Re: [m0n0wall] Can't route to DMZ from WAN

From:	Chris Buechler <cbuechler at gmail dot com>
To:	Jeffrey Goldberg <jeffrey at goldmark dot org>
Cc:	Monowall Mailing List <m0n0wall at lists dot m0n0 dot ch>
Subject:	Re: [m0n0wall] Can't route to DMZ from WAN
Date:	Thu, 10 Feb 2005 18:05:28 -0500

On Tue, 8 Feb 2005 13:43:40 -0800, Jeffrey Goldberg
<jeffrey at goldmark dot org> wrote:
>
> I have a machine set up at xxx.xxx.xxx.9 using .8 as its default
> router.  Again, it can reach both WAN and LAN, and LAN can reach it,
> but WAN can't reach it.  

1 - Have you enabled advanced NAT so the DMZ hosts won't get NAT'ed on
the way out?  That would also NAT outbound return traffic, so this
would definitely cause the problem you're describing.  Though in that
instance you should see dropped traffic in the logs.
2 - Possibly need Proxy ARP?  (I'd guess not in this situation)
3 - Possibly the router holding on to some previous MAC address in its
ARP cache for those DMZ IP's?  Ciscos cache for 4 hours by default.

-Chris