 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Jason Boles <threepercentmilk at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] using real IP's on LAN - 1:1 NAT, bridge, other ?
 Date:  Thu, 2 Jun 2005 10:57:03 -0400
On 6/1/05, Jason Boles <threepercentmilk at gmail dot com> wrote:
> Hi all,
>   I'm running m0n0wall on a 3 NIC wrap board.  I'd like to use the
> firewall in a non-NAT fashion, where each machine behind the firewall
> has a real IP address.  We have a SonicWall in place now that does the
> job, but is out of its support contract and a few years old and
> getting too slow.  It has what is called "Intranet" mode, where you
> specify the "real" IPs that are on the LAN port, and it assumes
> everything else is on the WAN.  All of the real IPs are in the same
> subnet, but none are contiguous.  Each machine is configured with its
> own real IP, with a default gateway that is on the WAN
> (xxx.xxx.xxx.1).  The SonicWall has 1 real IP as well.  It seems as
> though it is doing a filtered bridge, but I have no access to the
> underlying implementation.

Does sound like a filtered bridge.

>   I'm looking for a way to get the same functionality using m0n0wall.
> Should I use the WAN->OPT1 bridge function?  I would like to have a
> DMZ as well, and from searching the list, it seems that the WAN/LAN
> cannot be bridged.  

You can bridge OPT and WAN and leave LAN unplugged.  You stated above
that all your machines have public IPs, so that'd be how I would do

> Bridges should have higher performance than a router, but in the case
> of a firewall, is that true ?

Yes, it's faster to bridge than NAT, but unless you have 25-30+ Mb of
internet bandwidth, you won't notice a difference on a WRAP.