Chris,

I configured Firewall:NAT 1:1 as you suggested.

interface | ext-IP          | int-IP       | desc
WAN       | aa.43.155.34/32 | 192.168.1.10 | www
WAN       | aa.43.155.35/32 | 192.168.1.11 | www
WAN       | aa.43.155.36/32 | 192.168.1.12 | mail

Each private IP is a separate box.

Now on the Firewall:Rules tab, should I set up:

WAN interface
proto | source | port | dest         | port | desc
tcp   | any    | 80   | aa.43.a55.34 | 80   | www server
tcp   | any    | 80   | aa.43.a55.35 | 80   | www server
tcp   | any    | 25   | aa.43.a55.36 | 25   | smtp
tcp   | any    | 110  | aa.43.a55.36 | 110  | pop3

Currently the public servers are in the LAN. I am wondering if I should be using the LAN interface instead.

LAN interface
proto | source       | port | dest          | port | desc
tcp   | aa.43.a55.34 | 80   | 192.168.1.34  | 80   | www server
tcp   | aa.43.a55.35 | 80   | 192.168.1.35  | 80   | www server
tcp   | aa.43.a55.36 | 25   | 192.168.1.36  | 25   | smtp
tcp   | aa.43.a55.36 | 110  | 192.168.1.36  | 110  | pop3

I also added a third NIC for a DMZ to move the servers to eventually.

I read the link to the doc page and tried to follow along, but I am still a little fuzzy on which interface to add the rules to. If this is a little unclear, I can email you my config.xml.

Thanks,
- Don

On Sat, 5 Mar 2005 09:35:31 -0500, Don Munyak <don dot munyak at gmail dot com> wrote:
> Thanks...
>
> I have already set up a page in the wiki "FirewallBehindRouter". I plan
> on showing a sanitized Border Router config as well as m0n0wall.
>
> As I get this worked out I will post my steps. For me, it will serve
> as self-documentation as well as contributing to the project.
>
>
> On Sat, 5 Mar 2005 00:23:24 -0500, Chris Buechler <cbuechler at gmail dot com> wrote:
> > On Fri, 4 Mar 2005 14:20:21 -0500, Don Munyak <don dot munyak at gmail dot com> wrote:
> > > I am still trying to work through this, so if something doesn't make
> > > sense, it's either because I'm not sure or I didn't do a good job of
> > > explaining it.
> > >
> > > SCENARIO:
> > > I would like to introduce m0n0wall into our network as a second
> > > layer of physical defense. We have a group of public servers, web and
> > > email. We have a public subnet range of 14 usable IPs. We are not
> > > using all of them currently.
> > >
> > > Existing public access is gained by NAT'ing public IPs to
> > > non-routable private IPs for a given server and limiting the
> > > protocol used for public access. Once I figure out some of the pieces
> > > I need to forward inbound requests, I will probably re-work the
> > > existing ACLs.
> > >
> > > The Cisco Border Router is configured as such:
> > >
> > > >>> EXISTING Config:
> > >
> > > --Internet-----(s0.744)Router/FW(e0)-----LAN
> > >
> > > s0.744
> > > xx.43.154.230 / 255.255.255.252
> > >
> > > e0
> > > xx.43.155.33 / 255.255.255.240
> > > 192.168.222.1 / 255.255.255.0 secondary
> > >
> > > ip nat inside source static 192.168.222.18 xx.43.155.45
> > > ip nat inside source static 192.168.222.2 xx.43.155.43
> > > ip nat inside source static 192.168.222.40 xx.43.155.41
> > > ip nat inside source static 192.168.222.9 xx.43.155.39
> > >
> > > -- REMARK Reflexive ACL applied to s0 interface
> > > ip access-list extended InboundFilters
> > > permit tcp any host xx.43.155.45 eq smtp
> > > permit tcp any host xx.43.155.45 eq pop3
> > > permit tcp any host xx.43.155.45 eq 32000
> > > etc...
> > >
> > > Where I'd like to go.
> > > >>> NEW Config:
> > > --Internet-----(s0.744)Router(e0)-----(e1)Firewall(e0)-----LAN
> > >
> > > Router (s0.744) x.43.154.230
> > > Router (e0) x.43.155.33
> > >
> > > Firewall (e1) x.43.155.46 (???)
> > > Firewall (e0) 192.168.222.1
> > >
> > > GOALS:
> > > - Need to route incoming requests to public servers behind firewall.
> > > - NAT overload question. Currently, the LAN uses a NAT overload
> > > (sharing one public IP) for outbound traffic.
> > > - Allow outbound only passive FTP from LAN hosts to remote FTP servers.
> > >
> > > QUESTIONS:
> > > 1. I am not sure how to route specific IPs to the LAN side of m0n0wall.
> > > 2. How would you configure the router to forward requests for hosts on
> > > the subnet?
> >
> > Take out the IP NAT statements. Take off the private IP on the
> > router. You can take out the ACL or leave it, just make sure it
> > matches up appropriately with firewall rules. For ease of
> > troubleshooting (no questioning if it's the router or the firewall),
> > at least during the setup, take it out. You can add it back later
> > after things are working with the new setup as another line of defense
> > if you want. It's not necessary though.
> >
> >
> > > 3. I am very confused by 1:1 vs NAT Server
> >
> > 1:1 means translating one public IP to one private IP, on both inbound
> > and outbound traffic. Server NAT differs in that it allows you to
> > open multiple ports on one public IP to different LAN side hosts.
> > Inbound NAT does the same thing, but uses the m0n0wall WAN IP. Server
> > NAT lets you use public IPs other than the WAN, which is what your
> > LAN hosts other than any with 1:1 setups will be NAT'ed to outgoing.
> >
> > Since you have 14 public IPs, I'd use 1:1 NAT because it's more
> > flexible, and easier to understand IMO. It's easier to mentally
> > picture IP x.x.x.3 goes to mail server, x.x.x.4 is web server, x.x.x.5
> > is ..., etc. rather than what port goes where on a single IP (which is
> > how you have it set up now).
> >
> >
> > > This is a real business project for me. I would be glad to help create
> > > a real-world "HOW-TO" for the documentation project. My particular
> > > topology I would assume is pretty common for small businesses.
> > >
> >
> > This would be good for the example configurations chapter.
> > http://m0n0.ch/wall/docbook/examples.html
> >
> > If you write something up (the wiki would be a good place,
> > http://wiki.m0n0.ch), I can add the network diagrams, screenshots, and
> > format it in DocBook for the docs.
> >
> > -Chris
> >
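As an added example (not code from this thread or from m0n0wall), the following Python checker cross-references a 1:1 NAT table against a proposed rule set. The two tables are constructed copies of the ones posted above; the checks are generic and do not encode m0n0wall's own rule evaluation: they flag rule destinations that match neither column of the NAT table, rules that pin the client source port (the "port" column right after "source", which real clients, using ephemeral source ports, would not match), and NAT entries no rule ever admits traffic to.

```python
"""Consistency check of a 1:1 NAT table against inbound firewall rules.

Added example, not m0n0wall code. Tables below are constructed from the
ones in the thread; findings are generic config-hygiene checks only.
"""
from collections import namedtuple

Nat11 = namedtuple("Nat11", "ext_ip int_ip desc")
Rule = namedtuple("Rule", "proto src src_port dst dst_port desc")

NAT = [  # Firewall:NAT 1:1 table as posted
    Nat11("aa.43.155.34", "192.168.1.10", "www"),
    Nat11("aa.43.155.35", "192.168.1.11", "www"),
    Nat11("aa.43.155.36", "192.168.1.12", "mail"),
]

# WAN rules exactly as proposed (note the 'a55' octets and pinned source ports).
WAN_RULES = [
    Rule("tcp", "any", "80", "aa.43.a55.34", "80", "www server"),
    Rule("tcp", "any", "80", "aa.43.a55.35", "80", "www server"),
    Rule("tcp", "any", "25", "aa.43.a55.36", "25", "smtp"),
    Rule("tcp", "any", "110", "aa.43.a55.36", "110", "pop3"),
]

# Same rules with source port opened and destinations matching the NAT table.
FIXED_WAN_RULES = [r._replace(src_port="any", dst=r.dst.replace("a55", "155"))
                   for r in WAN_RULES]


def check_rules(nat, rules):
    """Return (code, detail) findings; an empty list means the tables agree.

    NO_NAT   - rule destination is neither side of any 1:1 entry
    SRC_PORT - rule pins the client source port; clients use ephemeral
               ports, so such a rule matches almost no real connection
    UNUSED   - a 1:1 entry that no rule admits traffic to
    """
    addrs = {n.ext_ip for n in nat} | {n.int_ip for n in nat}
    findings, reached = [], set()
    for r in rules:
        if r.dst in addrs:
            reached.add(r.dst)
        else:
            findings.append(("NO_NAT", f"{r.desc}: {r.dst}"))
        if r.src_port != "any":
            findings.append(("SRC_PORT", f"{r.desc}: source port {r.src_port}"))
    for n in nat:
        if n.ext_ip not in reached and n.int_ip not in reached:
            findings.append(("UNUSED", f"{n.desc}: {n.ext_ip} -> {n.int_ip}"))
    return findings


if __name__ == "__main__":
    for code, detail in check_rules(NAT, WAN_RULES):
        print(f"{code:8} {detail}")
```

Run it unchanged to see the eleven findings for the posted WAN table; the same checker accepts either the public or the private address as a rule destination, so it applies to a LAN-interface rule set as well.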