gmane.comp.security.firewalls.m0n0wall

NATing to an external IP address

Adam Stasiak — 2012-05-26T01:03:30

Is it possible to use NAT (or some combination of NAT and other trickery)
to redirect an address on your WAN interface to another external IP address
(not on the WAN interface, but at some other site).

e.g. Site A has Public IP address 1.0.0.1
Site B has Public IP 1.0.0.2

I would like to redirect any requests that come in to 1.0.0.1 on port 80 to
go to 1.0.0.2 (also on port 80).

The goal is to be able to redirect HTTPS requests to a block of IP
addresses to a single IP address (but on different ports) to avoid needing
a different public IP address for each SSL encrypted site.
I already know about wildcard certs and certs with multiple host names on
them and also SNI, all of these are problematic for one reason or another.
If there were someway to redirect requests as mentioned above, I could
colocate a monowall box somewhere where I can get the IPs I need and
redirect them to the primary webserver, which unfortunately has a pretty
limited number IPs available.

M0n0Pluguin

sergi — 2012-05-16T10:07:07

 Hello everybody!

I'm really interested in develop a pluguin that can menage the vouchers,
the first and the main objective is to
know the actual voucher state, for example is if active or not, when it
expires, etc...

Does anybody worked in this before?? Could you give me some advise on how
to start developing?

I took a look at the development section of your web-page. It seems that
the first thing I must do is to
install the FreeBSD OS and then the m0n0 image for his OS. I'm wondering
if I can do all of this in a VMWare Workstation... My doubt is if I'm in
the right path, sorry I've never developed for this kind of sytems. So any
infomration will be really helpful.

Thanks in advance!!!

WRAP/ALIX platform running 1.33 - seeing limited download bandwidth

David Cramblett — 2012-05-04T18:37:49

I recently changed my internet connection from Qwest/Century Link 20M/896K
DSL to a Comcast Business Cable which is netting about 55M/45M.  However,
when I run a speed test through a LAN based computer connected to my WRAP
based m0n0wall system, I was seeing only 16M down/35M up.

I checked my interfaces to make sure they were configured at 100Mb-Full
Duplex, and everything looked good.  It seemed really odd that I was still
seeing 35M up, but only seeing 16M Down.  I reset the Comcast SMC modem, my
"dirty" WAN side switch and my m0n0wall WRAP router - just to make sure
everything was cleaned up but still saw the same results.

Despite the 35M upload I was seeing, I decided my old WRAP platform must be
"dated" and ordered a new 500MHz ALIX board.  It arrived yesterday and I
replaced the router and now I am seeing about 10M down/35M Up.

I re-checked the interfaces, still showing 100M-Full Duplex. Whenever I
plug my workstation into the dirty WAN switch (bypassing m0n0wall) I
immediately get the 55M/45M speed

Performance issues on WRAP

Stefan Ott — 2012-04-22T03:08:27

Hey

I recently noticed a strange behaviour with m0n0wall 1.33 running on a
PC Engines WRAP. It seems that whenever the network throughput (tried
with http and ftp) gets close to my connection's maximum (which is
around 25 Mbps) the system becomes extremely unresponsive and won't do
anything else anymore - DNS lookups fail and even wifi connections get
terminated. A quick look at the CPU load graph shows that it's very
close to 100%.

Now, I realize that maxing out my connection will have some negative
impact on additional data traffic, but using my whole CPU for a little
bit of packet forwarding seems slightly excessive. Thus I was
wondering whether anyone might have an idea about what I can do to
figure out what exactly generates all that CPU load and how to fix it.

Any advice would be highly appreciated.

cheers

PPTP - multiple NICs & Subnets

Shreve, Josh — 2012-04-13T14:21:50

Hello, I apologize for my ignorance but I have a small question.

