[ previous ] [ next ] [ threads ]
 From:  Mattchewie <mattchewie at charter dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] DMZ to World Issues - Need Guidance
 Date:  Tue, 20 Sep 2005 19:48:25 -0400
Chris Buechler wrote:

>On 9/18/05, Mattchewie <mattchewie at charter dot net> wrote:
>>My network setup is as follows - <I hope the formating turns out ok on
>>this :P, using webmail>
>>(Internet: Cable with 1 public IP)
>>   |
>>  V
>>(WAN: DHCP from ISP - monowall)
>>   |                 |
>>  V                V
>>(LAN: 192.168.1.x)    (DMZ: - DHCP Enabled Interface)
>>               |
>>              V
>>           (Zyxel Router/AP: on WAN side of device)
>>               |
>>              V
>>           (wireless clients on a network)
>first off, if possible, I would turn that Zyxel into a bridge.  i.e.
>make your wireless clients on the 192.168.5.x network, and disable any
>routing and NAT'ing on it.
>if that's not possible, at a minimum, disable NAT on the device if it
>isn't already.  Don't want to be double NAT'ing, that's just ugly. 
>But, given that they can't get out to the Internet, I'm guessing it's
>already routing those IP's.
>The missing piece in your config is probably a static route pointing
> to on the DMZ interface.  (which would not
>be required if you just bridge the AP over to the DMZ interface as I'd
>Also the firewall rule you're probably after is a permit IP from any
>source to destination "not LAN" on your DMZ interface.
>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
Ok, So I configured the router to act like bridge (turned off routing, 
NAT'ing and firewall). My laptop can pick up a dmz dhcp address. 
(192.168.5.x instead of the 192.168.10.x that the zyxel was handing out) 
Even with this configuration I'm still not able to hit the net from the 
dmz. I put in a furewall rule on DMZ/opt1 as follows:
Pass, any, dmz subnet, any, dmz subnet, any

/This granted me the ability to get dns info to my ping requests ( ping 
would now show the ip of say yahoo.com) but still no reply.

So my guess its one more rule or something and everything will work but 
i don't know where to put it!