If memory serves me right, adam at ruffdogs dot com wrote:
> I have a setup which I don't know if it's too unusual or not. We have 128 IPs
> on our WAN, let's call it x.x.x.0/25. We also have a 192.168.0/24 LAN. I'd
> like the WAN interface on the m0n0wall to be x.x.x.2, serving the NAT'd LAN
> behind that. My DMZ interface needs to be bridged with the LAN interface so we
> can firewall x.x.x.0/25 hosts behind the DMZ nic.
>
> This works fine, but traffic from/to x.x.x.2 (and the 192.168.0.0/24 NAT'd
> network behind it) does not make it to hosts behind the DMZ nic.
>
> Is this a known limitation or bug? Would a pf-based (à la OpenBSD or FreeBSD's
> port) firewall work for this?
This problem has been discussed at least once on the list fairly
recently. It's basically an odd interaction between bridging and
NAT-ing. I don't know of a solution, but if this was my network, I'd
have one m0n0wall box to do the filtering bridge functionality and
another to do the NAT-ing.
Bruce.
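An added illustration, not from the post or the m0n0wall project, of the two-box split Bruce suggests, written in FreeBSD pf syntax: Box A is a filtering bridge between the upstream link and the public segment, and Box B does the NAT for 192.168.0.0/24 with its outside address on that same public segment behind the bridge, so the LAN reaches the DMZ hosts through Box B's NAT without the flow ever crossing the bridge. Interface names, the placement of Box B, 203.0.113.0/25 standing in for x.x.x.0/25, and the permitted services are assumptions.

```pf
# ---- Box A: filtering bridge (/etc/pf.conf) ----
# Assumed: em0 faces the upstream router, em1 faces the public segment
# (DMZ hosts plus Box B's outside interface). Bridge created outside pf:
#   ifconfig bridge0 create
#   ifconfig bridge0 addm em0 addm em1 up
#   sysctl net.link.bridge.pfil_member=1   # run pf on the member interfaces
#   sysctl net.link.bridge.pfil_bridge=0   # and not again on bridge0 itself
up_if   = "em0"
dmz_if  = "em1"
pub_net = "203.0.113.0/25"     # constructed stand-in for x.x.x.0/25

set skip on lo0
block in log all               # filter once, on ingress to each member
pass out quick all             # the egress leg of a bridged packet always passes
# public hosts (including the NAT box) may initiate anything outbound
pass in quick on $dmz_if inet from $pub_net to any keep state
# from the upstream side, only web traffic to the public block (assumed policy)
pass in quick on $up_if inet proto tcp from any to $pub_net \
    port { 80, 443 } flags S/SA keep state

# ---- Box B: NAT gateway (/etc/pf.conf), a separate file ----
# Assumed: em0 = 203.0.113.2 on the public segment (behind Box A),
# em1 = 192.168.0.1 on the LAN.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.0.0/24"

set skip on lo0
scrub in all
# hide the LAN behind the gateway's public address
nat on $ext_if inet from $lan_net to any -> ($ext_if)
block in log all
pass out quick keep state
# LAN may reach anything, including DMZ hosts on the same segment as em0
pass in quick on $int_if inet from $lan_net to any keep state
```

The two sections are two separate pf.conf files, one per box; loading them as a single file would fail because options must precede rules.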