On Dec 20, 2003, at 3:13 AM, Manuel Kasper wrote:

> On 20.12.2003, at 05:37, Alan Schmitz wrote:
>
>> Until I learn more about how these rules work, I think I'll have to
>> assume that the NAT isn't recognizing return traffic that comes
>> through a bridged interface which isn't included in the NAT state.
>
> This is probably your problem: m0n0wall does stateful packet
> filtering, and as such traffic must flow through the filter in both
> directions for it to work. This is a design choice.

That makes sense. I assumed that the NAT implementation was aware of the bridge, but the bridge seems to be passing return traffic that the NAT can't deal with.

> Well, bridging really interacts in a nasty way with filtering and NAT.
> Maybe your LAN -> DMZ traffic is NATed before being bridged to the DMZ
> interface, but for some reason the replies aren't? Just a wild guess.
> If it weren't for the few applications where it actually makes sense
> to use bridging, I'd remove it from m0n0wall. ;) Maybe you should
> consider using 1:1 NAT for your DMZ server needs instead... it's much
> more straightforward.

I'm all for straightforward, but my 1:1 NAT test didn't work the way I expected either. My original goal was to create a firewall configuration where the server(s) in the DMZ could be accessed using public IP addresses from both the LAN and the WAN. When I tried 1:1 NAT, I used the following interface configuration:

WAN aaa.bbb.ccc.25/29
LAN 192.168.1.1/24
DMZ 192.168.2.1/24

I added a 1:1 entry for aaa.bbb.ccc.29 to 192.168.2.29, and I added rules to allow limited access to the DMZ from the WAN, and full access to the DMZ from the LAN. Everything worked fine from the WAN. When I tried to access the web site on aaa.bbb.ccc.29 from the LAN, I got the webGUI for m0n0wall. I was able to bring up the web site on the public server using the 192.168.2.29 private address.
If I have to use private addresses to access servers in the DMZ from the LAN, I'll just use a two interface configuration and go back to playing games with DNS. If I get tired of the Windows resolver problems again, I could implement bridging and NAT on separate m0n0wall systems.

-Alan
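The 1:1 NAT outcome Alan reports (WAN reaches the DMZ host, LAN gets the webGUI, LAN reaches the host only by its private address) modelled as an added Python example; this is not code from the thread or from m0n0wall. It assumes the 1:1 mapping is evaluated only for packets entering the interfaces it is applied to and that the firewall answers for the public address itself, uses 203.0.113.x in place of the aaa.bbb.ccc placeholder, and goes one step beyond the message by showing what changes if the same mapping is also applied on the LAN interface.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the interface layout from the message (example only,
# not m0n0wall's code). 203.0.113.x, a documentation range, stands in for
# the aaa.bbb.ccc public block quoted in the thread.
WAN, LAN, DMZ = "WAN", "LAN", "DMZ"
INTERFACES = {
    WAN: ("203.0.113.25", ip_network("203.0.113.24/29")),
    LAN: ("192.168.1.1", ip_network("192.168.1.0/24")),
    DMZ: ("192.168.2.1", ip_network("192.168.2.0/24")),
}

# The 1:1 entry from the message: aaa.bbb.ccc.29 -> 192.168.2.29.
ONE_TO_ONE = {"203.0.113.29": "192.168.2.29"}

# Assumption: the firewall owns its interface addresses and also answers
# for every 1:1 public address, so an untranslated packet to one of them
# is delivered to the firewall itself (which is where the webGUI lives).
LOCAL_ADDRESSES = {addr for addr, _ in INTERFACES.values()} | set(ONE_TO_ONE)


def classify(in_iface, dst, nat_ifaces=(WAN,)):
    """Return (egress, final destination) for a packet entering in_iface.

    Assumption: the 1:1 mapping is only consulted for packets that enter
    one of nat_ifaces, which by default is just WAN.
    """
    if in_iface in nat_ifaces and dst in ONE_TO_ONE:
        dst = ONE_TO_ONE[dst]           # translated before routing
    elif dst in LOCAL_ADDRESSES:
        return ("local", dst)           # firewall accepts it itself
    target = ip_address(dst)
    for name, (_, net) in INTERFACES.items():
        if target in net:
            return (name, dst)          # forwarded to the directly attached net
    return (WAN, dst)                   # anything else follows the default route


if __name__ == "__main__":
    print("WAN -> public :", classify(WAN, "203.0.113.29"))
    print("LAN -> public :", classify(LAN, "203.0.113.29"))   # the webGUI case
    print("LAN -> private:", classify(LAN, "192.168.2.29"))
    print("LAN -> public, mapping also on LAN:",
          classify(LAN, "203.0.113.29", nat_ifaces=(WAN, LAN)))
```

The last call shows that the public address becomes reachable from the LAN only when the translation is also performed for packets entering LAN; with the mapping bound to WAN alone, a LAN client's packet is never translated and lands on the firewall.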