Even though my last question remains unanswered, I'll give it a second
shot and try to find an answer to another problem...
I'm trying to use a m0n0wall in an odd implementation, but I keep on
failing... maybe m0n0 isn't the right choice?
- WAN link provided by a Cisco router. m0n0wall's WAN interface
connected to the router via a /30 network (255.255.255.252 mask)
- Standard LAN situation (no problems here). Works like a charm.
- DMZ (opt interface) with several networks (let's say they're all /30s)
- Router has static routes for all of the DMZ networks pointing to the
m0n0wall WAN interface
- NAT used only for the LAN internet access.
- No static routes nor proxy arp entries.
Each server on my DMZ has to have a gateway (obvious ..). Without the
m0n0wall, it would be the cisco router (via "secondary" ip addresses on
the fastethernet interface) that would do the task. With m0n0wall, it
has to be the DMZ interface that must assume the IP address of each of
the needed gateways. Assuming I have, for example, 3 x /30 networks, the
DMZ interface should have 3 IP addresses.
Now let's assume I gave the DMZ interface a "bogus" IP address of
10.10.10.1 and then, using the "exec.php", added the needed "alias" to
make the DMZ the default gateway for my machines:
1: no routing. I thought that m0n0wall had IPv4 routing enabled by
default, but it doesn't seem so. Adding a static route for all 3 networks
using the m0n0wall WAN interface's IP address as the next hop seemed to
solve the problem, but pinging one of the DMZ machines from the "world"
resulted in the response source being the WAN interface IP. Not good.
2: no traffic originating on the DMZ. Even allowing any -> DMZ and DMZ
-> any, any port, the traffic originating on the DMZ (DNS queries, for
example) is blocked by the default "catchall block rule" on the DMZ
interface. It seems that the traffic with DMZ as the destination
(originating in the "world") goes through, though.
Am I missing something blatantly obvious here, or isn't m0n0wall the
right choice in this case?
Is it possible to implement this kind of scenario with m0n0wall, or am I
just wasting my time?
Best regards and TIA,
paulo dot pinto at interacesso dot pt
+351 96 9830611
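The address plan in the post (a /30 WAN link, a NATed LAN, and several /30 DMZ networks whose gateways must all live as aliases on the m0n0wall DMZ interface, with the Cisco router holding static routes for each DMZ network toward the m0n0wall WAN address) is easy to get subtly wrong: overlapping networks, a gateway address that is not usable in its /30, or a mask that leaves no room for a server. The following is an added example, not code from the post or from the m0n0wall project. All addresses are constructed sample values, the DMZ interface name is a placeholder, and the generated `ifconfig` alias lines (FreeBSD syntax, the kind of thing one would paste into exec.php) and `ip route` lines (Cisco IOS syntax) are assumptions about how the plan would be expressed, not a verified m0n0wall configuration.

```python
"""Consistency checker and command generator for a router -> m0n0wall -> DMZ
address plan with one /30 per DMZ server. Added example; addresses are
constructed and the interface name is a placeholder."""
import ipaddress

# Constructed sample plan (assumptions, not the poster's real addresses).
WAN_LINK = "192.0.2.0/30"          # Cisco <-> m0n0wall /30 link
WAN_ROUTER_IP = "192.0.2.1"        # Cisco end of the link
WAN_M0N0_IP = "192.0.2.2"          # m0n0wall WAN interface
LAN_NET = "192.168.1.0/24"         # NATed LAN behind m0n0wall
DMZ_NETS = ["198.51.100.0/30", "198.51.100.4/30", "198.51.100.8/30"]


def check_plan(wan_link, wan_router_ip, wan_m0n0_ip, lan_net, dmz_nets):
    """Return a list of problems; an empty list means the plan is consistent."""
    wan = ipaddress.ip_network(wan_link)
    router_ip = ipaddress.ip_address(wan_router_ip)
    m0n0_ip = ipaddress.ip_address(wan_m0n0_ip)
    nets = [wan, ipaddress.ip_network(lan_net)] + [ipaddress.ip_network(n) for n in dmz_nets]
    problems = []

    # Both ends of the /30 WAN link must be usable addresses in that link.
    for ip, name in ((router_ip, "router"), (m0n0_ip, "m0n0wall")):
        if ip not in wan.hosts():
            problems.append(f"{name} WAN address {ip} is not a usable host in {wan}")
    if router_ip == m0n0_ip:
        problems.append("router and m0n0wall share the same WAN address")

    # No network may overlap another: a DMZ /30 inside the WAN link or the
    # LAN would make the static routes and the aliases ambiguous.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")

    # Each DMZ network needs at least a gateway address plus one server.
    for net in nets[2:]:
        if net.num_addresses < 4:
            problems.append(f"{net} cannot hold a gateway plus a server")
    return problems


def dmz_plan(dmz_nets):
    """Per DMZ network: (network, gateway alias for the DMZ interface, server addresses).

    The first usable address becomes the gateway the DMZ interface must
    answer for; the remaining usable addresses go to the server(s).
    """
    plan = []
    for n in dmz_nets:
        net = ipaddress.ip_network(n)
        hosts = list(net.hosts())
        plan.append((net, hosts[0], hosts[1:]))
    return plan


def m0n0_alias_commands(dmz_nets, dmz_if="<dmz_if>"):
    """FreeBSD-style ifconfig alias lines for the DMZ interface (name is a placeholder)."""
    return [f"ifconfig {dmz_if} {gw} netmask {net.netmask} alias"
            for net, gw, _ in dmz_plan(dmz_nets)]


def router_static_routes(dmz_nets, wan_m0n0_ip):
    """Cisco IOS static routes sending each DMZ network to the m0n0wall WAN address."""
    return [f"ip route {net.network_address} {net.netmask} {wan_m0n0_ip}"
            for net, _, _ in dmz_plan(dmz_nets)]


if __name__ == "__main__":
    problems = check_plan(WAN_LINK, WAN_ROUTER_IP, WAN_M0N0_IP, LAN_NET, DMZ_NETS)
    print("plan problems:", problems or "none")
    for net, gw, servers in dmz_plan(DMZ_NETS):
        print(f"{net}: gateway {gw}, servers {[str(s) for s in servers]}")
    print("\n".join(m0n0_alias_commands(DMZ_NETS)))
    print("\n".join(router_static_routes(DMZ_NETS, WAN_M0N0_IP)))
```

Running it with the constructed plan reports no problems and prints one alias line per DMZ /30 plus the matching router routes; swapping one DMZ network for the WAN link's own /30 makes `check_plan` report the overlap, which is the kind of mistake that shows up as "the reply came from the wrong address" rather than as a clear error.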