 From:  mtnbkr <waa dash m0n0wall at revpol dot com>
 To:  Simon Buob <simon dot buob at lan dot ch>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] M0n0wall LAN/DMZ Interface
 Date:  Sat, 25 Feb 2006 18:46:54 -0500
Simon Buob wrote:
> Hello
> I am a pretty inexperienced user of m0n0wall.
> My m0n0wall has 3 Interfaces. One to the WAN configured as
> DHCP Client. Two interfaces to the LAN configured as LAN and
> DMZ.
> Now i have these two Interfaces connected to the same (!!) switch
> and on this switch there are connected the network clients.
> Is this possible?

Yes, it is physically possible but it will not work as you expect it to.
(as you have found out) :)

> i tried to define the DHCP Clients to get the
> DHCP Leases over MAC Reservations over the according interface.
> But the Clients over the DMZ Interface can't ping the IP of the
> DMZ Interface (Standard Gateway). But in the other direction it works->
> Ping from the M0n0wall to the NICs Interfaces. I also made a Firewall
> Ruleset
> allowing all traffic from the DMZ except to the LAN.
> Someone could give me an advice? Thanks a lot

First, and foremost, you need to get yourself a switch that supports
802.1q (VLANS).

Then, (ignoring security arguments etc) you could segment the switch
into 2 (or more) VLANS. Each port on the switch would need to be
configured as an untagged member of one or the other VLAN, but not both.

For example, ports 1-20 could be configured as untagged members of VLAN
10 (your LAN) and then ports 21-24 could be reserved for VLAN 20 (your DMZ)

THEN, you could plug your LAN port of m0n0 into port 1 of the switch and
your DMZ port of m0n0 into port 21 of the switch.

Now, clients in ports 2-20 will get their DHCP assignments from the lan
interface and clients in ports 21-24 would get their info from the DMZ

BUT, if the DMZ is to be used in a normal fashion (eg: web server, email
server etc) then you would statically assign them their info and disable
DHCP on the DMZ interface.

Next, you would need to configure the rules on each interface to allow
the traffic that you want. By default, m0n0 has an initial built-in LAN
rule to allow everything from all LAN clients OUT to anywhere, but your
other interfaces have NO initial rules and all traffic is blocked until
you add rules to allow it.

Or, you could buy (2) non-802.1q-capable switches and plug one into the
LAN port of m0n0 and one into the DMZ port of m0n0. :)

And finally, there is a third option, and the one I would use if your
switch is 802.1q capable. That is to configure m0n0 to work with VLANS.

Chris wrote some general VLAN documentation here:

I am looking to continue work on documenting that to include m0n0wall
specific information (unless I find that it is already done somewhere else)

Bill Arlofski
Reverse Polarity
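The port-to-VLAN layout proposed in the reply above, modelled as an added example (not code from the original message or from m0n0wall): it computes which m0n0wall interface each client port shares a broadcast domain with, and flags the original setup, where both the LAN and DMZ interfaces sit on one flat switch and two DHCP servers answer the same clients. Port numbers, VLAN ids and interface names are constructed from the reply (VLAN 10 = LAN on ports 1-20, VLAN 20 = DMZ on ports 21-24, m0n0wall LAN on port 1 and DMZ on port 21).

```python
"""Added example: model of untagged VLAN port membership on a single switch.
Values are constructed from the reply's example, not taken from a real switch."""
from collections import defaultdict


def broadcast_domains(port_vlan, uplinks):
    """port_vlan: {port: vlan_id}, the untagged VLAN of each port (exactly one).
    uplinks: {port: interface_name}, ports where m0n0wall interfaces plug in.
    Returns {vlan_id: (set of m0n0wall interfaces, set of client ports)}."""
    domains = defaultdict(lambda: (set(), set()))
    for port, vlan in port_vlan.items():
        routers, clients = domains[vlan]
        if port in uplinks:
            routers.add(uplinks[port])
        else:
            clients.add(port)
    return dict(domains)


def check_layout(port_vlan, uplinks):
    """Return {client_port: m0n0wall interface whose DHCP server it will hear}.
    Raises ValueError when a broadcast domain holds more than one m0n0wall
    interface (two DHCP servers answering the same clients, the original
    problem) or none at all (clients with no gateway)."""
    result = {}
    for vlan, (routers, clients) in broadcast_domains(port_vlan, uplinks).items():
        if len(routers) != 1:
            raise ValueError(
                f"VLAN {vlan}: expected exactly one m0n0wall interface, "
                f"found {sorted(routers)}")
        (iface,) = routers
        for port in clients:
            result[port] = iface
    return result


# Original setup: unmanaged switch, all 24 ports in one broadcast domain.
FLAT = {p: 1 for p in range(1, 25)}
# Proposed setup: ports 1-20 untagged in VLAN 10, ports 21-24 in VLAN 20.
SEGMENTED = {**{p: 10 for p in range(1, 21)}, **{p: 20 for p in range(21, 25)}}
# m0n0wall LAN interface on port 1, DMZ interface on port 21.
UPLINKS = {1: "LAN", 21: "DMZ"}

if __name__ == "__main__":
    try:
        check_layout(FLAT, UPLINKS)
    except ValueError as err:
        print("flat switch:", err)
    plan = check_layout(SEGMENTED, UPLINKS)
    print("segmented switch: port 2 ->", plan[2], ", port 22 ->", plan[22])
```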