[ previous ] [ next ] [ threads ]
 From:  Robert Goodyear <me at jrob dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  ARP PROXY, Server NAT and Multiple WAN IPs
 Date:  Mon, 27 Jun 2005 18:35:59 -0700
Hi gang: first time poster here so be gentle.

After weaving in and out of many threads trying to get my m0n0wall to 
listen correctly on multiple IPs, I finally got everything working 
smoothly and felt the need to simplify several disparate chunks of 
knowledge that might slip past those of us who are not professional IT 
genii -- that is, the casual tinkerer who really appreciates the 
product and wants to make it sing.

Anyhow, below is a link to the summary I put together, and the full 
text is pasted below for the list crawler.

Kind Regards,
Robert Goodyear
California, USA


Full text:

m0n0wall - NAT and listening on multiple WAN addresses

After much Googling and raking through the lists on m0n0.ch, I've put 
together a quick guide to setting up m0n0wall to listen on multiple 
addresses and process appropriately from there.


The biggest part that I could not figure out was using Proxy ARP 
correctly. While the guide says that in most instances it is not needed 
unless x, y and z, I found that most of us in the US don't have control 
over the ISP's router that's installed on our premises. In my case, 
it's COX Business Services and their Cisco 1700 Router. So, since we 
don't have control of that router to tell it to send the additional IPs 
to m0n0's MAC address, it's time for ARP Proxy configuration.

Example Assumptions - let's assume the following:

     * Our usable IP address range is through .254
     * Our Gateway address is
     * Our Subnet is
     * Thus, our routed subnet is
     * and our WAN interface on m0n0 is

Step One: Listening to the WAN IPs

What confused me was the configuration of the PROXY ARP settings. I 
initially told m0n0 to announce responsibility for network, but apparently that was entirely wrong since it 
included the FIRST assigned IP that belonged to the WAN interface on 
m0n0. So, I changed from network notation to range notation and entered through as the addresses.

Step Two: NATing those addresses

Now, I chose a variety of methods to handle those IPs, based on their 
functionality. For example, I needed a mailserver on a particular IP 
with 1:1 mapping, so that rDNS would resolve properly and all outgoing 
mail would correctly appear to come from that IP address. I needed a 
couple of mySQL, SSH and Remote Desktop machines on other IPs but their 
outbound IPs were irrelevant, so I just did Server NAT with them. 
Remember, you've got to build an Inbound NAT rule with the specific WAN 
IP in question which then points to each Server NAT before that type of 
mapping is complete.

Step Three: Firewall rules

Lastly, firewall rules must be set to allow traffic into those 
addresses. I was confused here as well until I began to think of the 
firewall rules in reverse; that is, for each LAN IP that each box was 
NATed to, a rule must be in place to allow traffic. For some reason I 
was convinced that setting up 1:1 NATing was akin to just plugging a 
host into a switch under the ISPs router, but -duh- that defeats the 
whole purpose of having a firewall in the first place, doesn't it?

Step Four: Upstream cache

After all is said and done, don't forget to reboot the ISP's router to 
flush its MAC address table, and in some cases a phone call to the ISP 
to force them to flush their ARP cache is required.

I hope this helps anyone struggling with this situation out there. If 
you see any inaccuracies in how I've described this, please drop me an