[ previous ] [ next ] [ threads ]
 From:  bmah at acm dot org (Bruce A. Mah)
 To:  Alan Schmitz <alan at ankeny dot net>
 Cc:  "Bruce A. Mah" <bmah at acm dot org>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Problem with Bridging and NAT
 Date:  Thu, 18 Dec 2003 10:38:32 -0800
If memory serves me right, Alan Schmitz wrote:
> On Thu, 18 Dec 2003, Bruce A. Mah wrote:

> > What version of m0n0wall?
> net48xx-pb22r566.img

OK.  I would have expected a few other problems to crop up before about 
pb19 or so.

> > I don't think this should be a pre-requisite for getting your setup 
> > working, but it *does* affect the generation of firewall rules.  In 
> > particular, if you don't check this box, no filtering at all will be 
> > applied to packets received on your DMZ interface.  I guess that's what 
> > you wanted anyways.
> > 
> > It'd be interesting to see if enabling the filtering bridge feature 
> > makes any difference for your situation.
> I've actually tried this setting both ways, with the same results.  I'm
> trying to leave the filtering bridge enabled, because I need to restrict
> access to some of the services in the DMZ from the WAN.

OK.  Well for that particular part of the functionality, you should 
yell at me if the filtering bridge doesn't work.

> > > Is this type of configuration possible?  Any idea what I'm doing wrong?
> > 
> > I think that this should be possible, but I confess I've never tried 
> > it.  I only use my LAN interface for accessing the m0n0wall GUI (and in 
> > fact I've disabled NAT for my LAN interface).
> I've done this with a SonicWall appliance at work and Linux box with proxy
> ARP at home.  In both cases the bridge isn't completely transparent.  
> Both systems need a little help sorting out the traffic destined for the
> WAN or DMZ.

Maybe true here as well.  Now that I think about it a bit, I might have
tried this once a *long* time ago (around pb13) without success, but
that was before Manuel and I overhauled some of the bridging stuff.
Probably not relevant to the present day.

> > I think that further diagnosis might require seeing the IPFilter
> > rulesets installed on your m0n0wall box.  Is it possible for you to get
> > this output and post some sanitized version of them?
> I'll post a cleaned-up version of my rules, when I'm back on the LAN side
> of the firewall tonight.  I'm also going to run a tcpdump from the server 
> in the DMZ.

OK, that'll be helpful information.

> I'm concerned that the NAT'ed traffic is always following the default
> route out the WAN port, and it's not getting repeated on the DMZ port.  

That scenario is pretty high up on my list of probable causes.

Well, the "route", as you put it, isn't really an IP route.  The 
bridging code inside the m0n0wall box needs to remember that the MAC 
layer address for the server really lives over on the DMZ interface, 
not the WAN port, and forward it out accordingly.  I'm not sure if 
IPFilter (which does the NAT-ing) and bridge(4) (which does the, well, 
bridging) interact in the right way for this to happen.  Every time I 
try to think about these things, I have to UTSL.

> If that's the case, I might need to add a static route for the server in
> the DMZ.

Adding a static route won't help you here because your DMZ port is 
unnumbered (remember it's bridged to the WAN).  I'm not sure if there's 
some Advanced NAT setting you can play with that can help you (sorry, I 
don't use m0n0wall's NAT features).