 From:  Claude Morin <klodefactor at gmail dot com>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  Adam Lawson <alawson at calhost dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Newbie Config Question - Initial M0n0wall Config - Need Assist ASAP
 Date:  Fri, 18 Mar 2005 01:02:31 -0500
Thanks for the pointer to setting up a filtered bridge.

Stupid question: given the drawback of not having access from the LAN
interface, what advantage(s) does this setup have over 1:1 NAT? 
That's what I set up for our own colo, and it's working beautifully.


On Wed, 16 Mar 2005 21:49:57 -0500, Chris Buechler <cbuechler at gmail dot com> wrote:
> On Wed, 16 Mar 2005 08:42:20 -0800, Adam Lawson <alawson at calhost dot com > wrote:
> [snip]
> >
> > Now, the Quick Start documentation says:
> [snip]
> >
> > Now obviously, that scenario is not possible. My client machines need their
> > own static IP. The network is fine as is (without the firewall in place).
> >
> Yeah I wrote that part of the Quick Start Guide with a focus towards a
> typical LAN/WAN setup, which doesn't apply here.
> This example that I wrote based on a colo setup I have is probably the
> best way to do this.  In this example, m0n0wall is completely
> transparent.  This is based on a real setup I run on 1.2b3 that pushes
> a steady 1-3 Mb, up to 10+ Mb at times.  1.11 will work equally well,
> but if you're working with a lot of rules, 1.2b3 is a lot easier to
> work with and it has never ever crashed on me and it's pushing
> 200-300+ GB a month of internet traffic.
> http://m0n0.ch/wall/docbook/examples-filtered-bridge.html 
> There is a bug in current m0n0wall versions (fixed in 1.2b5 or 6, I
> believe, but I wouldn't use either of those in this situation) where
> only the WAN subnet is allowed out the bridged interface due to a bug
> in the antispoofing functionality.  To get around this, put in a
> superfluous static route on the bridged interface for 
> and pointing to any IP.  The route won't actually do
> anything, but putting it in is the work around for that bug.
> -Chris
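The antispoofing problem Chris describes above, and why a static route on the bridged interface works around it, can be reasoned through with a small model. The following is an added example written for this thread; it is not m0n0wall's or ipfilter's code, and it assumes a simplified rule: an interface accepts a source address only if it lies in the interface's own subnet (for a bridged, IP-less interface, the subnet of the interface it is bridged to) or in a network whose static route points out that interface. The interface names, the WAN subnet 203.0.113.0/29 and the routed block 198.51.100.0/24 behind the bridge are constructed placeholders.

```python
"""
Simplified antispoofing model (constructed illustration).

The model derives each interface's set of "expected" source networks from
its own subnet plus the static routes that point out of it. A bridged
interface with no subnet of its own inherits only the WAN subnet, so
traffic from a separately routed public block behind the bridge is
dropped. Adding a static route for that block on the bridged interface
makes it expected, which is the workaround described in the thread.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    name: str
    subnet: Optional[ipaddress.IPv4Network] = None  # None for an IP-less bridge member
    bridged_to: Optional[str] = None                # name of the interface it is bridged to


@dataclass
class StaticRoute:
    network: ipaddress.IPv4Network
    interface: str
    gateway: ipaddress.IPv4Address  # irrelevant for the check, as Chris notes ("any IP")


@dataclass
class Firewall:
    interfaces: Dict[str, Interface]
    routes: List[StaticRoute] = field(default_factory=list)

    def expected_sources(self, ifname: str) -> List[ipaddress.IPv4Network]:
        """Networks whose addresses may legitimately appear as sources on ifname."""
        iface = self.interfaces[ifname]
        nets: List[ipaddress.IPv4Network] = []
        if iface.subnet is not None:
            nets.append(iface.subnet)
        elif iface.bridged_to is not None:
            # A bridge member has no subnet of its own; it shares the bridged interface's.
            nets += self.expected_sources(iface.bridged_to)
        # Static routes pointing out this interface extend the expected set.
        nets += [r.network for r in self.routes if r.interface == ifname]
        return nets

    def passes_antispoof(self, ifname: str, src: str) -> bool:
        """True if a packet with source src arriving on ifname survives the antispoof check."""
        addr = ipaddress.IPv4Address(src)
        return any(addr in net for net in self.expected_sources(ifname))

    def filter_sources(self, ifname: str, sources: List[str]) -> List[Tuple[str, str]]:
        """Return (source, verdict) pairs for a batch of packets on ifname."""
        return [(s, "pass" if self.passes_antispoof(ifname, s) else "drop") for s in sources]


# Constructed colo layout: WAN carries 203.0.113.0/29, OPT1 is bridged to WAN,
# and the customer's routed block 198.51.100.0/24 sits behind the bridge.
WAN_SUBNET = ipaddress.IPv4Network("203.0.113.0/29")
ROUTED_BLOCK = ipaddress.IPv4Network("198.51.100.0/24")


def build_colo_firewall(with_workaround: bool) -> Firewall:
    """Build the filtered-bridge setup with or without the superfluous static route."""
    fw = Firewall(
        interfaces={
            "wan": Interface("wan", subnet=WAN_SUBNET),
            "opt1": Interface("opt1", bridged_to="wan"),
        }
    )
    if with_workaround:
        # The route does no forwarding work; it only teaches the antispoof
        # check that ROUTED_BLOCK is expected on opt1. Gateway is arbitrary.
        fw.routes.append(
            StaticRoute(ROUTED_BLOCK, "opt1", ipaddress.IPv4Address("203.0.113.1"))
        )
    return fw


if __name__ == "__main__":
    hosts = ["203.0.113.5", "198.51.100.10"]
    for workaround in (False, True):
        fw = build_colo_firewall(workaround)
        print(f"workaround={workaround}: {fw.filter_sources('opt1', hosts)}")
```

Without the route, a host in the routed block is dropped on the bridged interface while a host in the WAN subnet passes; with the route in place both pass. The gateway value is irrelevant to the outcome, which matches Chris's remark that the route can point to any IP.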