Okay, I've given your suggestion a try, which makes perfect sense.
However it didn't work :(
I'm using the latest beta version, 1.2b3. I hooked up the m0n0wall
according to your instructions, gave the WAN port its own IP, and
bridged OPT1 to the WAN. I started out by testing using the built-in
ping utility to see if I could ping out to the world, and I could; I
tried the gateway and my other servers, no problems with pings. Then I
hooked my laptop to OPT1 and assigned it an IP from my colocation
facility. From the laptop I couldn't ping anything: the m0n0wall, the
gateway, nothing.
At that point I shut off the "Filtered Bridge Mode" option, which I
assumed should have then let ANY traffic pass through to the OPT1
interface, regardless of my firewall settings. Still nothing at that
point. I also tried re-enabling "Filtered Bridge Mode" and setting a
firewall rule to pass all traffic; still no luck.
I went so far as to reset everything back to factory presets and try
again, and still nothing. Should I try the non-beta version? Any
suggestions? Everyone's help is greatly appreciated, especially yours,
Jason. Thanks!
Jason J. Ellingson wrote:
>I run 8 servers at a co-location facility with m0n0wall protecting them.
>
>Yes, you can do what you want. It is called filtered bridge mode. I do it
>myself.
>
>You will still need to give one IP to m0n0wall, but you will NOT need to
>touch a thing on the real-world IPs of any of the servers. The IP for m0n0wall is
>just so you can actually contact the m0n0wall to make changes to your
>filters, and such.
>
>To do it, you will need *3* NICs in the box running m0n0. Then "bridge" the
>OPT1 interface to the WAN. Then under "advanced" enable "filtered bridge
>mode".
>
>Voila!
>
>Keep in mind that all your servers and such are on the OPT1 interface. BUT,
>all PPTP connections will show up on the LAN interface and therefore will
>NOT be able to talk to your servers. So, to get around that, you will need
>to connect both the LAN and OPT1 interfaces into the same switch and add a
>LAN IP to all your servers.
>
>Kinda a pain that way... but in retrospect, it was a good thing after all...
>All my servers have two NICs... so one gets a WAN (real world) IP and one
>gets a LAN (private) IP. If you have only one NIC, that's okay... just give
>both IPs to the same NIC.
>
>I match my LAN IPs to the WAN IPs the servers are using...
>
>example: my main mail server is 209.32.147.34 and its LAN IP is
>192.168.88.34 (note how both are .34)
>
>Anyhow... runs GREAT and does a fabulous job of filtering and allowing me to
>PPTP in to do what I want. I also set up IPSEC between my office
>(192.168.1.1) and the colocation (192.168.88.1)... again... remember that
>IPSEC (like PPTP) shows up on the LAN port under the private IP address and
>CANNOT see your real-world IPs on the OPT1 port that were bridged to the WAN
>port... so it travels to the servers via their private IPs.
>
>I know... looks funny having both a LAN and OPT1 port connected to same
>switch... but hey! It works. Just don't accidentally connect the WAN port
>to the switch as well... then you've got a problem! Heh.
>
>PS: Make sure you understand routing. All the servers should use their real-
>world IP's gateway for the default route and then add a route to each server for
>any private IPs that should go over the private network (PPTP, IPSEC)...
>example: Since I access my servers from 192.168.88.x, 192.168.1.x,
>192.168.10.1, 192.168.0.x IP blocks, I have routes for those IPs on each
>server. Otherwise, it'll try to send them over the WAN IP instead of the
>LAN IP.
>------------------------------------------------------------
>Jason J Ellingson
>Technical Consultant
>
>615.301.1682 : nashville
>612.605.1132 : minneapolis
>
>www.ellingson.com
>jason at ellingson dot com
>
>-----Original Message-----
>From: Jason Allen [mailto:jallen at effortlesse dot com]
>Sent: Monday, December 06, 2004 2:01 AM
>To: m0n0wall at lists dot m0n0 dot ch
>Subject: [m0n0wall] m0n0wall @ colocation facility
>
>I have a question about m0n0wall. I intend to use it at our colocation
>facility to provide firewall and VPN services for our network. My
>question is this: I have 128 IP addresses assigned to me by my colo
>facility. Those IPs are used on 3 different servers that I want to sit
>behind the firewall. Ideally I would like not to use NAT, and just keep
>the IPs configured the way they are on the servers, i.e. not to have
>internal IPs on the servers at all. Is this possible? I think it may be
>from what I've read using Advanced Outbound NAT, although I'm not sure.
>So basically I would like the firewall to just be a "passthrough" and
>just have the firewalling functions work to drop traffic I haven't
>authorized.
>
>If this will work this way, would my colo facility have to add anything
>into their routers to make it work? Also, would I need to change
>anything on the servers at all, like the default gateway?
>
>Any help would be appreciated, thank you!
>
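The routing advice in the quoted reply (default route via the real-world gateway, plus explicit routes for the private blocks via the LAN side, or else traffic to PPTP/IPsec clients leaves on the WAN IP) is the part that is easiest to get wrong. As an added example, not from the thread and not m0n0wall code, here is a small longest-prefix-match route lookup in Python for a dual-homed server like the ones described. It shows where a packet to a PPTP client's private address goes with and without those routes, and mirrors the ".34 stays .34" convention for deriving the LAN IP. Values taken from the reply: 209.32.147.34, the 192.168.88.0/24 LAN with m0n0wall at .1, and the remote blocks 192.168.1.x, 192.168.10.1 and 192.168.0.x. Assumptions: the public subnet 209.32.147.0/25, the colo gateway 209.32.147.1, and the interface names eth0/eth1 are constructed for the example.

```python
"""Route selection on a dual-homed colo server (constructed example).

The server has a real-world IP on the bridged OPT1/WAN segment and a
private IP on the LAN segment shared with m0n0wall's LAN port. The
default route points at the colo gateway; private blocks reached over
PPTP/IPsec need explicit routes via the m0n0wall LAN IP, otherwise the
longest-prefix match falls through to the default route.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Values from the thread
PUBLIC_IP = ip_address("209.32.147.34")       # main mail server's real-world IP
LAN_NET = ip_network("192.168.88.0/24")       # private LAN at the colo
LAN_GATEWAY = ip_address("192.168.88.1")      # m0n0wall's LAN address
REMOTE_PRIVATE = [                            # blocks admins connect from over PPTP/IPsec
    ip_network("192.168.1.0/24"),
    ip_network("192.168.10.1/32"),
    ip_network("192.168.0.0/24"),
]

# Assumed for the example (not stated in the thread)
PUBLIC_NET = ip_network("209.32.147.0/25")    # a 128-address public block
PUBLIC_GATEWAY = ip_address("209.32.147.1")   # the colo facility's gateway
WAN_IFACE, LAN_IFACE = "eth0", "eth1"         # NIC carrying the public / private IP


@dataclass(frozen=True)
class Route:
    dest: IPv4Network
    gateway: Optional[IPv4Address]  # None means directly connected
    iface: str


def lan_ip_for(public: IPv4Address, lan_net: IPv4Network) -> IPv4Address:
    """Mirror the host part of the public address into the LAN net (.34 <-> .34)."""
    host = int(public) & int(lan_net.hostmask)
    return IPv4Address(int(lan_net.network_address) | host)


def build_routes(include_private_routes: bool) -> List[Route]:
    """Server routing table with or without the per-block private routes."""
    routes = [
        Route(PUBLIC_NET, None, WAN_IFACE),                         # connected: public subnet
        Route(LAN_NET, None, LAN_IFACE),                            # connected: private subnet
        Route(ip_network("0.0.0.0/0"), PUBLIC_GATEWAY, WAN_IFACE),  # default via colo gateway
    ]
    if include_private_routes:
        routes += [Route(net, LAN_GATEWAY, LAN_IFACE) for net in REMOTE_PRIVATE]
    return routes


def next_hop(routes: List[Route], dst: str) -> Tuple[str, str]:
    """Longest-prefix match: returns (next-hop address, outgoing interface)."""
    addr = ip_address(dst)
    best = max((r for r in routes if addr in r.dest), key=lambda r: r.dest.prefixlen)
    hop = best.gateway if best.gateway is not None else addr  # connected: deliver directly
    return str(hop), best.iface


def route_commands(routes: List[Route]) -> List[str]:
    """Render the non-connected routes as Linux `ip route` commands (illustrative)."""
    return [
        f"ip route add {r.dest} via {r.gateway} dev {r.iface}"
        for r in routes
        if r.gateway is not None
    ]


if __name__ == "__main__":
    print("LAN IP for", PUBLIC_IP, "->", lan_ip_for(PUBLIC_IP, LAN_NET))
    client = "192.168.1.20"  # constructed: a PPTP client's private address
    print("without private routes:", next_hop(build_routes(False), client))
    print("with private routes:   ", next_hop(build_routes(True), client))
    for cmd in route_commands(build_routes(True)):
        print(cmd)
```

Without the private routes the reply to 192.168.1.20 is handed to the colo gateway on the public NIC, which is exactly the symptom the reply warns about; with them it goes to m0n0wall's LAN address and reaches the VPN client.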