Jason J. Ellingson wrote:
> I run 8 servers at a co-location facility with m0n0wall protecting them.
> Yes, you can do what you want. It is called filtered bridge mode. I do it
> You will still need to give one IP to m0n0wall, but you will NOT need to
> touch a thing on real world IPs any of the servers. The IP for m0n0wall is
> just so you can actually contact the m0n0wall to make changes to your
> filters, and such.
> To do it, you will need *3* NICs in the box running m0n0. Then "bridge" the
> OPT1 interface to the WAN. Then under "advanced" enable "filtered bridge
As I sent offlist to Jason Allen - I'm doing this but I'm just using a
WAN and LAN interface.
My WAN interface has a /30 with one IP on my WAN card, and the other IP
in the /30 is the gateway for my upstream.
My LAN interface has a public /24 and I'm using .1 as the LAN IP
address/gateway and then all my servers are numbered out of this. I went
to 1:1 NAT and added my range there, then went to the firewall rules and
did the same allow all as with the default LAN rule.
Works very well, and then for servers I do want to filter stuff (those
pesky Windows machines *kick*), I add rules above my allow all rule to
catch traffic for those specific IP's. I have nothing in my Inbound NAT