is going.
Protocol: Choose your protocol. This enables fine control for different types of traffic e.g. http is TCP port 80, dns is UDP port 123
Source: Here you select where the packet originates from.
Source Port Range: Just what is says. In most cases you can leave this to any, as we are mostly interested in the destination.
Destination: Where is the packet going.
Destination Port Range: E.g. port 80 for http, 23 for ftp etc.
Fragments: never had to turn it on.
Log: Most useful if using a syslog server, or for diagnostics.

Right, now for the application.
In your scenario, your LAN has an IP range of 10.1.1.x netmask 255.255.255.0, also written as 10.1.1.0/24.
Your second LAN has an IP range of 192.168.1.x netmask 255.255.255.0, also written as 192.168.1.0/24.
By default your LAN will only have one rule.
Action: Pass
Interface: LAN
Protocol: Any
Source: LAN Subnet
Source Port Range: Any
Destination: Any
Destination Port Range: Any

When you add the opt1 interface it will not have any rules.
Assuming that your DHCP is giving the opt1 interface ip address as the default gateway, start by adding the following rule to the opt1 interface
Action: Pass
Interface: Opt1
Protocol: Any
Source: opt1 Subnet
Source Port Range: Any
Destination: Any
Destination Port Range: Any

Test this now.  It will allow all traffic out of the opt1 subnet.  If it doesn't, you have not set something else up correctly or you have changed other settings in the monowall.

As you do not want the subnets to talk to each other, you will have to add the following rules.
Action: Block
Interface: LAN
Protocol: Any
Source: LAN Subnet
Source Port Range: Any
Destination: Opt1 Subnet
Destination Port Range: Any

Action: Block
Interface: Opt1
Protocol: Any
Source: Opt1 Subnet
Source Port Range: Any
Destination: LAN Subnet
Destination Port Range: Any

These rules need to be above the pass all traffic rules otherwise packets will hit the pass all and never get to the block rule.

Hope this helps.

Mark.
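To make the ordering point in Reply #7 concrete, here is an added Python simulation of first-match rule evaluation (written for this thread, not m0n0wall's own code) over the two rule layouts from Reply #7 and the "Not opt1 subnet" variant from Reply #1. The interface names "lan"/"opt1", the Rule class and the Internet host 203.0.113.10 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subnets from the thread (LAN and the opt1 segment)
LAN_SUBNET = ipaddress.ip_network("10.1.1.0/24")
OPT1_SUBNET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class Rule:
    action: str                                          # "pass" or "block"
    interface: str                                       # interface the packet arrives on
    source: Optional[ipaddress.IPv4Network] = None       # None = any
    destination: Optional[ipaddress.IPv4Network] = None  # None = any
    negate_dest: bool = False                            # "Not <subnet>" destination


def first_match(rules, interface, src, dst):
    """Walk the rule list top to bottom; the first matching rule decides.
    A packet that matches nothing is blocked (the firewall's implicit default)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.interface != interface:
            continue                      # rules only apply to their own interface
        if rule.source is not None and src not in rule.source:
            continue
        dst_hit = rule.destination is None or dst in rule.destination
        if dst_hit == rule.negate_dest:   # negate_dest flips the destination test
            continue
        return rule.action
    return "block"


# Reply #7's layout: the two block rules sit above the pass-all rules
CORRECT_ORDER = [
    Rule("block", "lan", LAN_SUBNET, OPT1_SUBNET),
    Rule("block", "opt1", OPT1_SUBNET, LAN_SUBNET),
    Rule("pass", "lan", LAN_SUBNET),
    Rule("pass", "opt1", OPT1_SUBNET),
]
# Same four rules with the blocks below the pass-all rules: the blocks never fire
WRONG_ORDER = CORRECT_ORDER[2:] + CORRECT_ORDER[:2]
# Reply #1's alternative: one pass rule per interface, destination "Not <other subnet>"
NEGATED = [
    Rule("pass", "lan", LAN_SUBNET, OPT1_SUBNET, negate_dest=True),
    Rule("pass", "opt1", OPT1_SUBNET, LAN_SUBNET, negate_dest=True),
]
```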
« Reply #8 on: August 09, 2007, 21:41:01 »
jets03 *
Posts: 6

Thank you very much, that helps a lot.  I was definitely making it a lot harder than it had to be.  Thanks again for your help.
« Reply #9 on: August 09, 2007, 23:14:17 »
Visseroth *
Posts: 4

Ahh yes, I agree, thank you very much. I guess that I ass-um-e-d that because of a post that was made on how to enable load balancing that I needed to use NAT to get the device to communicate with the rest of the world.

Anyhow, I made the appropriate adjustments but have not yet tested them, but will test them in a couple hours. So thank you for the reply and help.