Our network consists of 4 class C's (xx.xx.152.xx through xx.xx.155.xx).
Two of these class C's (xx.xx.154.xx and xx.xx.155.xx) are meant to be
the DMZ. The other two (xx.xx.152.xx and xx.xx.153.xx) are viewed as
"external" and have been used for things like ISDN/dialup connections, a
leased internet connection to a neighbor, etc. I want to switch from our
old ipchains on linux firewalls to a single m0n0wall box.
My m0n0wall config is as follows:
IP Addr: 192.168.20.246
IP Addr: xx.xx.152.3
IP Addr: xx.xx.154.1
I enabled advanced outbound NAT (and created a rule to allow the LAN
outgoing access) like the manual said I should do when using public IPs
for a DMZ. When I attempted the switch to m0n0, the LAN was able to see
the outside Internet as well as the DMZ. The DMZ, however, was not able
to route out to the outside Internet. The DMZ machines are using
xx.xx.154.1 as their gateway. I was unable to ping xx.xx.154.1 from the
DMZ machines. I WAS able to ping the DMZ machines from the m0n0 box. I
attempted to add a rule to allow the DMZ out as well, but was not
successful. Being stuck in my office, I was unable to determine if the
outside Internet was able to access the opened services on the DMZ.
Does anybody see anything obviously wrong with my setup or does anybody
have any clues as to where to look for problems?
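One thing worth checking in a layout like the one above is whether the DMZ hosts' subnet masks actually put the firewall's DMZ address on their local link: a DMZ that spans two class C's (xx.xx.154.0 and xx.xx.155.0) behind a single gateway at xx.xx.154.1 only works if every host in both ranges is configured with a mask wide enough to cover the gateway (a /23 here), otherwise a host on the 155 range never ARPs for 154.1 and cannot even ping it. The script below is an added example, not code from the original post or from the m0n0wall project; it uses 10.10.152.0 through 10.10.155.0 as constructed stand-ins for the masked xx.xx.152.0 through xx.xx.155.0 addresses, and the host masks it tests are assumptions for illustration.

```python
import ipaddress

# Constructed stand-ins for the post's xx.xx.152.0 .. xx.xx.155.0 ranges.
# Assumption: the real first two octets are unknown; 10.10 is used for illustration only.
EXTERNAL_NETS = ["10.10.152.0/24", "10.10.153.0/24"]   # the post's "external" class C's
DMZ_NETS = ["10.10.154.0/24", "10.10.155.0/24"]        # the post's DMZ class C's
DMZ_GATEWAY = "10.10.154.1"                            # stand-in for xx.xx.154.1


def covering_prefix(nets):
    """Return the single smallest prefix that contains every network in `nets`.

    Two adjacent, aligned /24s collapse to one /23; non-adjacent ranges are
    widened one bit at a time until a single prefix covers them all.
    """
    merged = list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in nets))
    while len(merged) > 1:
        # Widen every block by one bit, then merge duplicates/adjacent blocks again.
        merged = list(ipaddress.collapse_addresses(n.supernet() for n in merged))
    return merged[0]


def gateway_on_link(host_cidr, gateway):
    """True if the host, with the mask it is configured with, sees `gateway`
    as directly attached. A host for which this is False will not ARP for
    the gateway, so it can neither ping it nor route through it.
    """
    host = ipaddress.ip_interface(host_cidr)
    return ipaddress.ip_address(gateway) in host.network


def check_dmz_hosts(host_cidrs, gateway=DMZ_GATEWAY, dmz_nets=DMZ_NETS):
    """Report which hosts can reach the DMZ gateway with their current mask,
    and the prefix the DMZ interface and hosts would need to cover the whole DMZ.
    """
    needed = covering_prefix(dmz_nets)
    report = {h: gateway_on_link(h, gateway) for h in host_cidrs}
    return needed, report


if __name__ == "__main__":
    # Assumed host configurations: the first is right for a single class C but
    # wrong for a two-class-C DMZ; the second uses the covering /23.
    needed, report = check_dmz_hosts(["10.10.155.10/24", "10.10.155.10/23", "10.10.154.10/24"])
    print(f"DMZ interface/hosts need a mask covering {needed}")
    for host, ok in report.items():
        print(f"{host}: gateway {DMZ_GATEWAY} {'on-link' if ok else 'NOT on-link'}")
```

Run it as-is to see that a host in the second DMZ class C with a /24 mask cannot reach the gateway while the same host with a /23 can; substitute the real addresses and masks from the DMZ machines and the m0n0wall DMZ interface to check the actual deployment. The same `covering_prefix` check applies to the two "external" ranges if they are ever placed behind one interface.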