 
 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] DMZ to World Issues - Need Guidance
 Date:  Sun, 18 Sep 2005 21:27:38 -0400
On 9/18/05, Mattchewie <mattchewie at charter dot net> wrote:
> 
> My network setup is as follows - <I hope the formatting turns out ok on
> this :P, using webmail>
> 
> (Internet: Cable with 1 public IP)
>    |
>   V
> (WAN: DHCP from ISP - monowall)
>    |                 |
>   V                V
> (LAN: 192.168.1.x)    (DMZ: 192.168.5.1 - DHCP Enabled Interface)
>                |
>               V
>            (Zyxel Router/AP: 192.168.5.2 on WAN side of device)
>                |
>               V
>            (wireless clients on a 192.168.10.1 network)
> 

First off, if possible, I would turn that Zyxel into a bridge, i.e.
make your wireless clients on the 192.168.5.x network, and disable any
routing and NAT'ing on it.

If that's not possible, at a minimum, disable NAT on the device if it
isn't already.  Don't want to be double NAT'ing, that's just ugly. 
But, given that they can't get out to the Internet, I'm guessing it's
already routing those IPs.

The missing piece in your config is probably a static route pointing
192.168.10.0/24 to 192.168.5.2 on the DMZ interface.  (which would not
be required if you just bridge the AP over to the DMZ interface as I'd
recommend)

Also the firewall rule you're probably after is a permit IP from any
source to destination "not LAN" on your DMZ interface.

-Chris
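
Added example, not part of the original message: a small Python model of the firewall's routing table and DMZ rule, showing where replies to a 192.168.10.x client go with and without the suggested static route, and what "not LAN" matches. The client address, the external address (203.0.113.10) and the "ISP gateway" label are constructed; the 192.168.10.0/24 prefix is the one named in the reply.

```python
import ipaddress as ip

# Constructed model of the firewall's view, using the addresses from the thread.
LAN = ip.ip_network("192.168.1.0/24")
DMZ = ip.ip_network("192.168.5.0/24")
WLAN = ip.ip_network("192.168.10.0/24")   # wireless clients behind the Zyxel
ZYXEL = ip.ip_address("192.168.5.2")      # Zyxel WAN-side address on the DMZ

# (prefix, egress interface, next hop or None when directly connected)
BASE_ROUTES = [
    (ip.ip_network("0.0.0.0/0"), "WAN", "ISP gateway"),
    (LAN, "LAN", None),
    (DMZ, "DMZ", None),
]
STATIC_ROUTE = (WLAN, "DMZ", ZYXEL)       # the route suggested in the reply


def lookup(routes, dst):
    """Longest-prefix match: return (interface, next_hop) for dst."""
    dst = ip.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    _, iface, hop = max(matches, key=lambda r: r[0].prefixlen)
    return iface, hop


def dmz_rule_allows(dst):
    """'Permit IP from any source to destination not LAN' on the DMZ interface.
    Traffic that does not match is assumed to hit a default deny."""
    return ip.ip_address(dst) not in LAN


if __name__ == "__main__":
    client = "192.168.10.50"              # constructed wireless client
    print("reply path, no static route  :", lookup(BASE_ROUTES, client))
    print("reply path, with static route:",
          lookup(BASE_ROUTES + [STATIC_ROUTE], client))
    for dst in ("203.0.113.10", "192.168.1.10", "192.168.5.1"):
        print(f"DMZ -> {dst}: allowed={dmz_rule_allows(dst)}")
```

Without the static route, replies for 192.168.10.50 match only the default route and leave via WAN instead of going back through 192.168.5.2. The last line of output shows that "not LAN" also matches the firewall's own DMZ address, 192.168.5.1.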