 From:  "Jason J. Ellingson" <jason at ellingson dot com>
 To:  "'Jason Allen'" <jallen at effortlesse dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] m0n0wall @ colocation facility
 Date:  Mon, 6 Dec 2004 07:37:00 -0600
I run 8 servers at a co-location facility with m0n0wall protecting them.

Yes, you can do what you want.  It is called filtered bridge mode.  I do it
myself.

You will still need to give one IP to m0n0wall, but you will NOT need to
touch a thing on the real world IPs of any of the servers.  The IP for
m0n0wall is just so you can actually contact the m0n0wall to make changes to
your filters, and such.

To do it, you will need *3* NICs in the box running m0n0.  Then "bridge" the
OPT1 interface to the WAN.  Then under "advanced" enable "filtered bridge
mode".

Voila!

Keep in mind that all your servers and such are on the OPT1 interface.  BUT,
all PPTP connections will show up on the LAN interface and therefore will
NOT be able to talk to your servers.  So, to get around that, you will need
to connect both the LAN and OPT1 interfaces into the same switch and add a
LAN IP to all your servers.

Kinda a pain that way... but in retrospect, it was a good thing after all...
All my servers have two NICs... so one gets a WAN (real world) IP and one
gets a LAN (private) IP.  If you have only one NIC, that's okay... just give
both IPs to the same NIC.

I match my LAN IPs to the WAN IPs the servers are using...

example: my main mail server is 209.32.147.34 and its LAN IP is
192.168.88.34  (note how both are .34)

Anyhow... runs GREAT and does a fabulous job of filtering and allowing me to
PPTP in to do what I want.  I also set up IPSEC between my office
(192.168.1.1) and the colocation (192.168.88.1)... again... remember, that
IPSEC (like PPTP) shows up on the LAN port under the private IP address and
CANNOT see your real-world IPs on the OPT1 port that were bridged to the WAN
port... so it travels to the servers via their private IPs.

I know... looks funny having both a LAN and OPT1 port connected to the same
switch... but hey!  It works.  Just don't accidentally connect the WAN port
to the switch as well... then you've got a problem!  Heh.

PS: Make sure you understand routing.  All the servers should use their real
world IP's gateway for default route and then add a route to each server for
any private IPs that should go over the private network (PPTP, IPSEC)...
example:  Since I access my servers from 192.168.88.x, 192.168.1.x,
192.168.10.1, 192.168.0.x IP blocks, I have routes for those IPs on each
server.  Otherwise, it'll try to send them over the WAN IP instead of the
LAN IP.
------------------------------------------------------------
Jason J Ellingson
Technical Consultant

615.301.1682 : nashville
612.605.1132 : minneapolis

www.ellingson.com
jason at ellingson dot com

-----Original Message-----
From: Jason Allen [mailto:jallen at effortlesse dot com] 
Sent: Monday, December 06, 2004 2:01 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] m0n0wall @ colocation facility

I have a question about m0n0wall. I intend to use it at our colocation
facility to provide firewall and VPN services for our network. My
question is this: I have 128 IP addresses assigned to me by my colo
facility. Those IPs are used on 3 different servers that I want to sit
behind the firewall. Ideally I would like not to use NAT, and just keep
the IPs configured the way they are on the servers, i.e. not to have
internal IPs on the servers at all. Is this possible? I think it may be
from what I've read using Advanced Outbound NAT, although I'm not sure.
So basically I would like the firewall to just be a "passthrough" and
just have the firewalling functions work to drop traffic I haven't
authorized.

If this will work this way, would my colo facility have to add anything 
into their routers to make it work? Also, would I need to change 
anything on the servers at all, like the default gateway?

Any help would be appreciated, thank you!


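The routing point in Jason Ellingson's postscript (default route via the real-world gateway, plus per-server routes for the private blocks via the LAN side) is easy to get wrong on a dual-homed server. The script below is an added illustration written for this thread, not code from the thread or from the m0n0wall project. It uses the addressing scheme from the mail (209.32.147.34 / 192.168.88.34 / 192.168.88.1, office block 192.168.1.x, plus 192.168.10.1 and 192.168.0.x), emits the Linux `ip` commands a server would need, and contains a small longest-prefix route lookup so you can see which gateway a reply packet would actually take with and without the private routes. Everything not in the thread is an assumption and marked as such in comments: interface names eth0/eth1, the colo gateway 209.32.147.1 and a /24 on the WAN segment, and 192.168.10.1 treated as a single /32 host.

```shell
#!/bin/sh
# Constructed example values following the thread's addressing scheme.
WAN_IP=209.32.147.34        # server's real-world IP (from the thread)
WAN_GW=209.32.147.1         # ASSUMPTION: colo router address, not stated in the thread
WAN_PLEN=24                 # ASSUMPTION: WAN segment netmask
LAN_IP=192.168.88.34        # server's private IP (from the thread)
LAN_GW=192.168.88.1         # m0n0wall LAN address (from the thread)
WAN_IF=eth0                 # ASSUMPTION: interface names
LAN_IF=eth1

# Private networks that must reach the server over the LAN side, i.e. via
# m0n0wall's LAN port (PPTP clients, the office IPsec tunnel).
# ASSUMPTION: 192.168.10.1 is treated as a single host (/32).
PRIVATE_ROUTES="192.168.1.0/24 192.168.10.1/32 192.168.0.0/24"

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> 32-bit netmask as an integer.
mask_of() {
  [ "$1" -eq 0 ] && { echo 0; return; }
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# The commands to run on the server: both addresses, default route out the
# WAN side, and one route per private block pointing at m0n0wall's LAN IP.
route_commands() {
  echo "ip addr add $WAN_IP/$WAN_PLEN dev $WAN_IF"
  echo "ip addr add $LAN_IP/24 dev $LAN_IF"
  echo "ip route add default via $WAN_GW dev $WAN_IF"
  for r in $PRIVATE_ROUTES; do
    echo "ip route add $r via $LAN_GW dev $LAN_IF"
  done
}

# Model of the server's routing table after route_commands, as
# "destination/prefix gateway interface" lines ("-" = directly connected).
# $1 is the list of private routes installed ("" models forgetting them).
route_table() {
  echo "0.0.0.0/0 $WAN_GW $WAN_IF"
  echo "209.32.147.0/$WAN_PLEN - $WAN_IF"
  echo "192.168.88.0/24 - $LAN_IF"
  for r in $1; do echo "$r $LAN_GW $LAN_IF"; done
}

# select_route DEST PRIVATE_ROUTES -> "gateway interface" by longest-prefix match,
# i.e. the path the kernel would pick for a reply to DEST.
select_route() {
  dest=$(ip2int "$1")
  best_len=-1
  best=""
  while read -r net gw ifc; do
    prefix=${net%/*}
    plen=${net#*/}
    mask=$(mask_of "$plen")
    if [ $(( dest & mask )) -eq $(( $(ip2int "$prefix") & mask )) ] \
       && [ "$plen" -gt "$best_len" ]; then
      best_len=$plen
      best="$gw $ifc"
    fi
  done <<EOF
$(route_table "$2")
EOF
  echo "$best"
}

# Demonstration: an office client at 192.168.1.50 (constructed address) coming
# in over the IPsec tunnel. With the private routes its replies go back via
# m0n0wall's LAN port; without them they leave via the WAN default route,
# which is exactly the failure the postscript warns about.
demo() {
  echo "Commands for $LAN_IP:"; route_commands
  echo "reply to 192.168.1.50 with routes:    $(select_route 192.168.1.50 "$PRIVATE_ROUTES")"
  echo "reply to 192.168.1.50 without routes: $(select_route 192.168.1.50 "")"
  echo "reply to 8.8.8.8 (Internet):          $(select_route 8.8.8.8 "$PRIVATE_ROUTES")"
}
demo
```

Run it as-is to print the commands and the route decisions; apply the printed `ip` lines on a server only after checking the gateway, netmask and interface assumptions against your own colo's allocation, since the thread does not give those.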