 From:  Jesse Guardiani <jesse at wingnet dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: m0n0wall @ colocation facility
 Date:  Mon, 06 Dec 2004 08:39:51 -0500
Jason Allen wrote:

> I have a question about m0n0wall. I intend to use it at our colocation
> facility to provide firewall and VPN services for our network. My
> question is this: I have 128 IP addresses assigned to me by my colo
> facility. Those IPs are used on 3 different servers that I want to sit
> behind the firewall. Ideally I would like not to use NAT, and just keep
> the IPs configured the way they are on the servers, i.e. not to have
> internal IPs on the servers at all. Is this possible? I think it may be
> from what I've read using Advanced Outbound NAT, although I'm not sure.
> So basically I would like the firewall to just be a "passthrough" and
> just have the firewalling functions work to drop traffic I haven't
> authorized.

Yes, you can do that. Turn on advanced outbound NAT, and don't add any
advanced outbound NAT rules and NAT will effectively be disabled. This
is called a DMZ. It's typically most useful when you have a LAN interface
on the m0n0wall that needs NAT *and* a public interface that doesn't need
NAT, but you should be able to use it just to block unwanted public traffic.

> If this will work this way, would my colo facility have to add anything
> into their routers to make it work? Also, would I need to change
> anything on the servers at all, like the default gateway?

I think the m0n0wall will need to be the default gateway. Otherwise, if
a router is the default gateway, for example, then traffic will likely
come back in through the router and bypass the m0n0wall. Better to make
everything go through the m0n0wall.

Alternatively, you might be able to set up m0n0wall as a filtering bridge.
In that case, as long as the m0n0wall is physically between the default
gateway and your switch you can still be assured that all traffic will
pass through the m0n0wall, but IP changes probably wouldn't be necessary.
Test it. I haven't used m0n0wall as a filtering bridge yet.

Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
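The reply above ends with "Test it." As an added example that is not part of the thread, here is a small set of checks a server behind the m0n0wall can run to confirm the two points Jesse makes: the firewall must be the server's default gateway and first hop (so nothing routes around it), and with advanced outbound NAT enabled and no rules, the server's own public address must be what the outside world sees. FIREWALL_IP, the addresses and the command outputs are constructed assumptions in the format of `netstat -rn` and `traceroute -n`.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed: FIREWALL_IP is the
# m0n0wall's address on the server segment; the sample outputs below are
# constructed in the format of 'netstat -rn' and 'traceroute -n'.

FIREWALL_IP="${FIREWALL_IP:-203.0.113.1}"

# 1. The default route must point at the m0n0wall; if it points at the colo
#    router instead, return traffic can come back through the router and
#    bypass the firewall entirely.
gateway_is_firewall() {
    gw=$(printf '%s\n' "$1" | awk '$1 == "default" || $1 == "0.0.0.0" { print $2; exit }')
    [ "$gw" = "$FIREWALL_IP" ]
}

# 2. The first hop on the way out must also be the m0n0wall, so outbound
#    traffic is not taking some other path around it.
first_hop_is_firewall() {
    hop=$(printf '%s\n' "$1" | awk '$1 == "1" { print $2; exit }')
    [ "$hop" = "$FIREWALL_IP" ]
}

# 3. With advanced outbound NAT on and no rules, the address an outside
#    host observes must equal the server's own public address (no rewrite).
not_natted() {
    [ "$1" = "$2" ]
}

# Constructed sample data: a server at 203.0.113.10 with the firewall as gateway.
SAMPLE_ROUTES="Destination        Gateway            Flags
default            203.0.113.1        UGS
203.0.113.0/25     link#1             U"
SAMPLE_TRACE=" 1  203.0.113.1  0.412 ms  0.380 ms  0.371 ms
 2  198.51.100.1  1.205 ms  1.190 ms  1.177 ms"

# Run all three checks on the sample data; one line per check, non-zero
# exit status if any check fails.
run_checks() {
    status=0
    gateway_is_firewall "$SAMPLE_ROUTES" && echo "default gateway: ok" || { echo "default gateway: not the firewall"; status=1; }
    first_hop_is_firewall "$SAMPLE_TRACE" && echo "first hop: ok" || { echo "first hop: not the firewall"; status=1; }
    not_natted "203.0.113.10" "203.0.113.10" && echo "NAT: none" || { echo "NAT: source address rewritten"; status=1; }
    return $status
}
```

On a real server, feed the functions the live output of `netstat -rn` and `traceroute -n <external host>`, and compare the local address with what an external host reports seeing.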