I have a m0n0wall firewall between a static IP and LAN 192.168.0.0/24, which is our normal network feed and the gateway for our network. On 192.168.200.2 I have our mail/web/squid proxy server. The server has two additional interfaces, labelled as zones net and ctv, which I use for routing the proxy web traffic and to serve a webcam, keeping traffic off the main feed.

I presumed that traffic through the m0n0wall firewall forwarded to the server would have the source IP rewritten so that it would route back to the firewall and back to the source. However, incoming traffic routed to the server does not return that way, invalidating all of my design work and requiring that I move the static feed to another interface on the server. As I have VPNs set up on the m0n0wall VPN, I would rather not have to do this; it took me long enough to get them configured.

Is there a solution?

Chris

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
On Wednesday 15 February 2006 18:31, Chris Mason wrote:

> Is there a solution?

Chris -- I think you wanted to post this to the Monowall list, not the Shorewall list. If you really wanted to post to the Shorewall list, please use the word "Shorewall" at least once in your post so we know that you are actually conscious...

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 15 February 2006 18:44, Tom Eastep wrote:

> On Wednesday 15 February 2006 18:31, Chris Mason wrote:
>> Is there a solution?
>
> Chris -- I think you wanted to post this to the Monowall list, not the Shorewall list. If you really wanted to post to the Shorewall list, please use the word "Shorewall" at least once in your post so we know that you are actually conscious...

My apologies, Chris -- that was rude. Good to hear from you again and I hope that Monowall is working well for you.

-Tom
Tom Eastep wrote:

> On Wednesday 15 February 2006 18:31, Chris Mason wrote:
>> Is there a solution?
>
> Chris -- I think you wanted to post this to the Monowall list, not the Shorewall list. If you really wanted to post to the Shorewall list, please use the word "Shorewall" at least once in your post so we know that you are actually conscious...
>
> -Tom

Oh, sorry Tom, but I didn't see this as a m0n0wall issue per se; I just mentioned it for clarity. I am looking for something in Shorewall that would tell it to route those packets back to that gateway, or any wisdom from the esteemed members of the list from whom I have had so much great advice. I'll make sure to mention Shorewall more though... it's the most incredible software and I have been using it successfully for years.

Chris
On Wednesday 15 February 2006 19:21, Chris Mason wrote:

> Oh, sorry Tom, but I didn't see this as a m0n0wall issue per se; I just mentioned it for clarity. I am looking for something in Shorewall that would tell it to route those packets back to that gateway, or any wisdom from the esteemed members of the list from whom I have had so much great advice. I'll make sure to mention Shorewall more though... it's the most incredible software and I have been using it successfully for years.

Chris, I haven't slept for two days. I am going to have to pass right now and I'll re-read your post when I have more (some) energy.

Hope you understand,
-Tom
Tom Eastep wrote:

> I haven't slept for two days. I am going to have to pass right now and I'll re-read your post when I have more (some) energy.
>
> Hope you understand,
> -Tom

I never thought you would wimp out like this, Tom. Why, back in my day, two days was only one day, and we were lucky to sleep at all....
On Wednesday 15 February 2006 19:39, Chris Mason wrote:

> Tom Eastep wrote:
>> I haven't slept for two days. I am going to have to pass right now and I'll re-read your post when I have more (some) energy.
>>
>> Hope you understand,
>> -Tom
>
> I never thought you would wimp out like this, Tom. Why, back in my day, two days was only one day, and we were lucky to sleep at all....

I know, Chris -- I turned 60 and all of the wind went out of my sails.

-Tom
Chris Mason wrote:

> Tom Eastep wrote:
>> On Wednesday 15 February 2006 18:31, Chris Mason wrote:
>>> Is there a solution?

Maybe, but we need a bit more detail of the whole layout of your network. I don't want to lead you the wrong way.

<snip>

> Oh, sorry Tom, but I didn't see this as a m0n0wall issue per se; I just mentioned it for clarity. I am looking for something in Shorewall that would tell it to route those packets back to that gateway, or any wisdom from the esteemed members of the list from whom I have had so much great advice. I'll make sure to mention Shorewall more though... it's the most incredible software and I have been using it successfully for years.

Just to see if I'm on the right track: the Shorewall box is using the m0n0 box as the default gateway? Just need to clarify, you use "that gateway"; not sure if there is more than one gateway on your network. You're having issues with traffic to/from a remote LAN that is reachable through a VPN on the m0n0 box? Or this it all traffic that arrives through the m0n0 box.

Jerry
> Or this it all traffic that arrives through the m0n0 box.

Make that: Or is it all traffic that arrives through the m0n0 box.

Jerry
Chris Mason wrote:

> Tom Eastep wrote:
>>> I haven't slept for two days. I am going to have to pass right now and I'll re-read your post when I have more (some) energy.
>>>
>>> Hope you understand,
>>> -Tom
>
> I never thought you would wimp out like this, Tom. Why, back in my day, two days was only one day, and we were lucky to sleep at all....

And you had to lick the floor clean with your tongue, right? ;-)

Paul
> Just to see if I'm on the right track: the Shorewall box is using the m0n0 box as the default gateway? Just need to clarify, you use "that gateway"; not sure if there is more than one gateway on your network. You're having issues with traffic to/from a remote LAN that is reachable through a VPN on the m0n0 box? Or this it all traffic that arrives through the m0n0 box.

Nothing to do with VPN; that's the one thing that does work, because traffic from VPN users appears to come from the m0n0 unit.

The m0n0 box is 192.168.0.1 - default gateway and main internet feed - fixed guaranteed bandwidth, static IP leased line (expensive).
DHCP says router=192.168.0.1

Main server = 192.168.0.2
Main server has three interfaces:
eth0=192.168.0.2
eth1=adsl via dhcp
eth2=catv via dhcp
GATEWAYDEV=eth1, so all traffic from the main server reaches the internet through eth1.

The main server runs a squid proxy, so all browsing traffic on the LAN is directed to 192.168.0.2 and goes out eth1 to the internet, keeping it off the m0n0 box and the main internet feed.

The main problem I have is that traffic to the m0n0 box such as SMTP is forwarded to the main server, i.e.
WAN:25 => 192.168.0.2:25
routes out eth1 and so doesn't work.

Is there any way to do this? If not, I will shut down the m0n0 box and move the main server to 192.168.0.1, add another NIC and handle the main feed on that machine. However, this means a lot of network changes.

--
Chris Mason
NetConcepts
(264) 497-5670  Fax: (264) 497-8463
Int: (305) 704-7249  Fax: (815) 301-9759
UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com
Chris Mason (Lists) wrote:

>> Just to see if I'm on the right track: the Shorewall box is using the m0n0 box as the default gateway? Just need to clarify, you use "that gateway"; not sure if there is more than one gateway on your network. You're having issues with traffic to/from a remote LAN that is reachable through a VPN on the m0n0 box? Or this it all traffic that arrives through the m0n0 box.
>
> Nothing to do with VPN; that's the one thing that does work, because traffic from VPN users appears to come from the m0n0 unit.
>
> The m0n0 box is 192.168.0.1 - default gateway and main internet feed - fixed guaranteed bandwidth, static IP leased line (expensive).
> DHCP says router=192.168.0.1
>
> Main server = 192.168.0.2
> Main server has three interfaces:
> eth0=192.168.0.2
> eth1=adsl via dhcp
> eth2=catv via dhcp
> GATEWAYDEV=eth1, so all traffic from the main server reaches the internet through eth1.
>
> The main server runs a squid proxy, so all browsing traffic on the LAN is directed to 192.168.0.2 and goes out eth1 to the internet, keeping it off the m0n0 box and the main internet feed.
>
> The main problem I have is that traffic to the m0n0 box such as SMTP is forwarded to the main server, i.e.
> WAN:25 => 192.168.0.2:25
> routes out eth1 and so doesn't work.
>
> Is there any way to do this? If not, I will shut down the m0n0 box and move the main server to 192.168.0.1, add another NIC and handle the main feed on that machine. However, this means a lot of network changes.

You need to have the m0n0 box be like an ISP to the Shorewall box: add a third entry to the providers file.

Jerry
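Jerry's "third provider" suggestion, spelled out with iproute2 and iptables as an added example that is not from the thread or from Shorewall itself: it is roughly the policy routing a Shorewall providers entry for eth0 with gateway 192.168.0.1 and the track option sets up, so that replies to connections forwarded by the m0n0 box leave via eth0 instead of following GATEWAYDEV=eth1. The addresses and interface names come from Chris's layout; the table number 3, mark 3 and rule priority 1000 are assumptions chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): the policy routing behind a Shorewall
# "provider" for the m0n0wall feed, written out with ip/iptables.
# Layout from the thread: main server eth0=192.168.0.2 on 192.168.0.0/24,
# m0n0wall=192.168.0.1, GATEWAYDEV=eth1 (the ADSL link). Table number, mark
# and rule priority are assumptions. Commands are only printed unless APPLY=1
# (applying needs root).

APPLY=${APPLY:-0}

run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# provider_setup TABLE MARK IFACE GATEWAY SUBNET
# A new connection arriving on IFACE is marked with MARK and the mark is
# stored in conntrack; every later packet of that connection, replies
# included, gets the mark restored and is routed by TABLE, whose default
# route points back at GATEWAY. So WAN:25 => 192.168.0.2:25 forwarded by
# m0n0wall is answered via eth0 to 192.168.0.1, not via eth1.
provider_setup() {
    table=$1 mark=$2 iface=$3 gw=$4 subnet=$5
    # Routing table: the local subnet (so LAN clients, which also arrive on
    # IFACE and get marked, are still answered directly) plus the default
    # route via the m0n0wall box.
    run ip route add "$subnet" dev "$iface" table "$table"
    run ip route add default via "$gw" dev "$iface" table "$table"
    run ip rule add fwmark "$mark" table "$table" priority 1000
    # Restore a stored mark first: forwarded packets in PREROUTING, locally
    # generated replies (the server's own SMTP answers) in OUTPUT.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    # Unmarked NEW connections coming in on IFACE: mark them and remember it.
    run iptables -t mangle -A PREROUTING -i "$iface" -m conntrack --ctstate NEW \
        -m mark --mark 0 -j MARK --set-mark "$mark"
    run iptables -t mangle -A PREROUTING -i "$iface" -m conntrack --ctstate NEW \
        -m mark --mark "$mark" -j CONNMARK --save-mark
}

# Print (or, with APPLY=1, apply) the rules for the thread's layout.
provider_setup 3 3 eth0 192.168.0.1 192.168.0.0/24
```

Locally generated traffic that is not a reply to a tracked connection, such as the squid proxy's outbound requests, carries no mark and still follows the main table out eth1.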
> You need to have the m0n0 box be like an ISP to the Shorewall box: add a third entry to the providers file.

Excellent tip. I will read up on that approach.

--
Chris Mason
NetConcepts