 
 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Routing to DMZ without bridging or NAT
 Date:  Thu, 27 Apr 2006 23:10:54 +0100
John,

In message <44513F74 dot 1020601 at febo dot com>, John Ackermann N8UR
<jra at febo dot com> writes
>Neil A. Hillard said the following on 04/27/2006 05:46 PM:
>
>> You can't have multiple interfaces with the same IP address.
>
>That's too bad; it's been a useful trick in several networks I've been
>involved with.

I've never had cause to use that.  I can't think of why I'd need it
instead of a bridged interface (unless you wanted multiple interfaces
bridged).


>> If you're thinking that there's a problem accessing devices on an
>> interface that is bridged with WAN then there really isn't a problem.
>>
>> The documentation states that you cannot access devices on the bridged
>> interface from a _NAT'd_ interface.  Simply enable advanced outbound NAT
>> and ensure that LAN -> OPT traffic isn't NAT'd but LAN -> WAN is and
>> you'll be laughing.
>
>Thanks for clarifying that.  I guess the remaining downside is that the
>DMZ doesn't get the benefit of any firewalling, but I suppose I can do
>that locally on the servers (which are all Linux or FreeBSD).

There isn't a downside!  Just go into the 'Advanced' menu and check
'Enable filtering bridge'.  Then add the necessary rules.  I wouldn't
dream of giving the world access to my SIP server :-)

HTH,


                                Neil.

-- 
Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
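The outbound NAT advice in Neil's reply (exempt LAN -> bridged DMZ traffic from translation while LAN -> WAN traffic is still NAT'd) comes down to rule ordering: the exemption has to match before the catch-all rule. The model below is an added example written for this archive page; it is not m0n0wall's code and does not read its config.xml. The addressing (LAN 192.168.1.0/24, WAN/DMZ block 203.0.113.0/28, firewall WAN address 203.0.113.2) and the rule fields are constructed assumptions chosen to illustrate first-match evaluation.

```python
"""First-match outbound NAT evaluation (constructed model, not m0n0wall code).

Shows why the LAN -> DMZ "no NAT" exemption must come before the
LAN -> anywhere catch-all: with the order reversed, traffic to hosts on
the WAN-bridged DMZ is still translated to the firewall's WAN address.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List

# Constructed addressing (assumptions): the LAN sits behind NAT; the DMZ is
# bridged with WAN, so DMZ servers live inside the WAN subnet.
LAN_NET = ip_network("192.168.1.0/24")
WAN_NET = ip_network("203.0.113.0/28")
WAN_ADDR = ip_address("203.0.113.2")   # firewall WAN address used as NAT source
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class OutboundNatRule:
    """One outbound NAT rule: matched on source and destination network."""
    source: IPv4Network
    destination: IPv4Network
    no_nat: bool = False        # True: matching traffic passes untranslated
    description: str = ""


def apply_outbound_nat(src: IPv4Address, dst: IPv4Address,
                       rules: List[OutboundNatRule]) -> IPv4Address:
    """Return the source address the packet leaves with.

    Rules are evaluated top to bottom; the first rule whose source and
    destination networks both contain the packet decides. If no rule
    matches, the packet leaves with its original source address.
    """
    for rule in rules:
        if src in rule.source and dst in rule.destination:
            return src if rule.no_nat else WAN_ADDR
    return src


def check_policy(rules: List[OutboundNatRule]) -> Dict[str, bool]:
    """Check the two properties the thread asks for against a rule set."""
    lan_host = ip_address("192.168.1.10")       # constructed LAN client
    dmz_host = ip_address("203.0.113.5")        # constructed DMZ server on the bridge
    internet_host = ip_address("198.51.100.7")  # constructed remote host
    return {
        "lan_to_dmz_untranslated":
            apply_outbound_nat(lan_host, dmz_host, rules) == lan_host,
        "lan_to_internet_translated":
            apply_outbound_nat(lan_host, internet_host, rules) == WAN_ADDR,
    }


# Correct order: the exemption for the bridged DMZ is matched first.
GOOD_RULES = [
    OutboundNatRule(LAN_NET, WAN_NET, no_nat=True,
                    description="LAN -> bridged DMZ: do not translate"),
    OutboundNatRule(LAN_NET, ANY,
                    description="LAN -> everything else: NAT to WAN address"),
]

# Misordered: the catch-all shadows the exemption, so DMZ traffic is NAT'd too.
BAD_RULES = list(reversed(GOOD_RULES))


if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, check_policy(rules))
```

Running it prints both properties true for the correctly ordered set and shows `lan_to_dmz_untranslated` false for the reversed set, which is the symptom the documentation describes as being unable to reach the bridged interface from a NAT'd interface.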