 
 From:  "dasz" <daszylstra at comcast dot net>
 To:  <NERD341 at softhome dot net>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] DMZ Issues for the 400th Time
 Date:  Wed, 19 Apr 2006 23:36:46 -0400
----- Original Message ----- 
From: <NERD341 at softhome dot net>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Wednesday, April 19, 2006 10:32 PM
Subject: [m0n0wall] DMZ Issues for the 400th Time


> I have been reading the M0n0Wall mailing list for some time and still can't
> find a fix for my problem; I am trying to set up a DMZ.  I know this has
> been asked a million times but I must be missing something and would
> appreciate a hand.  Here is a little back story on my network.  I have a
> generic PC setup (P3 with a 4 gig HD, 512 MB of RAM) with 5 network cards.
> I have 5 static IP addresses <X.X.X.154-158> I would like to use for
> servers.  I currently have my servers on the outside of my firewall to be
> operational.
> Here is my network diagram.
> WAN (X.X.X.154)
> LAN (192.168.1.1)
>   <DHCP - PCs and Other IP Random Stuff>
> DMZ (192.168.10.1)
>   <192.168.10.100> - Server 1 (WWW1 and Mail) (X.X.X.155)
>   <192.168.10.110> - Server 2 (WWW2) (X.X.X.156)
>   <192.168.10.120> - Server 3 (Dev) (X.X.X.157)
>   <192.168.10.130> - Server 4 (Other) (X.X.X.158)
> WLAN (192.168.2.1)
>   <DHCP - Private Wireless>
> WLAN_PUBLIC (192.168.5.1)
>   <DHCP - Public Wireless>
> I have proxy ARP set up to listen for IP X.X.X.155-158.  I have captive
> portal active on WLAN_PUBLIC and outbound NAT set up for LAN, WLAN, and
> WLAN_PUBLIC.  1:1 NAT set up to the above config.
> Now this is where I get a little confused.  Which interface do I need to
> set the rules up on to allow traffic to my servers?  I have been testing
> this by allowing HTTP to Server 1, with a rule like TCP | * | 80 |
> 192.168.10.100 | 80 on the DMZ interface.  Is this RIGHT?  I am unable to
> access the server by using the IP .154.  I did add a rule of TCP | * | *
> | X.X.X.154 | 8080 so I could remote admin the firewall for testing and
> this works fine.
> Any help on getting this working would be greatly appreciated.
-----------------------------------------------------------------------------------

Try the rule with TCP | * | * | 192.168.10.100 | 80 (the HTTP client
doesn't normally use source port 80, just destination port 80).

Also, when I'm debugging my config I've found the firewall log is very
helpful, i.e. if you test HTTP access that gets denied, the log should show
the event with source IP/port and destination IP/port . . . .
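To show why the source-port column matters, here is an added example (not code from the list thread or from m0n0wall itself): a small model that applies the poster's 1:1 NAT mapping to an inbound packet and then evaluates rules in the "proto | src port | dst IP | dst port" form used above. It assumes that inbound 1:1 NAT rewrites the destination before the rule is checked (which is why the rule names the 192.168.10.x host), and the client address, ephemeral port and log-line format are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Optional, List, Tuple

ANY = None  # the "*" column in a rule


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    proto: str
    src_port: Optional[int]   # ANY matches every source port
    dst_ip: str
    dst_port: Optional[int]   # ANY matches every destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and self.src_port in (ANY, pkt.src_port)
                and self.dst_ip == pkt.dst_ip
                and self.dst_port in (ANY, pkt.dst_port))


# 1:1 NAT table from the poster's diagram (public -> DMZ host); X.X.X is the
# poster's own placeholder for the public prefix.
ONE_TO_ONE = {"X.X.X.155": "192.168.10.100", "X.X.X.156": "192.168.10.110",
              "X.X.X.157": "192.168.10.120", "X.X.X.158": "192.168.10.130"}


def apply_one_to_one(pkt: Packet) -> Packet:
    """Assumed model: inbound 1:1 NAT rewrites the destination before filtering."""
    return replace(pkt, dst_ip=ONE_TO_ONE.get(pkt.dst_ip, pkt.dst_ip))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule passes the packet; anything else is blocked (default deny).
    The second element is a constructed log line in the spirit of the firewall log."""
    inner = apply_one_to_one(pkt)
    flow = f"{inner.proto} {inner.src_ip}:{inner.src_port} -> {inner.dst_ip}:{inner.dst_port}"
    for rule in rules:
        if rule.matches(inner):
            return "pass", f"pass {flow}"
    return "block", f"block {flow}"


# Constructed web client: ephemeral source port, destination port 80 on .155
CLIENT = Packet("TCP", "198.51.100.7", 51234, "X.X.X.155", 80)
RULE_SRC_80 = [Rule("TCP", 80, "192.168.10.100", 80)]   # the poster's rule
RULE_SRC_ANY = [Rule("TCP", ANY, "192.168.10.100", 80)]  # the suggested rule
```

Running `evaluate(RULE_SRC_80, CLIENT)` yields a block line showing the client's ephemeral source port, which is exactly the entry to look for in the firewall log; `evaluate(RULE_SRC_ANY, CLIENT)` passes.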