 From:  John Ackermann N8UR <jra at febo dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Routing to DMZ without bridging or NAT
 Date:  Thu, 27 Apr 2006 11:10:16 -0400
Hi --

I'm replacing a firewall/router based on the Linux Router Project with a 
Soekris 4801 and am considering using m0n0wall; overall it looks like a 
very good product.

I'm trying to understand if I can replicate my current DMZ structure 
with m0n0wall.  I've looked at the FAQ, and neither the DMZ-using-NAT nor 
the DMZ-using-bridging option really meets my needs (because I've recently 
had trouble using NAT to an internal NTP server, and I need my local 
network to be able to reach the DMZ -- those requirements seem to rule 
out the two DMZ examples in the FAQ).

My current architecture uses NAT for the internal network, but simple IP 
routing for the DMZ, passing through the ipfilter.  Also, I use the same 
IP address for the WAN and the DMZ interfaces on the firewall box (i.e., 
my provider gives me a block of five static addresses; the bottom one is 
picked off for the firewall/router, with the other four passed on to the 
DMZ interface).

In other words: eth0 is the WAN, with address xx.xx.xx.238; eth1 is the 
DMZ, also using address xx.xx.xx.238; eth2 is the LAN, using NAT and 
address 192.168.x.x.  Traffic for addresses xx.xx.xx.239-.242 goes 
through the packet filter and out the DMZ port.

Can m0n0wall: (a) use the same IP address on both the WAN and DMZ 
interface, and (b) do simple routing and firewalling between WAN and DMZ 
without NAT or bridging?