On 21.12.2003, at 03:54, Alan Schmitz wrote:

> I added a 1:1 entry for aaa.bbb.ccc.29 to 192.168.2.29, and I added
> rules to allow limited access to the DMZ from the WAN, and full access
> to the DMZ from the LAN. Everything worked fine from the WAN. When I
> tried to access the web site on aaa.bbb.ccc.29 from the LAN, I got the
> webGUI for m0n0wall. I was able to bring up the web site on the
> public server using the 192.168.2.29 private address.

Yep, that's a well-known limitation in ipnat and also applies to normal inbound (i.e. non-1:1) NAT setups. Packets cannot "loop" through the WAN interface, so that means you'll have to use the private addresses to access DMZ from LAN. This FAQ entry explains it:

http://www.phildev.net/ipf/IPFprob.html#8

- Manuel