I run 8 servers at a co-location facility with m0n0wall protecting them. Yes, you can do what you want. It is called filtered bridge mode. I do it myself. You will still need to give one IP to m0n0wall, but you will NOT need to touch a thing on the real-world IPs of any of the servers. The IP for m0n0wall is just so you can actually contact the m0n0wall to make changes to your filters and such.

To do it, you will need *3* NICs in the box running m0n0. Then "bridge" the OPT1 interface to the WAN. Then under "advanced" enable "filtered bridge mode". Voila!

Keep in mind that all your servers and such are on the OPT1 interface. BUT, all PPTP connections will show up on the LAN interface and therefore will NOT be able to talk to your servers. So, to get around that, you will need to connect both the LAN and OPT1 interfaces into the same switch and add a LAN IP to all your servers. Kinda a pain that way... but in retrospect, it was a good thing after all... All my servers have two NICs... so one gets a WAN (real-world) IP and one gets a LAN (private) IP. If you have only one NIC, that's okay... just give both IPs to the same NIC. I match my LAN IPs to the WAN IPs the servers are using... example: my main mail server is 209.32.147.34 and its LAN IP is 192.168.88.34 (note how both are .34).

Anyhow... runs GREAT and does a fabulous job of filtering and allowing me to PPTP in to do what I want. I also set up IPSEC between my office (192.168.1.1) and the colocation (192.168.88.1)... again... remember that IPSEC (like PPTP) shows up on the LAN port under the private IP address and CANNOT see your real-world IPs on the OPT1 port that were bridged to the WAN port... so it travels to the servers via their private IPs. I know... looks funny having both a LAN and OPT1 port connected to the same switch... but hey! It works. Just don't accidentally connect the WAN port to the switch as well... then you've got a problem! Heh.

PS: Make sure you understand routing. All the servers should use their real-world IP's gateway for the default route and then add a route to each server for any private IPs that should go over the private network (PPTP, IPSEC)... example: Since I access my servers from the 192.168.88.x, 192.168.1.x, 192.168.10.1, 192.168.0.x IP blocks, I have routes for those IPs on each server. Otherwise, it'll try to send them over the WAN IP instead of the LAN IP.

------------------------------------------------------------
Jason J Ellingson
Technical Consultant
615.301.1682 : nashville
612.605.1132 : minneapolis
www.ellingson.com
jason at ellingson dot com

-----Original Message-----
From: Jason Allen [mailto:jallen at effortlesse dot com]
Sent: Monday, December 06, 2004 2:01 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] m0n0wall @ colocation facility

I have a question about m0n0wall. I intend to use it at our colocation facility to provide firewall and VPN services for our network. My question is this: I have 128 IP addresses assigned to me by my colo facility. Those IPs are used on 3 different servers that I want to sit behind the firewall. Ideally I would like not to use NAT, and just keep the IPs configured the way they are on the servers, i.e. not to have internal IPs on the servers at all. Is this possible? I think it may be from what I've read, using Advanced Outbound NAT, although I'm not sure. So basically I would like the firewall to just be a "passthrough" and just have the firewalling functions work to drop traffic I haven't authorized. If this will work this way, would my colo facility have to add anything into their routers to make it work? Also, would I need to change anything on the servers at all, like the default gateway? Any help would be appreciated, thank you!
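One way to lay down the per-server routes the reply's PS describes (default route via the real-world gateway, the private PPTP/IPSEC blocks via m0n0wall's LAN address), as an added example that is not part of either message. It assumes a Linux server with iproute2, a private NIC named eth1 on 192.168.88.0/24, m0n0wall's LAN side at 192.168.88.1, and a placeholder WAN gateway of 198.51.100.1 that you replace with the one the colo assigned.

```shell
#!/bin/sh
# Added example (not from the post): generate the static routes one server needs
# in the filtered-bridge layout. Assumptions: Linux iproute2, the private NIC is
# eth1 on 192.168.88.0/24 (that /24 is a connected route already, so it needs no
# entry here), m0n0wall's LAN side is 192.168.88.1, and the real-world gateway
# is a placeholder; replace it with the one the colo assigned.
WAN_GW="${WAN_GW:-198.51.100.1}"   # placeholder, not a real colo gateway
LAN_GW="${LAN_GW:-192.168.88.1}"   # m0n0wall LAN address from the post
LAN_DEV="${LAN_DEV:-eth1}"

# Remote private blocks that arrive via PPTP/IPSEC on m0n0wall's LAN side,
# as listed in the post; 192.168.10.1 is a single host, so /32.
PRIVATE_NETS="192.168.1.0/24 192.168.10.1/32 192.168.0.0/24"

# Print the commands instead of running them, so the plan can be reviewed first.
route_plan() {
    echo "ip route replace default via $WAN_GW"
    for net in $PRIVATE_NETS; do
        echo "ip route replace $net via $LAN_GW dev $LAN_DEV"
    done
}

# Which gateway a destination should take under this plan: private blocks
# (including the local 192.168.88.x) go to m0n0wall's LAN side, all else to WAN.
expected_gw() {
    case "$1" in
        192.168.88.*|192.168.1.*|192.168.10.1|192.168.0.*) echo "$LAN_GW" ;;
        *) echo "$WAN_GW" ;;
    esac
}

# Compare the plan against the live routing table (Linux only); returns non-zero
# if any probe destination would leave through the wrong gateway.
check_live() {
    for dst in 192.168.1.7 192.168.10.1 192.168.0.9 203.0.113.5; do
        live=$(ip route get "$dst" 2>/dev/null | sed -n 's/.* via \([0-9.]*\).*/\1/p')
        [ "$live" = "$(expected_gw "$dst")" ] || { echo "mismatch: $dst via ${live:-none}"; return 1; }
    done
}

case "$1" in
    apply) route_plan | while IFS= read -r cmd; do $cmd; done ;;   # needs root
    check) check_live ;;
    *)     route_plan ;;
esac
```

Run it with no argument to review the plan, `apply` (as root) to install it, and `check` afterwards to confirm each probe destination leaves through the gateway the plan intends.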