Jason J. Ellingson wrote:
> I run 8 servers at a co-location facility with m0n0wall protecting them.
>
> Yes, you can do what you want. It is called filtered bridge mode. I do it
> myself.
>
> You will still need to give one IP to m0n0wall, but you will NOT need to
> touch a thing on the real-world IPs of any of the servers. The IP for m0n0wall is
> just so you can actually contact the m0n0wall to make changes to your
> filters, and such.
>
> To do it, you will need *3* NICs in the box running m0n0. Then "bridge" the
> OPT1 interface to the WAN. Then under "advanced" enable "filtered bridge
> mode".
>
As I sent offlist to Jason Allen - I'm doing this but I'm just using a
WAN and LAN interface.
My WAN interface has a /30 with one IP on my WAN card, and the other IP
in the /30 is the gateway for my upstream.
My LAN interface has a public /24 and I'm using .1 as the LAN IP
address/gateway and then all my servers are numbered out of this. I went
to 1:1 NAT and added my range there, then went to the firewall rules and
did the same allow all as with the default LAN rule.
Works very well, and then for servers I do want to filter stuff (those
pesky Windows machines *kick*), I add rules above my allow all rule to
catch traffic for those specific IPs. I have nothing in my Inbound NAT
rules.