
I have two LAN subnets that I need to link together: 192.168.4.0/24 and 192.168.5.0/24.

There is a m0n0wall running on 192.168.4.1. Its LAN connection goes out to our network switch, and its WAN port goes out to our ADSL modem. WAN is connected via PPPoE.

The 192.168.4.0 subnet contains all of our office workstations. The 192.168.5.0 subnet contains development servers and test machines that need to obtain internet access and be "managed" by computers on the 192.168.4.0 subnet, but need to be on their own subnet as well.

I have a Draytek 2820N configured on 192.168.5.1 with its WAN2 port configured as 192.168.4.25 and a default gateway of 192.168.4.1. Machines on the 5.0 subnet can connect to the internet via the m0n0wall just fine.

I configured a static route on the m0n0wall LAN interface, Network 192.168.5.0/24 and Gateway 192.168.4.25.

Machines on the 5.0 subnet can ping machines on the 4.0 network, but the reverse does not work. I configured a new firewall rule on the m0n0wall that allows any traffic on the LAN interface with a source IP of 192.168.4.25. The DrayTek firewall is currently configured to pass all traffic regardless.

When I try to ping a machine in the 5.0 subnet from 4.0 I see this in my m0n0wall log:

BLOCK 14:45:27.888157 LAN 192.168.4.25 192.168.4.37, type echoreply/0 ICMP

So the reply is being sent from the 5.0 subnet but is not being allowed to reach my workstation because the firewall is blocking it. Why is the firewall blocking it?

I hope the explanation of my network is clear, please ask if you require further clarification.

Thank you.

SnAzBaZ
  • I'm not familiar with the Draytek router. Is it possible that it's NAT/MASQUERADE-ing the 5.0 network to the 4.0 network? That might explain why pings from 5.0 to 4.0 work, but not the other way around. – Steven Monday Feb 12 '11 at 16:24
  • Is it possible to add another network port to the monowall router, or does it have a free port available for use? – Flash Jun 04 '12 at 13:14
  • Sounds complicated. A picture would help. Even one made out of ascii art. It sounds like you have two firewalls in play. The draytek and the monowall, is that right? – hookenz Jan 14 '13 at 20:23

1 Answer


If the ICMP packet was sent from 192.168.4.37 to 192.168.5.x and the reply is received from 192.168.4.25 I wonder if this could be considered a spoof. In the m0n0wall advanced settings I notice these 2 options:

  • Spoof Checking blocks packets not sourced from the subnet of the interface the packet was received on
  • Bypass firewall rules for traffic on the same interface

I don't know the inner workings of m0n0wall. But I wonder if there are system firewall rules added that are not actually shown in the rules web interface that may be blocking the echoreply.

Can you go to /exec.php and post the output of the command:

ipfw list

This would probably be of help in debugging.

Andy Shinn
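The following is an added example, not code from the question, the answer, m0n0wall or DrayTek. It is a toy model of the ping path described on this page: a stateful LAN filter that only passes an echo reply matching an earlier request, the two m0n0wall options the answer quotes (spoof checking and the same-interface bypass), and the comment's hypothesis that the DrayTek NATs the 5.0 subnet behind its WAN2 address 192.168.4.25. The dev host 192.168.5.10 is a constructed sample address; 192.168.4.25 and 192.168.4.37 come from the question. The filter's rule order is an assumption, not m0n0wall's real implementation.

```python
"""Toy model of the ping path in the question (added example, not m0n0wall
or DrayTek code). Rule order inside StatefulFirewall is an assumption."""
import ipaddress
from dataclasses import dataclass

LAN_SUBNET = ipaddress.ip_network("192.168.4.0/24")
DEV_SUBNET = ipaddress.ip_network("192.168.5.0/24")   # reached via the static route
DRAYTEK_WAN2 = "192.168.4.25"   # from the question
WORKSTATION = "192.168.4.37"    # from the log line in the question
DEV_HOST = "192.168.5.10"       # constructed sample address, not on the page


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp: str            # "echorequest" or "echoreply"
    iface: str = "LAN"   # interface the packet arrived on


class StatefulFirewall:
    """Assumed behaviour of a stateful LAN filter with the two options the answer names."""

    def __init__(self, spoof_check=True, bypass_same_iface=False):
        self.spoof_check = spoof_check
        self.bypass_same_iface = bypass_same_iface
        self.state = set()   # (src, dst) of outbound echo requests that were let through

    def _routed_back_out_same_iface(self, pkt):
        # Both 192.168.4.0/24 and, through the static route via 192.168.4.25,
        # 192.168.5.0/24 are reached through the LAN interface.
        dst = ipaddress.ip_address(pkt.dst)
        return pkt.iface == "LAN" and (dst in LAN_SUBNET or dst in DEV_SUBNET)

    def filter(self, pkt):
        if self.bypass_same_iface and self._routed_back_out_same_iface(pkt):
            return "PASS (same-interface bypass)"
        if (self.spoof_check and pkt.iface == "LAN"
                and ipaddress.ip_address(pkt.src) not in LAN_SUBNET):
            return "BLOCK (spoof check: source not in LAN subnet)"
        if pkt.icmp == "echorequest":
            # Default LAN rule: allow outbound and remember the request.
            self.state.add((pkt.src, pkt.dst))
            return "PASS"
        # An echo reply passes only if it is the mirror of a remembered request.
        if (pkt.dst, pkt.src) in self.state:
            return "PASS"
        return "BLOCK (no matching state)"


def draytek_forward_reply(reply, nat):
    """Reply leaving the 5.0 subnet through the DrayTek's WAN2 port. With NAT
    the source becomes 192.168.4.25, which is what the BLOCK log line shows."""
    if nat:
        return Packet(DRAYTEK_WAN2, reply.dst, reply.icmp, reply.iface)
    return reply


def ping_round_trip(nat, spoof_check=True, bypass_same_iface=False):
    """Return (verdict on the reply, reply source address as the m0n0wall sees it)."""
    fw = StatefulFirewall(spoof_check, bypass_same_iface)
    request = Packet(WORKSTATION, DEV_HOST, "echorequest")
    verdict = fw.filter(request)
    if not verdict.startswith("PASS"):
        return verdict, None
    reply = draytek_forward_reply(Packet(DEV_HOST, WORKSTATION, "echoreply"), nat)
    return fw.filter(reply), reply.src


def log_line(verdict, src, dst):
    """Render a verdict in the shape of the m0n0wall log line from the question."""
    return f"{verdict.split()[0]} LAN {src} {dst}, type echoreply/0 ICMP"


if __name__ == "__main__":
    for nat, spoof, bypass in [(True, True, False), (False, True, False),
                               (False, False, False), (True, True, True)]:
        verdict, src = ping_round_trip(nat, spoof, bypass)
        print(f"nat={nat} spoof_check={spoof} bypass={bypass}: {verdict}")
        print("   ", log_line(verdict, src, WORKSTATION))
```

The first scenario (DrayTek NATs, defaults) reproduces the log line in the question: the state entry expects a reply from 192.168.5.10, but the reply arrives from 192.168.4.25, so no state matches and the packet is blocked. The second scenario shows why turning NAT off is not enough on its own under this model: a reply sourced from 192.168.5.10 arriving on the LAN interface trips the spoof check the answer mentions, which is where the same-interface bypass option becomes relevant.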