Hi gang: first time poster here so be gentle.
After weaving in and out of many threads trying to get my m0n0wall to
listen correctly on multiple IPs, I finally got everything working
smoothly and felt the need to simplify several disparate chunks of
knowledge that might slip past those of us who are not professional IT
genii -- that is, the casual tinkerer who really appreciates the
product and wants to make it sing.
Anyhow, below is a link to the summary I put together, and the full
text is pasted below for the list crawler.
m0n0wall - NAT and listening on multiple WAN addresses
After much Googling and raking through the lists on m0n0.ch, I've put
together a quick guide to setting up m0n0wall to listen on multiple
addresses and process appropriately from there.
The biggest part that I could not figure out was using Proxy ARP
correctly. While the guide says that in most instances it is not needed
unless x, y and z, I found that most of us in the US don't have control
over the ISP's router that's installed on our premises. In my case,
it's COX Business Services and their Cisco 1700 Router. So, since we
don't have control of that router to tell it to send the additional IPs
to m0n0's MAC address, it's time for ARP Proxy configuration.
Example Assumptions - let's assume the following:
* Our usable IP address range is 18.104.22.168 through .254
* Our Gateway address is 22.214.171.124
* Our Subnet is 255.255.255.240
* Thus, our routed subnet is 126.96.36.199/28
* and our WAN interface on m0n0 is 188.8.131.52
Step One: Listening to the WAN IPs
What confused me was the configuration of the PROXY ARP settings. I
initially told m0n0 to announce responsibility for network
184.108.40.206/28, but apparently that was entirely wrong since it
included the FIRST assigned IP that belonged to the WAN interface on
m0n0. So, I changed from network notation to range notation and entered
220.127.116.11 through 18.104.22.168 as the addresses.
Step Two: NATing those addresses
Now, I chose a variety of methods to handle those IPs, based on their
functionality. For example, I needed a mailserver on a particular IP
with 1:1 mapping, so that rDNS would resolve properly and all outgoing
mail would correctly appear to come from that IP address. I needed a
couple of mySQL, SSH and Remote Desktop machines on other IPs but their
outbound IPs were irrelevant, so I just did Server NAT with them.
Remember, you've got to build an Inbound NAT rule with the specific WAN
IP in question which then points to each Server NAT before that type of
mapping is complete.
Step Three: Firewall rules
Lastly, firewall rules must be set to allow traffic into those
addresses. I was confused here as well until I began to think of the
firewall rules in reverse; that is, for each LAN IP that each box was
NATed to, a rule must be in place to allow traffic. For some reason I
was convinced that setting up 1:1 NATing was akin to just plugging a
host into a switch under the ISPs router, but -duh- that defeats the
whole purpose of having a firewall in the first place, doesn't it?
Step Four: Upstream cache
After all is said and done, don't forget to reboot the ISP's router to
flush its MAC address table, and in some cases a phone call to the ISP
to force them to flush their ARP cache is required.
I hope this helps anyone struggling with this situation out there. If
you see any inaccuracies in how I've described this, please drop me an