On Dec 20, 2003, at 3:13 AM, Manuel Kasper wrote:
> On 20.12.2003, at 05:37, Alan Schmitz wrote:
>> Until I learn more about how these rules work, I think I'll have to
>> assume that the NAT isn't recognizing return traffic that comes
>> through a bridged interface which isn't included in the NAT state.
> This is probably your problem: m0n0wall does stateful packet
> filtering, and as such traffic must flow through the filter in both
> directions for it to work. This is a design choice.
That makes sense. I assumed that the NAT implementation was aware of
the bridge, but the bridge seems to be passing return traffic that the
NAT can't deal with.
> Well, bridging really interacts in a nasty way with filtering and NAT.
> Maybe your LAN -> DMZ traffic is NATed before being bridged to the DMZ
> interface, but for some reason the replies aren't? Just a wild guess.
> If it weren't for the few applications where it actually makes sense
> to use bridging, I'd remove it from m0n0wall. ;) Maybe you should
> consider using 1:1 NAT for your DMZ server needs instead... it's much
> more straightforward.
I'm all for straightforward, but my 1:1 NAT test didn't work the way I
expected either. My original goal was to create a firewall
configuration where the server(s) in the DMZ could be accessed using
public IP addresses from both the LAN and the WAN. When I tried 1:1
NAT, I used the following interface configuration:
I added a 1:1 entry for aaa.bbb.ccc.29 to 192.168.2.29, and I added
rules to allow limited access to the DMZ from the WAN, and full access
to the DMZ from the LAN. Everything worked fine from the WAN. When I
tried to access the web site on aaa.bbb.ccc.29 from the LAN, I got the
webGUI for m0n0wall. I was able to bring up the web site on the public
server using the 192.168.2.29 private address.
If I have to use private addresses to access servers in the DMZ from
the LAN, I'll just use a two interface configuration and go back to
playing games with DNS. If I get tired of the Windows resolver
problems again, I could implement bridging and NAT on separate m0n0wall
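The "traffic must flow through the filter in both directions" point from the exchange above, as a small model added here (not m0n0wall or ipfilter code, and not the author's configuration): a source NAT whose state table is keyed on the interface the flow left through, so a reply that comes back over a different path (a bridged interface the filter never created state for) matches nothing and is dropped. Addresses (203.0.113.0/24 standing in for aaa.bbb.ccc.0, 192.168.1.10 as the LAN client) and interface names are made up for the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True on the first packet of a flow


class StatefulNat:
    """Toy source NAT with a state table keyed on the 4-tuple plus interface.

    Illustrative only; it is not how any particular firewall stores state.
    """

    def __init__(self, nat_ip: str):
        self.nat_ip = nat_ip
        self.next_port = 40000
        # (egress_if, src, sport, dst, dport) -> translated source port
        self.state = {}
        # (ingress_if, rsrc, rsport, nat_ip, tport) -> original state key
        self.reverse = {}

    def outbound(self, pkt: Packet, egress_if: str):
        """Translate a packet leaving via egress_if, creating state on a SYN."""
        key = (egress_if, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.state:
            if not pkt.syn:
                return None  # mid-flow packet with no state: dropped
            tport = self.next_port
            self.next_port += 1
            self.state[key] = tport
            # the reply is only expected back on the same interface
            self.reverse[(egress_if, pkt.dst, pkt.dport, self.nat_ip, tport)] = key
        return replace(pkt, src=self.nat_ip, sport=self.state[key])

    def inbound(self, pkt: Packet, ingress_if: str):
        """Un-translate a reply; it must match state on the interface it arrives on."""
        key = self.reverse.get((ingress_if, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if key is None:
            return None  # no state for this path: dropped by the stateful filter
        _, orig_src, orig_sport, _, _ = key
        return replace(pkt, dst=orig_src, dport=orig_sport)


def simulate(reply_via_bridge: bool):
    """LAN client 192.168.1.10 talks to a DMZ server on its public address.

    Returns the un-translated reply delivered to the client, or None if the
    reply was dropped. With reply_via_bridge=True the server's answer arrives
    over a bridged interface instead of the one the request left through.
    """
    nat = StatefulNat(nat_ip="203.0.113.1")
    client = Packet("192.168.1.10", 51000, "203.0.113.29", 80, syn=True)
    translated = nat.outbound(client, "wan")
    # server's reply to the translated source address/port (constructed)
    reply = Packet(translated.dst, translated.dport, translated.src, translated.sport)
    ingress = "dmz" if reply_via_bridge else "wan"
    return nat.inbound(reply, ingress)


if __name__ == "__main__":
    print("symmetric path:", simulate(False))
    print("reply via bridge:", simulate(True))
```

Running it shows the symmetric case delivered back to 192.168.1.10:51000 and the bridged-return case dropped, which is the behaviour the thread attributes to the stateful design rather than to a bug in either NAT or bridging.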