 
 From:  bmah at acm dot org (Bruce A. Mah)
 To:  Alan Schmitz <alan at ankeny dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Problem with Bridging and NAT
 Date:  Thu, 18 Dec 2003 07:38:16 -0800
If memory serves me right, Alan Schmitz wrote:
> I'm having a problem configuring m0n0wall on a Net4801.  I've got a DSL 
> connection with a /29 netblock.  I've configured the interfaces as:

What version of m0n0wall?

>    LAN   192.168.1.1/24
>    WAN   A.B.C.D/29 (static public address)
>    OPT1  Bridged to the WAN interface (renamed DMZ)
> 
> I'm using the default configuration for NAT.  I've added some rules to 
> allow selected traffic coming in on the WAN to a specific public 
> address connected to the DMZ and another rule to allow everything 
> coming in on the DMZ to go anywhere.  I kept the default rule for the 
> LAN, so everything coming in on the LAN can go anywhere.

Hmmm.  Did you enable Diagnostics->Advanced->Enable Filtering Bridge?

I don't think this should be a pre-requisite for getting your setup 
working, but it *does* affect the generation of firewall rules.  In 
particular, if you don't check this box, no filtering at all will be 
applied to packets received on your DMZ interface.  I guess that's what 
you wanted anyways.

It'd be interesting to see if enabling the filtering bridge feature 
makes any difference for your situation.

> Most things are working correctly.  The selected traffic can go from 
> the WAN to the DMZ, the server in the DMZ can go everywhere on the 
> Internet, and the workstations on the LAN can go everywhere on the 
> Internet.  The firewall itself can ping the server in the DMZ too.
> 
> I'm still having problems between workstations on the LAN and the 
> server on the DMZ.  I can't get any traffic to go between the LAN and 
> the server in the DMZ, even when the traffic originates on the LAN.  It 
> doesn't appear to be a rule problem, because I'm not showing any 
> entries for blocked traffic in the firewall log.
> 
> Is this type of configuration possible?  Any idea what I'm doing wrong?

I think that this should be possible, but I confess I've never tried 
it.  I only use my LAN interface for accessing the m0n0wall GUI (and in 
fact I've disabled NAT for my LAN interface).

I think that further diagnosis might require seeing the IPFilter
rulesets installed on your m0n0wall box.  Is it possible for you to get
this output and post some sanitized version of them?

Bruce.