Okay, I've given your suggestion a try, which makes perfect sense.
However it didn't work :(
I'm using the latest beta version, 1.2b3. I hooked up the m0n0wall
according to your instruction, gave the WAN port it's own IP, and
bridged OPT1 to the WAN. I started out by testing using the built in
ping utility to see if I could ping out to the world, and I could, I
tried the gateway and my other servers, no problems with pings. Then I
hooked my laptop to OPT1, and assigned it an IP from my colocation
facility. From the laptop I couldn't ping anything, the m0n0wall, the
At that point I shut off the "Filtered Bridge Mode" option, which I
assumed should have then let ANY traffic pass through to the OPT1
interface, regardless of my firewall settings. Still nothing at that
point. I also tried re-enabling the "Filtered Bridge Mode" and setting a
firewall rule to pass all traffic, still no luck.
I went so far as to reset everything back to factory presets, and try
again, and still nothing. Should I try the non-beta version? Any
suggestions? Everyone's help is greatly appreciated, especially yours,
Jason J. Ellingson wrote:
>I run 8 servers at a co-location facility with m0n0wall protecting them.
>Yes, you can do what you want. It is called filtered bridge mode. I do it
>You will still need to give one IP to m0n0wall, but you will NOT need to
>touch a thing on real world IPs any of the servers. The IP for m0n0wall is
>just so you can actually contact the m0n0wall to make changes to your
>filters, and such.
>To do it, you will need *3* NICs in the box running m0n0. Then "bridge" the
>OPT1 interface to the WAN. Then under "advanced" enable "filtered bridge
>Keep in mind that all your servers and such are on the OPT1 interface. BUT,
>all PPTP connections will show up on the LAN interface and therefore will
>NOT be able to talk to your servers. So, to get around that, you will need
>to connect both the LAN and OPT1 interfaces into the same switch and add a
>LAN IP to all your servers.
>Kinda a pain that way... but in retrospect, it was a good thing after all...
>All my servers have two NICs... so one gets a WAN (real world) IP and one
>gets a LAN (private) IP. If you have only one NIC, that's okay... just give
>both IPs to the same NIC.
>I match my LAN IPs to the WAN IPs the servers are using...
>example: my main mail server is 18.104.22.168 and its LAN IP is
>192.168.88.34 (note how both are .34)
>Anyhow... runs GREAT and does a fabulous job of filtering and allowing me to
>PPTP in to do what I want. I also set up IPSEC between my office
>(192.168.1.1) and the colocation (192.168.88.1)... again... remember, that
>IPSEC (like PPTP) show up on the LAN port under the private IP address and
>CANNOT see your real-world IPs on the OPT1 port that were bridged to the WAN
>port... so it travels to the servers via their private IPs.
>I know... looks funny having both a LAN and OPT1 port connected to same
>switch... but hey! It works. Just don't accidentally connect the WAN port
>to the switch as well... then you've got a problem! Heh.
>PS: Make sure you understand routing. All the servers should use their real
>world IP's gateway for default route and then add a route to each server for
>any private IPs that should go over the private network (PPTP, IPSEC)...
>example: Since I access my servers from 192.168.88.x, 192.168.1.x,
>192.168.10.1, 192.168.0.x IP blocks, I have routes for those IPs on each
>server. Otherwise, it'll try to send them over the WAN IP instead of the
>Jason J Ellingson
>615.301.1682 : nashville
>612.605.1132 : minneapolis
>jason at ellingson dot com
>From: Jason Allen [mailto:jallen at effortlesse dot com]
>Sent: Monday, December 06, 2004 2:01 AM
>To: m0n0wall at lists dot m0n0 dot ch
>Subject: [m0n0wall] m0n0wall @ colocation facility
>I have a question about m0n0wall. I intend to use it at our colocation
>facility to provide firewall and VPN services for our network. My
>question is this: I have 128 IP addresses assigned to me by my colo
>facility. Those IP's are used on 3 different servers that I want to sit
>behind the firewall. Ideally I would like not to use NAT, and just keep
>the IP's configured the way they are on the servers, i.e. not to have
>internal IP's on the servers at all. Is this possible? I think it may be
>from what I've read using Advanced Outbound NAT, although I'm not sure.
>So basically I would like the firewall to just be a "passthrough" and
>just have the firewall'ing functions work to drop traffic I haven't
>If this will work this way, would my colo facility have to add anything
>into their routers to make it work? Also, would I need to change
>anything on the servers at all, like the default gateway?
>Any help would be appreciated, thank you!
>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch