> If I understood former discussions correctly I cannot use filtered
> bridge mode because I would never again be able to connect to my DMZ
> hosts from my LAN. How am I supposed to set up something like that?
> For testing purposes I set up something like that and tried to use 1:1
> NAT to reach a DMZ box via ssh. But it did not work out. Any ideas
> would be greatly appreciated.

No. You can certainly connect to devices on an OPT interface bridged to the WAN. I have a SIP server on OPT1, bridged to WAN. That way my internal clients and my SIP peers can communicate with my SIP server without any form of NAT being involved. I have had this set up for a couple of months without any problems.

Just bridge OPT1 with the WAN, and start using your valid external IP addresses on OPT1 (remembering that your default gateway will be m0n0wall's _WAN_ IP address !!!) and don't forget to set 'Enable filtering bridge' and add the appropriate rules as needed. You'll also need to set 'Enable advanced outbound NAT' so that your LAN clients don't get NAT'd on their way to OPT1.

Neil, thanks a lot mate, obviously I got confused by this:
http://www.m0n0.ch/wall/docbook/examples-filtered-bridge.html

    11.3. Configuring a filtered bridge

    A filtered bridge is a common way of configuring a DMZ segment. This can be
    used as a typical DMZ where you have hosts on the LAN interface, but is
    probably more frequently used to protect servers at a colocation facility
    where there are no LAN hosts.

    Note: Remember you cannot access hosts on a bridged interface from a NAT'ed
    interface, so if you do have a LAN interface set up, you won't be able to
    access the hosts on the bridged interface from the LAN.

    Network Diagram for this Configuration. The following diagram depicts the
    example configuration described in this section. The colocation facility has
    assigned you with the subnet 111.111.111.8/29, which includes usable IPs
    .9-.14. One of those is required for the colo's router, so you end up with
    5 usable IPs.

I thought the clients on my LAN interface are NATed, are they not? Anyways, just to make that clear once and for all:

    Router (63.64.65.129)
      |
      |
    m0n0 WAN Interface (63.64.65.130)
      |
      +---------- m0n0 DMZ Segment (OPT Interface)
      |           (including hosts 63.64.65.131, 132, 133... using 63.64.65.130
      |            as gateway in filtered bridge mode)
      |
    m0n0 LAN Interface (171.16.1.1)

where 171.16.1.1 is the gateway for all LAN clients.

I always thought in this configuration the LAN interface is NATed; combined with the m0n0 docs it gives the impression that this kind of setup will not work. So, Neil, are you really sure about this, or do we need to clear out m0n0's docs?
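As an added illustration of Neil's point (not code from the thread or from m0n0wall), a small Python model of the outbound-NAT decision for the 63.64.65.x layout above: the default outbound NAT rewrites LAN traffic leaving through the bridged WAN side to the WAN IP, while advanced outbound NAT with an explicit no-NAT rule for the DMZ subnet keeps the LAN source intact. First-match rule semantics, the /29 mask on the external subnet and the LAN /24 are assumptions.

```python
import ipaddress

# Addresses from the thread; the /29 mask (as in the doc's 111.111.111.8/29
# example) and the LAN /24 are assumptions, not values from the posts.
WAN_IP = "63.64.65.130"
WAN_NET = ipaddress.ip_network("63.64.65.128/29")  # .129 router, .130 m0n0, .131-.133 DMZ
LAN_NET = ipaddress.ip_network("171.16.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


def default_outbound_nat(src, dst):
    """Default outbound NAT: anything from LAN that exits via WAN is rewritten
    to the WAN IP regardless of destination. Because OPT1 is bridged to WAN,
    LAN->DMZ traffic also exits that way, so a DMZ host would see 63.64.65.130
    instead of the real LAN client."""
    return WAN_IP if ipaddress.ip_address(src) in LAN_NET else src


def advanced_outbound_nat(src, dst, rules):
    """Advanced outbound NAT: rules are (source_net, dest_net, target); the
    first matching rule wins (assumed semantics) and target None means
    'leave the source address alone'."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, target in rules:
        if src_ip in src_net and dst_ip in dst_net:
            return src if target is None else target
    return src  # no matching rule: source left untouched


# Rule order matters: exempt the bridged DMZ subnet before the catch-all.
AON_RULES = [
    (LAN_NET, WAN_NET, None),  # LAN -> DMZ hosts on the bridge: no translation
    (LAN_NET, ANY, WAN_IP),    # LAN -> everything else: NAT to the WAN IP
]


def dmz_host_ok(host, gateway):
    """A DMZ host must carry an address from the external subnet and use
    m0n0wall's WAN IP (not the colo router) as its default gateway."""
    return ipaddress.ip_address(host) in WAN_NET and gateway == WAN_IP


if __name__ == "__main__":
    lan_client, dmz_host = "171.16.1.50", "63.64.65.131"  # constructed sample hosts
    print("default NAT, LAN->DMZ source:", default_outbound_nat(lan_client, dmz_host))
    print("AON, LAN->DMZ source:", advanced_outbound_nat(lan_client, dmz_host, AON_RULES))
    print("AON, LAN->Internet source:", advanced_outbound_nat(lan_client, "198.51.100.7", AON_RULES))
    print("DMZ host config ok:", dmz_host_ok(dmz_host, WAN_IP))
```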