maerliprinz

M0n0wall blocks WAN to LAN traffic

Hello Community

My setup: m0n0wall on x86 with 4 NICs

fxp0 - OPT1 / OFF
fxp1 - WAN / 192.168.0.xxx/24 (DHCP from ISP, ISP = Fortigate FW)
fxp2 - OPT2 / OFF
fxp3 - LAN / 10.1.1.1/24

WAN Config:
IP: 192.168.0.25
GW: 192.168.0.1
DNS: 192.168.0.10 (DNS Server)

Client Config:
IP:10.1.1.101
GW, DHCP, DNS: 10.1.1.1

What I can do from the client:
Ping: 10.1.1.1, 192.168.0.1, 192.168.0.10, 208.67.222.222, google.com (is resolved to 173.194.35.9)
Windows 7 shows Client - Network - Internet Connection as good and working.

What I can't:
Open any Internet site, resolve any public DNS name in browsers (IE, Firefox)

What I did:
Created a rule to open any incoming traffic from the WAN interface (Protocol: *, Source: WAN address, Port: *, Destination: *, Port: *)
Left the default rule "LAN to any" active
Removed the "Block private networks" rule

What I know:
In the firewall log it reports that traffic from WAN like 173.194.35.31:80 to 10.1.1.101:54486 is blocked
The log fills up with 20-30 entries per minute if I try to connect to Google.
The browser can connect and gets stuck while waiting for data from the Internet site

What do I do wrong? Where is the mistake?

I already rebooted, reset and reinstalled the m0n0wall without any success :(


According to my understanding it should work, but the WAN to LAN traffic is somehow blocked

Content-Key: 190614

Url: https://administrator.de/contentid/190614


Member: aqui
aqui 03.09.2012, updated at 13:31:11
Hi Maerliprinz
According to your IP addressing you use a customized IP addressing scheme and not the default. So we assume here you have a router in between the WAN port and the Internet and use 192.168.0.0/24 as a transfer network. Is that the case here?
This is an RFC 1918 private IP address, and if you have not modified the default FW rule in the WAN port settings (bottom), these RFC 1918 networks get blocked by default and would block any Internet traffic back to the local LAN port.
In case you need private IP networks on the WAN port, make sure you uncheck the "Block private IP addresses" checkbox in the default setup of the WAN port. This is mandatory in case of RFC 1918 addresses on the WAN port!
See here a screenshot of how this is set up in the pfSense firewall, which is fully identical to Monowall (pfSense is a sister of Monowall and actually I have no Monowall screenshots at hand):


Another important thing is the question whether you use static or dynamic IP addressing on the WAN port.
In case it's static you did not get a DNS server entry automatically and have to set this manually in the setup; otherwise there is no DNS resolution, as you can see with your client.
Here is another snapshot from the pfSense setup (Monowall is identical) under System -> General setup:


So in a first step you have to take care of these settings to give basic Internet access to your clients! Most likely you forgot to set the DNS server as described, because pinging all the other addresses in the WAN network just works as you described.
Maybe you should reset the firewall to factory defaults, make these two settings (private network rule and DNS) as described, set the default gateway on the WAN port to .0.1 as well, and start from scratch. That should give you instant access from the client side to the Internet.

Getting access from the WAN port side to your client side is either a static NAT entry issue or a port forwarding one, because you have to override the built-in NAT firewall.
It depends a bit on what you would like to achieve with it. Maybe you should throw a bit more light onto this...
Before we dig deeper into this NAT setup, please tell us whether the source address of the stations trying to access clients in the 10.1.1.x network is in the 192.168.0.x network or outside the WAN port network (Internet)?
If the latter is true you need to customize firewall rules on the WAN port as well.
Maybe these 2 whitepapers and follow-up threads give some further help (unfortunately in German):
Inexpensive, VPN-capable firewall, self-built or as a ready-made device (Preiswerte, VPN fähige Firewall im Eigenbau oder als Fertiggerät)
Setting up a WLAN or LAN guest network with a captive portal (hotspot function) (WLAN oder LAN Gastnetz einrichten mit einem Captive Portal (Hotspot Funktion))
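As an added example, not from the thread and not m0n0wall's own code: a small Python model of the rule evaluation discussed in the answer above (the built-in "Block private networks" check on WAN, first-match user rules per interface, and stateful handling of reply traffic), run against the addresses and the blocked log entry quoted in the question. The rule order and the state-table semantics are a generic stateful-firewall simplification and are assumptions here; m0n0wall's real packet filter (ipfilter) is not reproduced.

```python
# Added example (not from the thread, not m0n0wall code): a simplified model of
# how a stateful firewall evaluates the WAN-side rules discussed in the thread.
# Rule order, "WAN address" matching and the state table are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Addresses taken from the question's setup
WAN_ADDRESS = ipaddress.ip_address("192.168.0.25")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "WAN" or "LAN"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    iface: str
    action: str          # "pass" or "block"
    src: str             # "any", "WAN address", or a CIDR / host address
    dst: str             # "any" or a CIDR / host address
    keep_state: bool = True


def _addr_matches(spec: str, addr: str) -> bool:
    """'WAN address' means the firewall's own WAN IP, not 'anything on WAN'."""
    if spec == "any":
        return True
    if spec == "WAN address":
        return ipaddress.ip_address(addr) == WAN_ADDRESS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


class Firewall:
    def __init__(self, rules: List[Rule], block_private_on_wan: bool):
        self.rules = rules
        self.block_private_on_wan = block_private_on_wan
        self.state = set()   # (src, sport, dst, dport) of flows admitted with keep_state

    def evaluate(self, p: Packet) -> Tuple[str, str]:
        # 1. A reply belonging to an existing flow is admitted by state and
        #    never consults the WAN rule set.
        if (p.dst, p.dport, p.src, p.sport) in self.state:
            return "pass", "state"
        # 2. On WAN the "Block private networks" option (assumed to run before
        #    user rules) drops any packet with an RFC 1918 source.
        if (p.iface == "WAN" and self.block_private_on_wan
                and any(ipaddress.ip_address(p.src) in n for n in RFC1918)):
            return "block", "Block private networks"
        # 3. First matching user rule on the arriving interface wins.
        for r in self.rules:
            if (r.iface == p.iface and _addr_matches(r.src, p.src)
                    and _addr_matches(r.dst, p.dst)):
                if r.action == "pass" and r.keep_state:
                    self.state.add((p.src, p.sport, p.dst, p.dport))
                return r.action, r.name
        # 4. Anything unmatched is dropped.
        return "block", "default deny"


def op_rules() -> List[Rule]:
    """The two rules the question describes."""
    return [
        Rule("LAN to any (default)", "LAN", "pass", "any", "any"),
        Rule("WAN address to any (OP's rule)", "WAN", "pass", "WAN address", "any"),
    ]


def demo() -> dict:
    fw = Firewall(op_rules(), block_private_on_wan=False)
    # The blocked entry quoted from the firewall log in the question
    reply = Packet("WAN", "173.194.35.31", 80, "10.1.1.101", 54486)
    results = {"reply_without_state": fw.evaluate(reply)}
    # The outbound request the client would have sent first
    results["request"] = fw.evaluate(Packet("LAN", "10.1.1.101", 54486, "173.194.35.31", 80))
    results["reply_with_state"] = fw.evaluate(reply)
    # Same rules with "Block private networks" left enabled: the upstream
    # gateway 192.168.0.1 (RFC 1918) is dropped on WAN before any rule is read.
    strict = Firewall(op_rules(), block_private_on_wan=True)
    results["gateway_blocked_private"] = strict.evaluate(
        Packet("WAN", "192.168.0.1", 53, "192.168.0.25", 40000))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows that a rule with Source "WAN address" matches only packets whose source is the firewall's own WAN IP (192.168.0.25 in the question), so it does not match the reply from 173.194.35.31 at all; in a stateful setup that reply is admitted by the state the LAN rule created for the outbound request, not by any WAN rule. The last case shows what the "Block private networks" option does to traffic from an RFC 1918 upstream such as the 192.168.0.1 gateway.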