Roy,

In message <BAY107 dash F33FEF0919DA9440CE1981A6F60 at phx dot gbl>, RP Smith <rpsmith at hotmail dot com> writes
>
>
>RP Smith wrote:
>> BTW, I do need to access the hosts on the bridged interface from the
>> NAT'ed interface so looks like bridging is not an option for me.
>>
>> Roy...
>> ------------------------------------------
>>
>> Calling all m0n0wall Gurus!
>>
>> I'm trying to configure my m0n0wall to have Private IPs on the LAN and
>> Public IPs on the DMZ but have been unsuccessful so far (I've even
>> tried bridging WAN to DMZ but also had problems with that).
>>
>> Here is my setup:
>>
>> DSL Modem with 6 usable Static IPs.
>>
>> nnn.nnn.7.173 - .178 /26 (255.255.255.192)
>>
>> nnn.nnn.7.129 - Gateway
>>
>> I would like to have .173 NATed to the LAN and the rest of my
>> Public IPs assigned to the DMZ.
>>
>> All help will be greatly appreciated.
>
>How many hosts do you need in the DMZ?
>
>You may have to use .173 on WAN (NATed to LAN - use private IPs here)
>and .174 for DMZ interface. That would leave .175 - .178 (4 hosts) for
>DMZ. You would need to use .174 for the gateway for the DMZ hosts. i.e.
>you would not bridge the DMZ interface - it would be a separate network
>(I guess a /26 mask would work??).
>
>You would need to create rules to allow the needed traffic. You should
>not have any problem accessing the DMZ hosts.
>
>_________________________________
>James W. McKeand
>
>---------------------------------------------------------------------
>
>Thanks for the reply James. I'll take as many hosts as I have left
>over after the subnetting is done. I just wasn't sure if subnetting
>would work for my IP range and didn't know what mask to use on the WAN
>and what mask to use on the DMZ. Doesn't seem like would be able to
>use /26 on both but I guess I'll give it a try and see what happens.
>
>Thanks again, Roy...

You may want to check out one of my previous posts on this subject:

http://m0n0.ch/wall/list/showmsg.php?id=173/85
http://m0n0.ch/wall/list/showmsg.php?id=235/74

You can have OPT1 bridged to WAN _and_ still access OPT1 from LAN - the secret is to use advanced NAT. I'm using it that way now! And you don't waste any IP addresses, either.

HTH,

Neil.

--
Neil A. Hillard E-Mail: m0n0 at dana dot org dot uk
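
An added example, not part of the original thread or of m0n0wall: a Python check of the WAN/DMZ addressing plans discussed above, showing how the six static addresses sit inside the /26 and what each mask choice implies. The 198.51.100 prefix is a constructed stand-in for the elided "nnn.nnn.7", and the function names and finding labels are hypothetical.

```python
import ipaddress

# Constructed stand-in: the thread elides the first two octets ("nnn.nnn.7"),
# so the 198.51.100.0/24 documentation range carries the same last octets.
P = "198.51.100."
GATEWAY = ipaddress.ip_address(P + "129")
ASSIGNED = [ipaddress.ip_address(P + str(n)) for n in range(173, 179)]


def assigned_blocks():
    """Smallest set of CIDR blocks that exactly covers .173 - .178."""
    return list(ipaddress.summarize_address_range(ASSIGNED[0], ASSIGNED[-1]))


def review_plan(wan, dmz):
    """Return findings for a WAN/DMZ interface pair given as 'addr/prefix'."""
    wan_if, dmz_if = ipaddress.ip_interface(wan), ipaddress.ip_interface(dmz)
    findings = []
    if GATEWAY not in wan_if.network:
        findings.append("gateway-unreachable")   # WAN mask too narrow for .129
    if wan_if.network == dmz_if.network:
        findings.append("same-subnet")           # two interfaces, one network
    elif dmz_if.network.subnet_of(wan_if.network):
        # The upstream router still treats these addresses as on-link on the
        # WAN side, so the firewall has to answer for them there.
        findings.append("nested-in-wan")
    # Addresses the DMZ subnet would claim that were never assigned.
    stray = [h for h in dmz_if.network if h not in ASSIGNED]
    if stray:
        findings.append(f"unassigned:{len(stray)}")
    return findings


if __name__ == "__main__":
    print([str(b) for b in assigned_blocks()])
    print(review_plan(P + "173/26", P + "174/26"))   # /26 on both interfaces
    print(review_plan(P + "173/26", P + "177/30"))   # DMZ carved as a /30
    print(review_plan(P + "173/29", P + "177/30"))   # narrowed WAN mask
```

The six addresses do not align to a single CIDR block, so any routed DMZ subnet built from them either overlaps the WAN /26 or requires a WAN mask that no longer contains the .129 gateway.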