Hi and greetings to everyone. I've gone ahead and set up a m0n0wall
firewall at work with a NATed LAN -> WAN. It works ok and I've got
rules set up to block out the nasty stuff.
What I'm having a problem doing (if it's even possible) is setting up a
different subnet on OPT1 that can communicate with LAN but have nothing
go out the WAN. Perhaps this drawing might help
                  |                  |
  test      OPT1  |   +--------+ WAN |     net
  network +-------|---|m0n0wall|-----|---- connection
                  |   +--------+     |
                  |       |          |
                          |
                          |
                          |LAN
                   ---------------
                     production
                       network
Making the following assumptions:
WAN is 192.168.0.55
LAN is 172.16.33.1
OPT1 is 172.16.34.1
Nothing from OPT1 should go out to the WAN. Ports 137-139 are allowed
between OPT1 and LAN. LAN is NATed. I'm getting a bit confused in
trying to set this up. Since LAN is NATed - and after reading the
IPFilter FAQ - should rules on OPT1 be set up to allow from network
192.168.0.55 or 172.16.33.1? IPFilter supposedly does NAT translation
once a packet passes through the interface. THEN it does the rule handling.
Has anybody else tried this?
In case it helps, I'm trying to set up a test network for the
engineering group. They're playing with some devices that occasionally
have the same MAC address or try to take over some IP addresses. I just
want to give them their own little network so it doesn't break our
production network. Oh yeah, we need to access the Windows shares on
those devices.
Any help is appreciated...
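Added example, not part of the original message and not m0n0wall or IPFilter code: a small Python model of the policy described in the post, useful for checking which addresses the OPT1 rules have to name. It assumes /24 masks on LAN and OPT1, constructed host addresses (172.16.33.20, 172.16.34.10, 203.0.113.5), that rules are evaluated on the interface a packet enters with first match winning (m0n0wall behaviour), and that outbound NAT rewrites the source address only when a packet leaves via WAN. Under those assumptions the rules on OPT1 and LAN always see the untranslated 172.16.x.x addresses; 192.168.0.55 only ever appears on the WAN side.

```python
"""Toy model of the m0n0wall policy described in the post.

Constructed example, not m0n0wall or IPFilter code. It models two things
the post asks about: rules are evaluated on the interface a packet
ENTERS (first match wins, implicit block), and outbound NAT rewrites the
source address only when a packet LEAVES via WAN. Addresses are the
post's; the /24 masks and the host addresses are assumptions. The model
is stateless: reply packets are not tracked.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

WAN_ADDR = ip_address("192.168.0.55")        # WAN address from the post
LAN_NET = ip_network("172.16.33.0/24")       # LAN is 172.16.33.1, /24 assumed
OPT1_NET = ip_network("172.16.34.0/24")      # OPT1 is 172.16.34.1, /24 assumed
ANY = ip_network("0.0.0.0/0")
NETBIOS = range(137, 140)                    # ports 137-139 allowed OPT1 <-> LAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    src_net: object                   # ip_network the source must fall in
    dst_net: object                   # ip_network the destination must fall in
    dports: range = range(0, 65536)   # destination ports, default any

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in self.src_net
                and ip_address(pkt.dst) in self.dst_net
                and pkt.dport in self.dports)


# Rule sets keyed by the interface the traffic enters. Anything not
# matched is blocked, so OPT1 needs only the one pass rule for the shares.
RULES = {
    "lan": [Rule("pass", LAN_NET, ANY)],                 # stock "LAN to any"
    "opt1": [Rule("pass", OPT1_NET, LAN_NET, NETBIOS)],  # shares only, nothing to WAN
}


def filter_inbound(iface: str, pkt: Packet) -> str:
    """First matching rule on the ingress interface decides; else block."""
    for rule in RULES.get(iface, []):
        if rule.matches(pkt):
            return rule.action
    return "block"


def egress_interface(pkt: Packet) -> str:
    """Route by destination: directly attached nets, otherwise default via WAN."""
    dst = ip_address(pkt.dst)
    if dst in LAN_NET:
        return "lan"
    if dst in OPT1_NET:
        return "opt1"
    return "wan"


def forward(ingress: str, pkt: Packet) -> tuple:
    """Return (verdict, egress_iface, packet as it leaves the firewall).

    Filtering uses the addresses the packet arrived with; NAT is applied
    afterwards and only on WAN egress, so LAN and OPT1 rules never need
    to mention WAN_ADDR.
    """
    verdict = filter_inbound(ingress, pkt)
    if verdict == "block":
        return ("block", None, None)
    out_iface = egress_interface(pkt)
    if out_iface == "wan":
        pkt = replace(pkt, src=str(WAN_ADDR))  # outbound NAT to the WAN address
    return ("pass", out_iface, pkt)


if __name__ == "__main__":
    cases = [
        ("opt1", Packet("172.16.34.10", "172.16.33.20", 139)),  # test box -> LAN share
        ("opt1", Packet("172.16.34.10", "172.16.33.20", 445)),  # port not in 137-139
        ("opt1", Packet("172.16.34.10", "203.0.113.5", 80)),    # test box -> Internet
        ("lan", Packet("172.16.33.20", "172.16.34.10", 139)),   # LAN -> share on test device
        ("lan", Packet("172.16.33.20", "203.0.113.5", 80)),     # LAN -> Internet, NATed
    ]
    for iface, pkt in cases:
        print(f"in {iface}: {pkt} -> {forward(iface, pkt)}")
```

Running it shows the OPT1-to-LAN NetBIOS packet passing with its 172.16.34.10 source intact, the same packet to port 445 or to an outside address being blocked on OPT1, and the LAN-to-OPT1 packet arriving on the test network with its private 172.16.33.20 source; only the LAN-to-Internet packet leaves with 192.168.0.55.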