 From:  Paulo Pinto <paulo dot pinto at interacesso dot pt>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Is it m0n0wall for me ? DMZ with multiple subnets
 Date:  Thu, 09 Dec 2004 14:20:33 +0000
Hello all.

Even though my last question remains unanswered, I'll give it a second 
shot and try to find an answer to another problem...

I'm trying to use a m0n0wall in an odd implementation, but I keep on 
failing... maybe m0n0 isn't the right choice?

Scenario:

- WAN link provided by a Cisco router. m0n0wall's WAN interface 
connected to the router via a /30 network (255.255.255.252 mask)
- Standard LAN situation (no problems here). Works like a charm.
- DMZ (opt interface) with several networks (let's say they're all /30s)
- Router has static routes for all of the DMZ networks pointing to the 
m0n0wall WAN interface
- NAT used only for the LAN internet access.
- No static routes nor proxy arp entries.
 
Problems found:

Each server on my DMZ has to have a gateway (obvious...). Without the 
m0n0wall, it would be the Cisco router (via "secondary" IP addresses on 
the FastEthernet interface) that would do the task. With m0n0wall, it 
has to be the DMZ interface that must assume the IP address of each of 
the needed gateways. Assuming I have, for example, 3 x /30 networks, the 
DMZ interface should have 3 IP addresses.
Now let's assume I gave the DMZ interface a "bogus" IP address of 
10.10.10.1 and then, using "exec.php", added the needed aliases to 
make the DMZ the default gateway for my machines:

1: no routing. I thought that m0n0wall had IPv4 routing enabled by 
default, but it doesn't seem so. Adding a static route for all 3 networks 
using the m0n0wall WAN interface's IP address as the next hop seemed to 
solve the problem, but pinging one of the DMZ machines from the "world" 
resulted in the response source being the WAN interface IP. Not good.

2: no traffic originating on the DMZ. Even allowing any -> DMZ and DMZ 
-> any, any port, the traffic originating on the DMZ (DNS queries, for 
example) is blocked by the default "catchall block rule" on the DMZ 
interface. It seems that the traffic with DMZ as the destination 
(originating in the "world") goes through, though.

Am I missing something blatantly obvious here, or isn't m0n0wall the 
right choice in this case?
Is it possible to implement this kind of scenario with m0n0wall, or am I 
just wasting my time?

Best regards and TIA,

-- 
Paulo Pinto
Nortenet/Interacesso
paulo dot pinto at interacesso dot pt
+351 96 9830611