 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  jesse at wingnet dot net
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Re: Re: M0n0wall v1.2b3 in Bridge Mode
 Date:  Thu, 10 Feb 2005 00:09:05 -0500
On Wed, 09 Feb 2005 01:35:26 -0500, Jesse Guardiani <jesse at wingnet dot net> wrote:
> I've created and tested this setup at least 2 times now. Each config
> takes between an hour and two hours to setup, debug, and test. 

This is why I use the new teams feature in VMware 5 RC.  Makes
replicating this stuff a billion times easier.  A couple clicks and my
test m0n0wall virtual network was set up as needed.

I *could* replicate exactly what you're seeing.  You're not crazy.  ;)
Antispoofing rules are biting us in the ass here as well, though they
shouldn't apply to a bridged setup.

The line doing it is:
block in log quick in lnc2 from ! to any

( is the subnet of the WAN interface, lnc2 is bridged DMZ interface)

As a workaround, add a (fake) static route on the DMZ interface to
the networks behind the bridge that aren't within the WAN subnet.  The
route itself doesn't do anything since it's a bridge, but adding a
route adds exemptions for those networks to the antispoofing rules. 
The reason it was working without an IP on the WAN is because then it
didn't add the antispoofing rules the same way, if at all.

Antispoofing rules shouldn't apply to a bridge though, since you won't
add routes for bridged networks.  I'll send Manuel some better info on
this and hopefully get it resolved in some fashion other than adding
superfluous static routes.
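The check below is an added illustration of the behaviour described in this thread, not code from the post or from m0n0wall. It models the antispoofing rule on the bridged interface as "block anything whose source is outside the WAN subnet, unless a static route exists for that network", and reports which networks behind the bridge would still be dropped; the subnet and address values are constructed, and the helper names are hypothetical.

```python
# Added example (not from the mailing-list post or the m0n0wall project).
# Assumed model, as described in the thread: the rule on the bridged DMZ
# interface blocks any source outside the WAN subnet, and each configured
# static route adds an exemption for its destination network.
import ipaddress
from typing import Iterable, List


def antispoof_verdict(src_ip: str, wan_subnet: str, route_networks: Iterable[str]) -> str:
    """Return 'pass' or 'block' for a packet arriving on the bridged interface.

    Mirrors 'block in log quick ... from !<wan_subnet> to any' plus one
    exemption per static route (the workaround from the post).
    """
    src = ipaddress.ip_address(src_ip)
    if src in ipaddress.ip_network(wan_subnet):
        return "pass"
    for net in route_networks:
        if src in ipaddress.ip_network(net):
            return "pass"      # exempted because a route exists for it
    return "block"             # would be logged and dropped as spoofed


def networks_needing_fake_routes(bridged_networks: Iterable[str], wan_subnet: str,
                                 route_networks: Iterable[str]) -> List[str]:
    """List the networks behind the bridge that still hit the antispoofing rule."""
    wan = ipaddress.ip_network(wan_subnet)
    routed = [ipaddress.ip_network(n) for n in route_networks]
    missing = []
    for n in bridged_networks:
        net = ipaddress.ip_network(n)
        if net.subnet_of(wan):
            continue                      # inside the WAN subnet: never blocked
        if any(net.subnet_of(r) for r in routed):
            continue                      # already covered by a static route
        missing.append(str(net))
    return missing


if __name__ == "__main__":
    # Constructed sample: WAN on 203.0.113.0/24, hosts behind the bridged DMZ
    # also on a routed block 198.51.100.0/26 that the WAN subnet does not cover.
    WAN = "203.0.113.0/24"
    behind_bridge = ["203.0.113.64/27", "198.51.100.0/26"]
    print(networks_needing_fake_routes(behind_bridge, WAN, []))         # → ['198.51.100.0/26']
    print(antispoof_verdict("198.51.100.5", WAN, []))                   # → block
    print(antispoof_verdict("198.51.100.5", WAN, ["198.51.100.0/26"]))  # → pass
```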