Henning Wangerin wrote:

> On Sat, 2004-11-20 at 20:58, Jesse Guardiani wrote:
>> Henning Wangerin wrote:
>>
>> > I need to handle at least two PPPoE sessions simultaneously, as I need
>> > at least two IPs.
>>
>> You know that you can bind multiple IPs to the WAN interface via the
>> NAT -> Server NAT feature, right?
>
> Yeah, but that doesn't help on getting another public IP, as they're
> handed out by the PPPoE link, or am I wrong here?

No, they're not "handed out" by the PPPoE link. Rather, you have to have a
subnet routed TO your PPPoE link via the upstream router.

One thing I learned during my quest to get m0n0wall set up with a fully
functional DMZ is that PPPoE is not capable of specifying a netmask. So you
will never want to bridge with a PPPoE WAN interface, because PPPoE is only
capable of assigning one static IP. If you need a subnet routed, then that's
OK, and it works, but you won't ever see anything other than a
255.255.255.255 netmask on your PPPoE interface.

>> I do this currently to enable a separation
>> between my private LAN and my public DMZ. All NAT rules go through a
>> secondary IP bound to the WAN interface, while DMZ traffic passes through
>> the default IP assigned directly to the PPPoE link.
>
> I don't get your setup. Do you have a sketch of it?

Yeah, on my whiteboard in my office. :)

Here, let's see if we can draw it in ASCII:

    Cisco 2600
      |
      +-> ADSL ATM Circuit
            |
            +-> WAN (m0n0wall) [int.wingnet.net]
                  |
                  +-> LAN (m0n0wall) [192.168.1.1/24]
                  |
                  +-> DMZ (m0n0wall) [216.64.103.225/29]

1.) I have bound an additional public IP to the WAN interface via
    "Server NAT".

2.) I have "Advanced Outgoing NAT" turned ON, and I have defined a rule for
    the 192.168.1.1/24 network. However, instead of leaving the "Target"
    field blank, I have specified the IP I bound to the WAN interface in
    step #1, above.

    I have *NOT* defined a NAT rule of any kind for the DMZ network. This
    allows traffic to pass through the WAN interface to the DMZ as normal
    routed traffic, instead of being NAT'd.

    See the following FAQ for my inspiration:
    http://m0n0.ch/wall/docbook/faq-ipalias.html

3.) For any needed "Inbound NAT" rules from WAN -> LAN, I specify the
    address created in step #1, above, for the "External Address" field.

This effectively gives me a wide open, totally NAT-free DMZ, while still
retaining a NAT'd LAN, complete with Inbound NAT rules.

I could have just skipped step #1 and used the default WAN IP for all
outbound and inbound NAT rules, but then any rules I created would have
BLOCKED access to the corresponding ports on the DMZ. For example, if I
didn't perform step #1, and created an inbound port 80 rule to a private IP
on the LAN, then any traffic to 216.64.103.226 port 80 would also be
redirected to that same private IP on the LAN. The above dual-IP WAN setup
avoids this problem.

I hope that makes sense. Also, if anyone sees any security problems with my
setup, please speak up. I didn't go to school for this. :) I just fiddled
around with it until I got it working.

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net
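The port 80 collision Jesse describes, and why keying the port forward on a second public IP avoids it, can be checked with a small model of the rule matching. This is an added example, not code from the post or from m0n0wall; it models an inbound rule keyed on the WAN interface as matching every destination address that arrives on that interface (the behaviour the post reports), and the addresses 10.0.0.2 (PPPoE-assigned WAN IP), 203.0.113.10 (the extra public IP bound in step 1), 192.168.1.10 (a LAN web server) and 198.51.100.7 (an Internet client) are assumptions; only 216.64.103.226 and the two subnets come from the post.

```python
"""Model of the dual-IP WAN NAT setup described in the post (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
ip = ipaddress.ip_address

# Addresses from the post
DMZ_NET = ipaddress.ip_network("216.64.103.224/29")   # routed to the PPPoE link
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_WEB = ip("216.64.103.226")                        # DMZ host named in the post
# ASSUMPTIONS: the post does not give these values
WAN_IP = ip("10.0.0.2")          # address the PPPoE session assigned to WAN
WAN_ALIAS = ip("203.0.113.10")   # extra public IP bound via Server NAT (step 1)
LAN_WEB = ip("192.168.1.10")     # LAN host behind an inbound port-80 rule
CLIENT = ip("198.51.100.7")      # some client on the Internet


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class InboundRule:
    """WAN -> LAN port forward. ext=None models a rule keyed on the WAN
    interface instead of on one address: it matches every destination that
    arrives on that interface, including routed DMZ addresses."""
    ext: Optional[IPv4]
    port: int
    target: IPv4
    proto: str = "tcp"


@dataclass(frozen=True)
class OutboundRule:
    """Advanced outbound NAT entry: sources in src_net are translated to target."""
    src_net: ipaddress.IPv4Network
    target: IPv4


def apply_inbound(pkt: Packet, rules) -> Packet:
    """Packet as it continues inward: redirected by the first matching rule,
    otherwise left alone (plain routing, which is how the DMZ is reached)."""
    for r in rules:
        if (r.proto == pkt.proto and r.port == pkt.dport
                and (r.ext is None or r.ext == pkt.dst)):
            return Packet(pkt.src, r.target, pkt.dport, pkt.proto)
    return pkt


def apply_outbound(pkt: Packet, rules) -> Packet:
    """Packet as it leaves the WAN side: source-translated only if a rule matches."""
    for r in rules:
        if pkt.src in r.src_net:
            return Packet(r.target, pkt.dst, pkt.dport, pkt.proto)
    return pkt


# Without step 1: the only external address is the WAN interface itself.
INTERFACE_BOUND = [InboundRule(None, 80, LAN_WEB)]
# With steps 1 and 3: the forward is keyed on the alias address.
ALIAS_BOUND = [InboundRule(WAN_ALIAS, 80, LAN_WEB)]
# Step 2: only LAN sources are translated, and they go out as the alias.
OUTBOUND = [OutboundRule(LAN_NET, WAN_ALIAS)]


def inbound_destinations(rules):
    """Final destination of port-80 traffic sent to the WAN IP, the alias,
    and the DMZ web server, under the given inbound rules."""
    probes = (Packet(CLIENT, WAN_IP, 80),
              Packet(CLIENT, WAN_ALIAS, 80),
              Packet(CLIENT, DMZ_WEB, 80))
    return tuple(apply_inbound(p, rules).dst for p in probes)


def outbound_sources():
    """Source address seen on the Internet for a LAN host and a DMZ host."""
    from_lan = Packet(ip("192.168.1.50"), CLIENT, 443)
    from_dmz = Packet(DMZ_WEB, CLIENT, 443)
    return (apply_outbound(from_lan, OUTBOUND).src,
            apply_outbound(from_dmz, OUTBOUND).src)


if __name__ == "__main__":
    print("interface-bound forward:", inbound_destinations(INTERFACE_BOUND))
    print("alias-bound forward:    ", inbound_destinations(ALIAS_BOUND))
    print("outbound sources:       ", outbound_sources())
```

With the interface-bound rule every port-80 probe, including the one addressed to 216.64.103.226, ends up at the LAN host, which is the hijacking Jesse ran into; with the rule keyed on the alias, only traffic to the alias is forwarded and the DMZ packet is routed untouched. Outbound, the LAN host leaves as the alias while the DMZ host keeps its own address, so the DMZ is never translated in either direction.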