 From:  Thomas Kolstø <thomas at kolsto dot no>
 To:  Matt Hohman <mhohman at newheights dot org>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: m0n0wall transparent proxy
 Date:  Wed, 10 Nov 2004 19:45:46 +0100
On Nov 10, 2004, at 7:25 AM, Matt Hohman wrote:

> Thomas,
> 	I'm trying to set up m0n0wall to do transparent proxying based on the 
> message you left on the list. This is our setup (I hope the ASCII 
> comes out okay)
> t1---------------- m0n0wall ----------  DMZ
> .                                 :                         mail
> voip (asterisk)         :                         web
> 			    LAN---PPTP      proxy (content filtering, we're a church)
>                                    :
>                             60 Machines
> We are trying to add a NAT->Inbound rule, but in the drop-down box in 
> Inbound under NAT settings it only lists the WAN interface. How can I 
> set it to LAN? (I can send a screenshot if I'm not describing the menu 
> accurately)

Seems like m0n0 is deliberately not showing the LAN (nor PPTP, for that 
matter) interface in that dropbox. I can't find any good reason for 
this except that this may be a failsafe mechanism preventing the admin 
from locking himself out.

This is not a problem in my setup because I'm using VLANs for the 
internal networks and they show up as OPT interfaces.

A quick fix for you would be to attach your LAN network (with the 60 
machines as indicated in the ASCII) to an OPT interface instead of the 
configured LAN, or, if you are up to it, hack the config.xml directly to 
reflect your setup.

Note that you will not be able to access the webGUI from the network 
you enable transparent proxying for, since all the traffic is 
redirected to your proxy, which has no (or should have no) access to your 
internal LAN. So make sure you add an appropriate

Manuel/Developers: It would be nice to have some more fine-grained 
control over the rules so that you could, for example, enable transparent 
proxying for a range of IPs or whatnot. From what I can gather, the 
NAT->Inbound page is creating ipnat rdr rules, which support this, or am 
I missing something here?

Thomas Kolstø <thomas at kolsto dot no>
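The kind of per-range ipnat rdr rule Thomas asks about, written out as an added illustration that is not part of this thread or of m0n0wall's own generated rules. Interface name (lan0), client range, proxy address and the self-redirect used as an exemption are assumptions, and m0n0wall normally writes these rules itself from config.xml rather than reading an ipnat.conf.

```text
# Constructed example of ipnat rdr rules for transparent HTTP proxying.
# Assumed: lan0 is the inside interface, 192.168.1.1 the m0n0wall LAN
# address, 192.168.1.0/24 the client range and 10.0.0.5:3128 the proxy.
#
# ipnat evaluates rdr rules in order and uses the first match, so the
# exemption for traffic addressed to the firewall itself (webGUI) must
# come before the catch-all redirect. Redirecting to the original
# destination and port is an assumed way of expressing "leave alone".
rdr lan0 from 192.168.1.0/24 to 192.168.1.1/32 port = 80 -> 192.168.1.1 port 80 tcp

# Redirect HTTP only from the chosen client range to the proxy; hosts
# outside 192.168.1.0/24 on the same interface are not affected.
rdr lan0 from 192.168.1.0/24 to 0.0.0.0/0 port = 80 -> 10.0.0.5 port 3128 tcp
```

The proxy host still needs a firewall rule allowing it to reach the Internet on port 80, and (as noted above) should not be allowed back into the internal LAN.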