 
 From:  "bad trip" <craps at mail dot com>
 To:  jesse at wingnet dot net
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Re: Pinging DMZ from LAN ?
 Date:  Tue, 07 Dec 2004 11:17:58 -0500
----- Original Message -----
From: "Jesse Guardiani" <jesse at wingnet dot net>
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Re: Pinging DMZ from LAN ?
Date: Tue, 07 Dec 2004 10:30:21 -0500

> 
> bad trip wrote:
> 
> > Hi,
> >
> > I'm running m0n0wall 1.1 and I have the following config:
> >
> >
> >      DMZ (opt1 : 192.168.101.0/24)
> >        |
> >        |
> >        | 192.168.101.254
> > m0n0wall----------------INTERNET (WAN)
> >        |192.168.0.254
> >        |
> >        |
> >      LAN (LAN : 192.168.0.0/24)
> >
> > I have a computer in the DMZ which is 192.168.101.1
> > I have a computer in the LAN which is 192.168.0.1
> > I would like to be able to telnet/ping the DMZ computer.
> > I added a static route:
> >      - Interface : LAN
> >      - Destination network : 192.168.0.0/24
> >      - Gateway : 192.168.101.254
> >
> > I have no ping reply from the DMZ computer ...
> > The firewall rules on opt1 and LAN are set to let pass everything to
> > anywhere.
> >
> > Any idea on what's wrong?
> 
> First of all, that's not a true DMZ. True DMZs have public
> IPs. Are you performing 1:1 NAT to the DMZ interface?
> 

Thanks for your answer.
Yeah, that's not a true DMZ. I just have one public IP on the WAN interface.
I'm not performing 1:1 NAT to the DMZ interface.
Yet, I'm just forwarding some external ports to the DMZ computer.

I assume the following hints you gave me are available if
I have a public IP on my DMZ, right?

> You shouldn't need static routes for a true DMZ (with
> public IPs). Just turn on Advanced Outbound NAT with NO
> RULES for the DMZ interface. Add a LAN -> WAN outbound
> NAT rule, and a LAN -> DMZ outbound NAT rule. m0n0wall
> adds routing automatically.
> 
> You'll also have to add filter rules stating that the LAN
> can access anything it wants using any protocol and
> any port range.
> 

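As an added example (not code from the thread or from m0n0wall), a small sanity check for the static route in the original question: the firewall's interface addresses are taken from the diagram, and the StaticRoute fields mirror the three fields the poster filled in. Run on the posted route it reports that 192.168.0.0/24 is already directly connected and that the gateway is not on the LAN subnet, which is why that route cannot help.

```python
import ipaddress
from dataclasses import dataclass

# Constructed from the thread's diagram: the firewall's own address on each
# interface. "OPT1" is the DMZ interface, "LAN" the inside network.
INTERFACES = {
    "LAN": ipaddress.ip_interface("192.168.0.254/24"),
    "OPT1": ipaddress.ip_interface("192.168.101.254/24"),
}


@dataclass(frozen=True)
class StaticRoute:
    """The three fields the poster filled in on the static routes page."""
    interface: str
    destination: str  # destination network in CIDR notation
    gateway: str      # next-hop address


# The route exactly as posted in the original question.
POSTED_ROUTE = StaticRoute("LAN", "192.168.0.0/24", "192.168.101.254")


def check_static_route(route, interfaces=INTERFACES):
    """Return the reasons a static route cannot do what was intended.

    A static route is only useful when the destination is not already a
    directly connected network and the gateway is a host on the chosen
    interface's own subnet (the router must be able to ARP for it).
    A route whose gateway is one of the router's own addresses is a no-op.
    """
    problems = []
    if route.interface not in interfaces:
        return [f"unknown interface {route.interface!r}"]
    ifaddr = interfaces[route.interface]
    dest = ipaddress.ip_network(route.destination, strict=False)
    gw = ipaddress.ip_address(route.gateway)

    for name, addr in interfaces.items():
        if dest.subnet_of(addr.network):
            problems.append(f"{dest} is directly connected on {name}; "
                            "no static route is needed for it")
            break
    if gw not in ifaddr.network:
        problems.append(f"gateway {gw} is not on {route.interface}'s "
                        f"subnet {ifaddr.network}")
    if gw in {addr.ip for addr in interfaces.values()}:
        problems.append(f"gateway {gw} is one of the firewall's own addresses")
    return problems


if __name__ == "__main__":
    for p in check_static_route(POSTED_ROUTE):
        print("-", p)
```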