I am considering using m0n0wall as a virtual appliance in a VMware host.
Ideally I would like for the appliance to have 3 NICs:



*NIC1 = WAN (public IP)
*NIC2 = LAN1 (192.168.100.0/24)
*NIC3 = LAN2 (192.168.200.0/24)


Would it be possible to configure a PPTP VPN that I can connect to that
would allow me to access both the 192.168.100.x and 192.168.200.x
networks, and if so how?  I'd rather use PPTP vs. IPSec due to its
support by most OS's out-of-the-box, but if I absolutely have to use
IPSec I suppose I could.

I haven't found a definite answer, and it is the last piece of my
virtual network puzzle.  Thanks in advance!

Implementing Thermal Printer TM-T20

Sergio Vemic — 2012-04-12T11:51:07

Hi,

has someone tryed or maybe implemented interface for Epson TM-T20
Thermal Printer?

It would nice if there was a possibility to use the feed button to
generate single voucher...

Regards,
Sergio

Captive Portal: WLAN Authentification without entering Voucher ID or user name / password pair

Ralf Petry — 2012-04-02T21:27:56

Hy,
I'm running m0n0wall in its latest stable version and I experience, that users sometimes can use the captive portal without having to enter either a voucher id or a user / password pair. I've built a web page, that would allow for both: either entering user name and password or voucher id. Leaving the fields blank and clicking on "continue" gives users access to the internet... what more information would you need to help me?
also there are two linux based internet terminals, which provide the same strange and not-wanted behaviour...
thanks in advance.

Ralf Petry, von irgend so einem mobilen Endgerät gesendet...

Firewall not filtering?

Matthew Ford — 2012-04-02T13:08:39

Hi,

I must be doing something wrong.

v1.33 on a soekris net4801

All 'pass' rules on my firewall WAN i/f are disabled, and yet I am happily sending and receiving traffic, including this email. What am I missing??

Mat

Less Than 24 Subnet Mask Causes iPhone, iPad, etc No Web Browsing

Dave — 2012-03-29T19:27:12

Hi all
I'm having a problem with my m0n0wall at home, If I connected client i.e. iPad, iPhone, android, etc client is connected to a network with a subnet mask of less than 24, causes the devices not to be able to browse the Internet, this is not true to windows machines connected, which does not suffer from such problems. The affected networks are additional to the default LAN and via VLAN tagging to a managed switch. Has anybody experienced any problems or possible solutions?

M0n0wall version - 1.33

EG - 192.168.11.1/26 which should give 62 available addresses.....

Kind Regards
Dave

Sent from my iPad

State Table Optimization - m0n0 vs pfSense...

Lee Sharp — 2012-03-26T21:20:07

In pfSense, there is a drop down to select how the state table is 
optimized.  You can choose "normal" "high latency" "aggressive" or 
"conservative."  Is there any way to do this in m0n0wall with shell 
commands?  It seems to help some VoIP services a lot...

Lee

how to use dyndns behind a router

2012-03-22T14:40:53

Hi

I use the m0n0wall behind a dsl router. PPPoE is not supported anymore so I need to forward all external initiated traffic to the m0n0wall with a private ip on the wan interface.

My problem:

DynDns doesn't work anymore because the public ip is bound on dsl router. Is there a way to configure dyndns for such scenario?

thx bb

m0n0wall in VM?

2012-02-16T14:23:55

I've seen things relating to this come up on the list. It tickles my
curiosity. What is a typical use case for m0n0wall in a VM?

Michael Graves
mgraves  mstvp.com
o(713) 861-4005
c(713) 201-1262
sip:mjgraves< at >mstvp.onsip.com
skype mjgraves

I have some spare WinTerm based m0n0walls...

Lee Sharp — 2012-02-15T22:15:15

I built several Wyse WinTerm based m0n0wall firewalls for an expansion 
project that never got funded.  They are all silent systems, with 3 
network ports, and decent ram.  They were built to support LAN, WAN and 
DMZ, and to do light VPN.  They have 1.33 installed and configured.  The 
Dual port LAN card is an Intel card and chipset. (fxp)  They also run 
off of 1 amp wall wart power supplies!  I am keeping one for at home, as 
it is better than my old system.  Looking for $150, shipping from Texas. 
  Just trying to get back what I got in them.

