bad trip wrote:
> hi,
>
> i'm running m0n0wall 1.1 and i have the following config :
>
>
> DMZ (opt1 : 192.168.101.0/24)
> |
> |
> | 192.168.101.254
> m0n0wall----------------INTERNET (WAN)
> |192.168.0.254
> |
> |
> LAN (LAN : 192.168.0.0/24)
>
> I have a computer in DMZ which is 192.168.101.1
> I have a computer in LAN which is 192.168.0.1
> i would like to be able to telnet/ping the DMZ computer.
> I added a static route :
> - Interface : LAN
> - Destination network : 192.168.0.0/24
> - Gateway : 192.168.101.254
>
> I have no ping reply from the dmz computer ...
> The firewall rules on opt1 and LAN are set to let pass everything to anywhere.
>
> any idea on what's wrong ?

First of all, that's not a true DMZ. True DMZs have public IPs. Are you performing 1:1 NAT to the DMZ interface?

You shouldn't need static routes for a true DMZ (with public IPs). Just turn on Advanced Outbound NAT with NO RULES for the DMZ interface. Add a LAN -> WAN outbound NAT rule, and a LAN -> DMZ outbound NAT rule. m0n0wall adds routing automatically.

You'll also have to add filter rules stating that the LAN can access anything it wants using any protocol and any port range.

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net