[ previous ] [ next ] [ threads ]
 
 From:  Alan Schmitz <alan at ankeny dot net>
 To:  "Bruce A. Mah" <bmah at acm dot org>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Problem with Bridging and NAT
 Date:  Thu, 18 Dec 2003 10:45:24 -0600 (CST)
On Thu, 18 Dec 2003, Bruce A. Mah wrote:

> If memory serves me right, Alan Schmitz wrote:
> > I'm having a problem configuring m0n0wall on a Net4801.  I've got a DSL 
> > connection with a /29 netblock.  I've configured the interfaces as:
> 
> What version of m0n0wall?

net48xx-pb22r566.img
 
> >    LAN   192.168.1.1/24
> >    WAN   A.B.C.D/29 (static public address)
> >    OPT1  Bridged to the WAN interface (renamed DMZ)
> > 
> > I'm using the default configuration for NAT.  I've added some rules to 
> > allow selected traffic coming in on the WAN to a specific public 
> > address connected to the DMZ and another rule to allow everything 
> > coming in on the DMZ to go anywhere.  I kept the default rule for the 
> > LAN, so everything coming in on the LAN can go anywhere.
> 
> Hmmm.  Did you enable Diagnostics->Advanced->Enable Filtering Bridge?
> 
> I don't think this should be a pre-requisite for getting your setup 
> working, but it *does* affect the generation of firewall rules.  In 
> particular, if you don't check this box, no filtering at all will be 
> applied to packets received on your DMZ interface.  I guess that's what 
> you wanted anyways.
> 
> It'd be interesting to see if enabling the filtering bridge feature 
> makes any difference for your situation.

I've actually tried this setting both ways, with the same results.  I'm
trying to leave the filtering bridge enabled, because I need to restrict
access to some of the services in the DMZ from the WAN.
 
> > Most things are working correctly.  The selected traffic can go from 
> > the WAN to the DMZ, the server in the DMZ can go everywhere on the 
> > Internet, and the workstations on the LAN can go everywhere on the 
> > Internet.  The firewall itself can ping the server in the DMZ too.
> > 
> > I'm still having problems between workstations on the LAN and the 
> > server on the DMZ.  I can't get any traffic to go between the LAN and 
> > the server in the DMZ, even when the traffic originates on the LAN.  It 
> > doesn't appear to be a rule problem, because I'm not showing any 
> > entries for blocked traffic in the firewall log.
> > 
> > Is this type of configuration possible?  Any idea what I'm doing wrong?
> 
> I think that this should be possible, but I confess I've never tried 
> it.  I only use my LAN interface for accessing the m0n0wall GUI (and in 
> fact I've disabled NAT for my LAN interface).

I've done this with a SonicWall appliance at work and Linux box with proxy
ARP at home.  In both cases the bridge isn't completely transparent.  
Both systems need a little help sorting out the traffic destined for the
WAN or DMZ.

> I think that further diagnosis might require seeing the IPFilter
> rulesets installed on your m0n0wall box.  Is it possible for you to get
> this output and post some sanitized version of them?

I'll post a cleaned-up version of my rules, when I'm back on the LAN side
of the firewall tonight.  I'm also going to run a tcpdump from the server 
in the DMZ.

I'm concerned that the NAT'ed traffic is always following the default
route out the WAN port, and it's not getting repeated on the DMZ port.  
If that's the case, I might need to add a static route for the server in
the DMZ.

Thanks,
Alan