 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  Kamil dot Wencel at hvbpensionsfonds dot de
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: AW: AW: AW: AW: [m0n0wall] How many ports?
 Date:  Fri, 10 Jun 2005 14:58:55 +0100

In message
<CE66087981B7CF42A1A76F094291D6AD047C36 at exchange dot intern dot hvb-pensionsfonds
.de>, Kamil dot Wencel at hvbpensionsfonds dot de writes
>>>If I understood former discussions correctly I cannot use filtered
>>>bridge mode because I would never again be
>>>able to connect to my DMZ hosts from my LAN. How am I supposed to set
>>>up something like that?
>>>For testing purposes I set up something like that and tried to use 1:1
>>>NAT to reach a DMZ box via ssh.
>>>But it did not work out. Any ideas would be greatly appreciated.
>>No.  You can certainly connect to devices on an OPT interface bridged to
>>the WAN.
>>I have a SIP server on OPT1, bridged to WAN.  That way my internal
>>clients and my SIP peers can communicate with my SIP server without any
>>form of NAT being involved.
>>I have had this set up for a couple of months without any problems.
>>Just bridge OPT1 with the WAN, and start using your valid external IP
>>addresses on OPT1 (remembering that your default gateway will be
>>m0n0wall's _WAN_ IP address !!!) and don't forget to set 'Enable
>>filtering bridge' and add the appropriate rules as needed.  You'll also
>>need to set 'Enable advanced outbound NAT' so that your LAN clients
>>don't get NAT'd on their way to OPT1.
>Thanks a lot mate, obviously I got confused by this:
>11.3. Configuring a filtered bridge
>A filtered bridge is a common way of configuring a DMZ segment. This
>can be used as a typical DMZ where you have hosts on the LAN interface,
>but is probably more frequently used to protect servers at a colocation
>facility where there are no LAN hosts.
>Remember you cannot access hosts on a bridged interface from a NAT'ed
>interface, so if you do have a LAN interface set up, you won't be able
>to access the hosts on the bridged interface from the LAN.
>Network Diagram for this Configuration. The following diagram depicts
>the example configuration described in this section. The colocation
>facility has assigned you with the subnet, which
>includes usable IP's .9-.14. One of those is required for the colo's
>router, so you end up with 5 usable IP's.
>I thought the clients on my LAN interface are NATed, are they not?
>Anyways, just to make that clear once and for all:
>Router ( )
> |
> |
> |
> m0n0 WAN Interface (
> |
> |
> +---------- m0n0 DMZ Segment ( OPT Interface )
> |             ( including hosts,132,133... using
> as gateway in filtered bridge mode )
> |
> |
> m0n0 LAN Interface ( )
>where is the gateway for all LAN clients.
>I always thought in this configuration the LAN Interface is NATed,
>combined with
>the m0n0 docs it gives the impression that this kind of setup will not work.
>So, Neil, are you really sure about this, or do we need to clear out
>m0n0's docs?

I 100% guarantee that I have it working!!!  I have the following (IP
addresses changed to protect the guilty):

ADSL Router (LAN & WAN address):        x.y.z.1
m0n0wall WAN:                           x.y.z.2
m0n0wall LAN:                 
OPT1 bridged to WAN
SIP Server (on OPT1):                   x.y.z.3
'filtering bridge' enabled
Advanced NAT enabled

I can connect to the SIP server from both LAN and (selected hosts on)
the Internet.

>Remember you cannot access hosts on a bridged interface from a NAT'ed
I think the key to this statement is 'from a NAT'ed interface'.  You
must enable advanced NAT and ensure that the traffic from your LAN is
not NAT'ed to devices on OPT1.  I think maybe it should read 'Remember
you cannot access hosts on a bridged interface if the connection is
being NAT'ed'.  For the above addresses I would have the following in my
NAT table:

Interface       Source          Destination             Target
WAN     ! x.y.z.0/29            *
WAN     ! x.y.z.1/32            *

Assuming that I've got a /29 address range on my WAN / OPT1.
The second rule means that I don't have to set up routes on my ADSL
router to the LAN.



Neil A. Hillard                E-Mail:   neil at dana dot org dot uk
                               Web:      http://www.dana.org.uk/
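The point of Neil's first advanced outbound NAT rule is that LAN traffic bound for the bridged /29 must never be translated, while everything else still gets the WAN address. The model below is an added illustration, not code from the thread or from m0n0wall; it uses first-match rule evaluation, a constructed LAN subnet (192.168.1.0/24) and the 203.0.113.0/29 documentation range in place of x.y.z.0/29, and models only the first of the two rules quoted above.

```python
"""Model of m0n0wall-style advanced outbound NAT with a negated destination.

Constructed example: LAN 192.168.1.0/24 and 203.0.113.0/29 (standing in for
the thread's x.y.z.0/29) are placeholders, not values from the list post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class OutboundNatRule:
    interface: str
    source: str          # CIDR the packet must originate from
    destination: str     # CIDR; a leading '!' negates the match
    target: str          # translation address, or '*' for the interface address

    def matches(self, src: str, dst: str) -> bool:
        negate = self.destination.startswith("!")
        dest_net = ip_network(self.destination.lstrip("! "))
        in_dest = ip_address(dst) in dest_net
        # XOR with the negation flag: '! net' matches only addresses outside net
        return ip_address(src) in ip_network(self.source) and (in_dest != negate)


def outbound_nat(rules, wan_ip: str, src: str, dst: str):
    """First matching rule wins; None means the flow leaves untranslated."""
    for rule in rules:
        if rule.matches(src, dst):
            return wan_ip if rule.target == "*" else rule.target
    return None


WAN_IP = "203.0.113.2"          # m0n0wall WAN, like x.y.z.2 in the thread
LAN = "192.168.1.0/24"          # constructed LAN subnet
DMZ_HOST = "203.0.113.3"        # SIP server on OPT1, bridged to WAN

# Rule from the thread: translate LAN traffic only when the destination
# lies outside the /29 shared by WAN and the bridged OPT1 hosts.
RULES = [OutboundNatRule("WAN", LAN, "! 203.0.113.0/29", "*")]
# What the default (non-advanced) behaviour amounts to: NAT everything.
NAT_EVERYTHING = [OutboundNatRule("WAN", LAN, "0.0.0.0/0", "*")]


def demo() -> dict:
    return {
        "lan_to_internet": outbound_nat(RULES, WAN_IP, "192.168.1.10", "198.51.100.7"),
        "lan_to_dmz_host": outbound_nat(RULES, WAN_IP, "192.168.1.10", DMZ_HOST),
        "dmz_without_negation": outbound_nat(NAT_EVERYTHING, WAN_IP, "192.168.1.10", DMZ_HOST),
    }
```

The third case reproduces the documentation's warning: without the negated destination, a LAN connection to the bridged host is translated to the WAN address, which is the "NAT'ed connection" Neil says is the real restriction.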