On Tuesday 07 December 2004 11:17 am, bad trip wrote:
[...]
> > First of all, that's not a true DMZ. True DMZs have public
> > IPs. Are you performing 1:1 NAT to the DMZ interface?
> >
>
> thanks for your answer;
> Yeah that's not a true DMZ. I just have one public IP on the WAN interface.
> I'm not performing 1:1 NAT to the DMZ interface.
> Yet, I'm just forwarding some external ports to the DMZ computer.
>
> I assume the following hints you gave me are available if
> I have a public IP on my DMZ, right?

Correct. However, I *think* m0n0wall will automatically route
between your DMZ and LAN without any additional config. Just
make sure you have rules stating that the DMZ can send ICMP
packets to the LAN and vice versa.

> > You shouldn't need static routes for a true DMZ (with
> > public IPs). Just turn on Advanced Outbound NAT with NO
> > RULES for the DMZ interface. Add a LAN -> WAN outbound
> > NAT rule, and a LAN -> DMZ outbound NAT rule. m0n0wall
> > adds routing automatically.
> >
> > You'll also have to add filter rules stating that the LAN
> > can access anything it wants using any protocol and
> > any port range.

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net