The public IP address for the server-in-the-DMZ is on the WAN interface.
So the WAN interface responds to and takes in packets for its own IP
address and also the real IP addresses mapped to the servers in the DMZ.
The packets are then forwarded to the DMZ interface with the destination
IP address changed to the Private IP address of the server.
Your server would get the packets as coming from the original IP address
so your analyzer would be fine.
Hope the wording above isn't too confusing...
Allan Mogensen wrote:
> Okay.. I will try this, this indicates that the firewall does not support
> public IPs on the DMZ interface (NAT zero) or ?? - this would be a big
> problem if I was to run some traffic analyzer/statistics module on the web
> server.. all traffic would be coming from the same IP... I guess..
> -----Original Message-----
> From: sai <list at ebs dot net dot pk>
> To: Allan Mogensen <allan at 1966 dot dk>
> Cc: m0n0wall at lists dot m0n0 dot ch
> Date: Mon, 14 Mar 2005 15:10:41 +0500
> Subject: Re: [m0n0wall] DMZ and public ip problem
>>Allan Mogensen wrote:
>>>Looking for a replacement of my existing fw, m0n0 has come to my
>>>looks like just the fw I need :-)
>>>However I cannot figure out the way to configure the DMZ with public
>>>the m0n0 FW..
>>This is the HOWTO that I use (it's based on posts from this list)
>>(public IP address == real IP address as assigned to you from your ISP)
>>(private IP == your internal network such as 192.168.10.1)
>>How to Setup a DMZ.
>>Here is an example DMZ setting for a web server
>> Assign private IP address to your server in the DMZ e.g.
>> on the menu: Firewall > NAT > Server NAT add the public IP address of
>>the server (plus description if you want to do it properly)
>> in the Services menu > Proxy ARP add the public IP addresses
>>that the WAN port can respond to all the public IP addresses)
>> again in the Firewall menu > NAT > Inbound add the following rule
>>External address: public IP address of the server
>>Protocol: TCP (or as desired)
>>External port range from: POP (or as desired)
>>NAT IP: private IP address for server
>>Local port: POP (or as desired)
>> tick the box that says auto add rules.