I can't get NATed LAN hosts talking to
bridged-with-WAN DMZ (OPT1) hosts... yet I can ping
OPT1 hosts from m0n0wall itself.
Config:
Soekris 4501
LAN - NATed subnet
WAN - public IP x.y.z.129
OPT1 (DMZ) - bridged to WAN
OPT2 (WLAN) - bridged to LAN
OPT1 (DMZ) is plugged into an isolated switch.
Non-x.y.z.129 DMZ hosts can talk to each other just
fine. However, hosts on NATed LAN cannot reach hosts
on OPT1 (DMZ). E.g. if x.y.z.16 is a host in DMZ, LAN
hosts masq-ed under x.y.z.129 cannot reach x.y.z.16.
E.g. this fails from a LAN host:
"telnet x.y.z.16 80"
... and yields this log entry:
19:15:21.783007 sis2 @0:13 B x.y.z.16,80 -> x.y.z.129,51291 PR TCP len 20 48 -AS IN
Hosts on LAN can get anywhere else (except DMZ) based
on the single "LAN Net -> any" for all ports/protocols
rule.
I have not enabled "block private networks".
I have not enabled bridge filtering.
I can actually ping x.y.z.16 directly from the
m0n0wall box just fine. E.g. /exec.php with ping -c 3
x.y.z.16 works GREAT.
So why can't the LAN hosts get to the DMZ? Is
NATing+Bridging a problem? I'd really like to see
this work: The filtering bridge and traffic shaper
and everything else in one box is slick.
Thanks much,
Rich
Btw - This m0n0wall distro is very impressive: More
functional than many commercial products, yet very
simple to use. Big kudos to the author.
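As an added example (not part of Rich's post or of m0n0wall itself), here is a small Python parser for ipmon-style log lines of the shape shown in the post, which flags blocked TCP SYN-ACKs, i.e. the reply half of a handshake being dropped on the interface it came back on, which is exactly what the post's log entry records. The field meanings (timestamp, interface, @group:rule, B/P action, src,port -> dst,port, protocol, header/total length, optional TCP flags, direction) are assumed from that one line and ipfilter's documented ipmon output; the extra sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Field meanings are assumed from the single line in the post and from
# ipfilter's ipmon output format: timestamp, interface, @group:rule, action
# (B = blocked, P = passed), src,port -> dst,port, PR protocol, len hdr total,
# optional -FLAGS for TCP, and direction (IN/OUT). Adjust for other builds.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[BP])\s+"
    r"(?P<src>[\w.:]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\w.:]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)"
    r"(?:\s+-(?P<flags>[A-Z]+))?\s+(?P<direction>IN|OUT)\s*$"
)


@dataclass
class IpfEntry:
    ts: str
    iface: str
    rule: str        # "group:rule" as printed by ipmon
    action: str      # "B" (blocked) or "P" (passed)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str       # TCP flag letters, "" when none were printed
    direction: str   # "IN" or "OUT"


def parse_ipf_line(line: str) -> Optional[IpfEntry]:
    """Parse one ipmon-style line; return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return IpfEntry(
        ts=m["ts"], iface=m["iface"], rule=f'{m["group"]}:{m["rule"]}',
        action=m["action"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), proto=m["proto"],
        flags=m["flags"] or "", direction=m["direction"],
    )


def is_blocked_reply(e: IpfEntry) -> bool:
    """True when a TCP SYN-ACK (the server's answer to a connection attempt)
    was blocked: the SYN got out, but no state entry or pass rule admitted
    the reply on the interface it arrived on."""
    return e.action == "B" and e.proto == "TCP" and {"A", "S"} <= set(e.flags)


def blocked_replies(lines: List[str]) -> List[str]:
    """Summarise every blocked SYN-ACK as 'iface: client -> server:port'."""
    out = []
    for line in lines:
        e = parse_ipf_line(line)
        if e and is_blocked_reply(e):
            # In a reply, e.dst is the client that opened the connection and
            # e.src:e.sport is the server side it was trying to reach.
            out.append(f"{e.iface}: {e.dst} -> {e.src}:{e.sport}")
    return out


# Constructed sample: the post's line, plus two made-up lines (a passed SYN and
# a blocked bare SYN) to show that only the dropped reply is reported.
SAMPLE_LOG = [
    "19:15:21.783007 sis2 @0:13 B x.y.z.16,80 -> x.y.z.129,51291 PR TCP len 20 48 -AS IN",
    "19:15:21.782900 sis0 @0:9 P 192.168.1.10,51291 -> x.y.z.16,80 PR TCP len 20 48 -S IN",
    "19:16:02.100000 sis1 @0:2 B 203.0.113.7,40000 -> x.y.z.129,22 PR TCP len 20 48 -S IN",
]

if __name__ == "__main__":
    for summary in blocked_replies(SAMPLE_LOG):
        print("blocked reply:", summary)
```

Run it over a saved ipmon log to pull out only the dropped return traffic; a blocked SYN-ACK whose destination is the NAT address is the pattern to look for when an outbound connection leaves but the answer never reaches the client.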