Guy,
>First I naively configured m0n0wall as a bridged firewall, and contrary
>to the m0n0wall documentation, arrogantly presumed I could make the LAN
>reach the DMZ, especially after reading in one mailing list that someone
>had successfully set up a filtered bridge with LAN to DMZ access. After
>lots of tinkering about, I had no such luck. Bruce Mah, a guru in this
>field, very kindly verified that this is not possible with the current
>version of m0n0wall (v1.2) and explained why filtering bridge and NAT
>do not 100% cooperate. (By the way, if anyone has managed to
>get bridging working with LAN reaching DMZ, please please let me know.)
>
>So now I am going along with the following scenario with m0n0wall (v1.21).
>My ISP has allocated me the following block of IP addresses,
>x.y.254.64/28, which I have divided into two isolated subnets. Not
>ideal, as I am effectively losing 4 IP addresses (x.y.254.67 - 70), as
>they are not protected behind the firewall. But I can live with this
>scenario.
>
>   x.y.254.74/29   |
>   +---------+     |
>   | server1 +-----|  DMZ                        WAN
>   +---------+     |  x.y.254.73/29              x.y.254.66/29
>                   |  fxp2+----------+fxp0       +----------+
>   x.y.254.78/29   |------+ m0n0wall +-----------+DSL modem +--->Internet
>   +---------+     |      +----------+           +----------+
>   | server2 +-----|           |fxp1             x.y.254.65/28
>   +---------+     |           |LAN
>                   |           |192.168.1.1/24
You should be able to achieve this (I am currently running this setup at
home, with a /29 - my ADSL router is running as a full bridge and OPT1
is bridged to WAN):
    x.y.254.74/28   |
    +---------+     |
    | server1 +-----|  DMZ                        WAN
    +---------+     |  Bridged with WAN           x.y.254.66/28
                    |  fxp2+----------+fxp0       +----------+
    x.y.254.78/28   |------+ m0n0wall +-----------+DSL modem +--->Internet
    +---------+     |      +----------+           +----------+
    | server2 +-----|           |fxp1             x.y.254.65/28
    +---------+     |           |LAN
                    |           |192.168.1.1/24
The trick to it is to enable 'Advanced outbound NAT' and ensure that
your traffic from LAN to DMZ is not NATed. e.g. add the following rule:
    Interface:    WAN
    Source:       192.168.1.0/24
    Destination:  NOT  Network  x.y.254.64/29
    Target:
    Description:  LAN to WAN hide rule
If you can't get this to work, feel free to contact me off-list to
resolve this and then post the results to the mailing list once it is
working.
HTH,
Neil.
--
Neil A. Hillard                 E-Mail: m0n0 at dana dot org dot uk
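The outbound NAT decision Neil describes, as an added example that is not part of the thread and not m0n0wall's own code: a small model of the two modes (default outbound NAT, which hides everything leaving WAN behind the WAN address, versus 'Advanced outbound NAT', where only rules you write translate and the NOT checkbox inverts the destination match), run over a LAN-to-DMZ, a LAN-to-Internet and a LAN-to-LAN packet. Assumptions on my part: the thread's x.y.254.0 addresses are stood in for by the documentation prefix 203.0.113.0; interface names follow the diagram (fxp0 WAN, fxp1 LAN, OPT1/fxp2 bridged to WAN); and the no-NAT exception uses the /28 from the diagram rather than the /29 in the posted rule, because the DMZ hosts .74 and .78 fall outside a /29 (the last function call shows what the /29 would do to them).

```python
"""Model of m0n0wall-style outbound NAT (illustrative, not m0n0wall code).

Assumed addressing: 203.0.113.0 stands in for the thread's x.y.254.0;
fxp0 is WAN, fxp1 is LAN, OPT1/fxp2 is bridged to WAN."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Sequence

WAN_IF, LAN_IF = "fxp0", "fxp1"
IF_ADDR = {                                  # 'interface address' NAT targets
    WAN_IF: ip_address("203.0.113.66"),      # x.y.254.66 in the thread
    LAN_IF: ip_address("192.168.1.1"),
}

# Routing table.  OPT1 is bridged to WAN, so the DMZ hosts live inside the
# WAN subnet and packets for them leave via the WAN interface, which is
# exactly why default outbound NAT catches LAN-to-DMZ traffic.
ROUTES = [
    (ip_network("192.168.1.0/24"), LAN_IF),
    (ip_network("203.0.113.64/28"), WAN_IF),   # ISP block, /28 assumed (diagram)
]
DEFAULT_ROUTE_IF = WAN_IF


def egress_interface(dst) -> str:
    """Longest-prefix match over ROUTES, falling back to the default route."""
    d = ip_address(str(dst))
    hits = [r for r in ROUTES if d in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else DEFAULT_ROUTE_IF


@dataclass(frozen=True)
class OutboundNatRule:
    """One row of the 'Advanced outbound NAT' table."""
    interface: str
    source: IPv4Network
    destination: Optional[IPv4Network] = None   # None means 'any'
    destination_not: bool = False               # the NOT checkbox
    target: Optional[IPv4Address] = None        # blank target == interface address
    descr: str = ""

    def matches(self, out_if: str, src: IPv4Address, dst: IPv4Address) -> bool:
        if out_if != self.interface or src not in self.source:
            return False
        dst_hit = self.destination is None or dst in self.destination
        return dst_hit != self.destination_not  # NOT inverts only the destination test


def translated_source(src: str, dst: str,
                      advanced_rules: Optional[Sequence[OutboundNatRule]] = None) -> IPv4Address:
    """Source address the destination host will see.

    advanced_rules=None models default outbound NAT.  Any list (even an empty
    one) models 'Advanced outbound NAT' enabled: the first matching rule
    translates, unmatched traffic passes with its real source address."""
    s, d = ip_address(src), ip_address(dst)
    out_if = egress_interface(d)
    if advanced_rules is None:
        return IF_ADDR[WAN_IF] if out_if == WAN_IF else s
    for rule in advanced_rules:
        if rule.matches(out_if, s, d):
            return rule.target if rule.target is not None else IF_ADDR[rule.interface]
    return s


# The rule from the reply, with the ISP block as a /28 (assumption, see above).
LAN_TO_WAN_HIDE = OutboundNatRule(
    interface=WAN_IF,
    source=ip_network("192.168.1.0/24"),
    destination=ip_network("203.0.113.64/28"),
    destination_not=True,
    descr="LAN to WAN hide rule",
)
# The same rule with the /29 exactly as posted, to show the pitfall.
HIDE_RULE_WITH_29 = replace(LAN_TO_WAN_HIDE, destination=ip_network("203.0.113.64/29"))

if __name__ == "__main__":
    lan_host, dmz_host, internet_host = "192.168.1.10", "203.0.113.74", "198.51.100.5"
    print("default NAT, LAN->DMZ      :", translated_source(lan_host, dmz_host))
    print("advanced /28, LAN->DMZ     :", translated_source(lan_host, dmz_host, [LAN_TO_WAN_HIDE]))
    print("advanced /28, LAN->Internet:", translated_source(lan_host, internet_host, [LAN_TO_WAN_HIDE]))
    print("advanced /29, LAN->DMZ     :", translated_source(lan_host, dmz_host, [HIDE_RULE_WITH_29]))
```

With default outbound NAT the DMZ server sees 203.0.113.66 (the firewall's WAN address) as the source of LAN traffic; with the advanced rule and the /28 it sees the real 192.168.1.x address, while LAN-to-Internet traffic is still hidden. With the /29 as posted, .74 and .78 sit outside the exception and get NATed again, so check the mask against where the DMZ hosts actually are.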