Please respond off list, as I do not want to spam everyone with this. 
This is bad enough, but since I have sold m0n0walls twice in ten years, 
I don't think I am too spammy. :)

Lee

Static route required when using domain overrides in DNS forwarder over IPsec VPN

mtnbkr — 2012-02-15T16:33:31

Hi Manuel, not sure if this is a bug report, or a feature request. :)

In the past, a static route was required for remote sysloging to a syslog
server over a IPsec VPN. In recent versions of m0n0wall you added a check box
"Bind to LAN interface only" on the log settings tab which alleviated the need
for the static route.

I just ran across a similar situation where we have remote sites connected via
IPsec VPNs and need them to use our central DNS server for systems in our domain.

Setting up the domain override at a remote site to point at our central dns
server does not work unless we add the static route like we had to do with
sysloging in the past.

Do you think this is fixable within the dnsmasq integration of m0n0wall, or
will we be required to keep a static route when using the domain override
feature at remote sites?

Thanks!

--
Bill Arlofski
Reverse Polarity, LLC

Register DHCP leases in DNS forwarder in 1.8b491

James L. Lauser — 2012-02-09T02:49:17

Hi.

I recently upgraded my m0n0 instance to 1.8b491 (the latest at the time),
and I noticed that the "Register DHCP leases in DNS forwarder" feature
seems to have stopped working. I checked all of the settings, even tried
unsetting and resetting them, but nothing seems to fix it. None of the
notes for 492-496 referenced DNS or DHCP, so I didn't bother trying to
upgrade yet.

The DNS server is definitely running, and other statically configured
aliases are being returned, but certain parts of my network depend on these
dynamic assignments to work correctly. Any suggestions would be appreciated.

IDE flash modules / sd-ram for sale.

YvesDM — 2012-02-07T16:56:51

Hi m0n0 brothers :-)

We've phased out all our pc driven hardware and for this reason have lots
of Transcend 32MB / 64MB IDE flash modules for sale.
Like these: http://www.logicsupply.com/products/t512mdom40vs , but all 32
or 64MB, which is more then enough for your monowall image.
They were all taken from working systems, we will put a default m0n0wall
version on it if you like. Price 5 euro + shipping.
We also have lots of sd-ram modules of 64MB,128MB & 256MB. If anyone is
interested, let me know.

kind regards
Yves

Can't obtain ipv6 over ppp

Peter Teunissen — 2012-02-06T22:18:43

Hi All,


I've got a curious problem. I've got ftth, with ipv6. The connection is over a vlan with pppoe. This works fine for ipv4 but I can't get ipv6 to work. It worked once, but after a reboot I can't get it to obtain it's ipv6 subnet anymore. There are RA's on the pop interface (ng0) but nothing happens, it only creates a self assigned ipv6 on the wan, but theres on ipv6 traffic to the wan and no /64. 


Situation:

- Using PPPoE over fiber. m0n0wall is directly connected to the FTU
- Internally IPv6 is working fine
- ISP delivers routed IPv6 /48 subnet and sends RA's to WAN interface
- Using setup below:

  a. At first IPv4 works, IPv6 doesn't
  b. When checked, net.inet6.ip6.accept_rtadv = 0
  c. changed to net.inet6.ip6.accept_rtadv = 1 and then m0n0wall did set IPv6
     address for the WAN interface and DNS servers
  d. after reboot, IPv6 on WAN obviously was lost
  e. setting net.inet6.ip6.accept_rtadv = 1 again didn't change anything:
    
- Now the m0n0wall logs the RA's on the WAN interface, but

VMware + Monowall = FTP not working

Joe Cavaliere — 2012-02-06T18:22:50

I have 2 identical setups.

1) Physical machine running monowall 1.33
2) VMware Image running monowall 1.33

Note that the configurations are identical. This is not a PASV or ACTIVE
FTP problem.

