 From:  Jeffrey Goldberg <jeffrey at goldmark dot org>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  Monowall Mailing List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Can't route to DMZ from WAN
 Date:  Thu, 10 Feb 2005 20:25:09 -0800

On Feb 10, 2005, at 3:05 PM, Chris Buechler wrote:

> On Tue, 8 Feb 2005 13:43:40 -0800, Jeffrey Goldberg
> <jeffrey at goldmark dot org> wrote:
>>
>> I have a machine set up at xxx.xxx.xxx.9 using .8 as its default
>> router.  Again, it can reach both WAN and LAN, and LAN can reach it,
>> but WAN can't reach it.

> 1 - Have you enabled advanced NAT so the DMZ hosts won't get NAT'ed on
> the way out?

That, indeed, was one of the several problems.  And this is all nicely 
documented (so I have no excuse) in

   http://m0n0.ch/wall/docbook/faq-ipalias.html

I had other confounding problems causing other problems, and so it was 
harder to identify this one (Indeed, I'd tried this at one point before 
solving the other problems and failed).

The other problem, almost too embarrassing to admit, was simply bad
network math.  The subnet for the DMZ is xxx.xxx.xxx.8/29.  I had given
.8 as the IP address of the OPT1 interface.  But, of course, the first
usable address is .9.

In some test configurations, I had that problem and in others I didn't.
So it made it harder for me to pinpoint that NAT problem.

-j

-- 
Jeffrey Goldberg                        http://www.goldmark.org/jeff/
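The subnet arithmetic behind the second problem in the message above, as an added example that is not part of the original thread or of m0n0wall. The prefix 192.0.2.8/29 is a constructed placeholder for the masked xxx.xxx.xxx.8/29 in the mail, and the function names are mine. The check flags an interface or gateway address that falls on the network or broadcast address of its subnet, which is exactly the mistake described (giving the OPT1 interface .8 instead of the first usable host .9).

```python
import ipaddress

def subnet_plan(cidr: str) -> dict:
    """Return the addresses a /29 (or any prefix) actually gives you.

    strict=False lets a host-style value such as "192.0.2.9/29" be
    normalised to its network, 192.0.2.8/29, instead of raising.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())          # excludes network and broadcast
    return {
        "network": str(net.network_address),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "usable_count": len(hosts),
    }

def check_address(cidr: str, addr: str) -> str:
    """Classify an address you intend to assign to an interface or use
    as a default router inside the given subnet."""
    net = ipaddress.ip_network(cidr, strict=False)
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        return "outside subnet"
    if ip == net.network_address:
        return "network address (not assignable)"
    if ip == net.broadcast_address:
        return "broadcast address (not assignable)"
    return "ok"

def audit(cidr: str, assignments: dict) -> list:
    """Run check_address over a role -> address mapping and return the
    roles whose address is not usable."""
    return [role for role, addr in assignments.items()
            if check_address(cidr, addr) != "ok"]

if __name__ == "__main__":
    # Constructed stand-in for the DMZ in the mail: .8/29, OPT1 given .8,
    # a DMZ host at .9 pointing its default route at .8.
    dmz = "192.0.2.8/29"
    print(subnet_plan(dmz))
    bad_config = {"opt1_interface": "192.0.2.8",
                  "dmz_host": "192.0.2.9",
                  "dmz_host_gateway": "192.0.2.8"}
    print("problems:", audit(dmz, bad_config))
    good_config = {"opt1_interface": "192.0.2.9",
                   "dmz_host": "192.0.2.10",
                   "dmz_host_gateway": "192.0.2.9"}
    print("problems:", audit(dmz, good_config))
```

A /29 gives eight addresses, of which six are assignable: the first (.8 here) is the network address and the last (.15) is broadcast. In the first configuration the audit reports both the OPT1 interface and the host's gateway, since both sit on the network address; the second configuration reports nothing.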