The problem I have is when trying to access an FTP server OUTSIDE my
network with the VMWARE image.
CommandLine FTP or any FTP client says  "connected" but locks there, the
welcome login screen never appears and eventually times out and
disconnects.
PASV and ACTIVE setups don't change a thing.

When I try this on the physical machine it works.

I've scoured the internet for a solution for the past year (i've attempted
finding a solution several times before with no success. )
The problem exists only when trying to access FTP through Monowall on a
VMWARE image.

- I can successfully connect to FTP on a  Virtual Machine bypassing Monowall
- I can successfully connect to FTP on a physical machine going through
Monowall
- I CANNOT connect to FTP on a Virtual Machine going through Monowall.

Hopefully some one has come a

DHCP Relay and DHCP server at the same time.

Ulrik Lunddahl — 2012-02-01T09:40:01

Hi Everyone!

Today i had the joy of not knowing what was going on my network...:)

My setup is with 4 physical interfaces, WAN (static), LAN (Servers), OPT1 (Client PCs), OPT2 (IT Equipment)

I have a Windows DHCP server on the LAN subnet, and is using DHCP Relay on the OPT1 interface to Relay DHCP request to the DHCP server, this has been working for quite some time, no problems at all.

Yesterday I enabled the DHCP server on the OPT2 interface, most equipment is switches, UPS'es and Remote Management Cards for server, so thay have static IP addresses, but when I bring my notebook or install new equipment I would be nice to have a DHCP service on this subnet/VLAN, so I enabled it.

It was not working, as in, I did not get an IP address on my notebook as expected, so I wrote it on the tofix list and went home.

This morning clients on the OPT1 interface complained about lost network connectivity due to missing DHCP service, the DHCP server was fine, so I went on an disabled the DHCP server on the OPT2 inter

Strange traceroute behaviour

Rennhard Marc (rema — 2012-01-28T15:40:58

Dear all

(I've seen some earlier posts about problems with doing a traceroute through m0n0wall, but couldn't find a solution.)

I'm having problems when using traceroute from my internal network to host in the Internet. My setting of the m0n0wall box (v 1.32) is as follows:

LAN: 10.0.0.0/24
DMZ: 10.0.1.0/24
WAN : 10.0.10.0/24

The next hop after the m0n0wall box towards the Internet is the router I got from the ISP, it has IP address 10.0.10.1. Both the m0n0wall and that router perform NAT.

I'm using traceroute with the -I option (using ICMP) as UDP does not appear to work at all (I get only an answer from the m0n0wall box in that case).

When doing a traceroute to a host in the DMZ, it works well:

$ traceroute -I 10.0.1.2
traceroute to 10.0.1.2 (10.0.1.2), 64 hops max, 72 byte packets
1  10.0.0.1 (10.0.0.1)  1.840 ms  0.327 ms  0.402 ms
2  10.0.1.2 (10.0.1.2)  0.401 ms  0.355 ms  0.328 ms

When doing a traceroute to the ISP router, it also works:

$ traceroute -I 10.0.10.1
traceroute to 10.0.10.1 (10.0.

IPv6 Tunnelbroker

Jakob Schwienbacher — 2012-01-27T16:29:43

Hello List,

I have m0n0wall 1.33 running with dynamic IP PPPoE. I have IPv6
running with tunnelbroker.net and everything works just fine.
Now to the problem. The IPv4 address of the WAN connection changes
every day/week/month even when there is power loss of the monowall or
the broadband connection gets droped by some reason. So the IPv6
connection isn't working anymore because the tunnelbroker.net doesn't
know my "new" dynamic IP. So every time my WAN IP changes i have tu
run a authentication URL on a machine to update my tunnel endpoint.

Is there a way to implement a script/command (wget + authentication
url of tunnelbroker.net) in monowall after every PPPoE negotiaion? I
suppose there should be already a script that handles dyndns
authentication.

Thanks a lot!

Regards

Jakob