 From:  John Ackermann N8UR <jra at febo dot com>
 To:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Routing to DMZ without bridging or NAT
 Date:  Thu, 27 Apr 2006 18:25:44 -0400
Neil A. Hillard said the following on 04/27/2006 06:10 PM:

>>>You can't have multiple interfaces with the same IP address.
>>That's too bad; it's been a useful trick in several networks I've been
>>involved with.
> I've never had cause to use that.  I can't think of why I'd need it
> instead of a bridged interface (unless you wanted multiple interfaces
> bridged).

It comes down to having a featureful bridge that can do filtering.  If
you don't have that, and you have a limited number of publicly visible
IPs (for example, my block of five), using one address on both the WAN
and DMZ interfaces leaves one more to use for a machine on the DMZ.
> There isn't a downside!  Just go into the 'Advanced' menu and check
> 'Enable filtering bridge'.  Then add the necessary rules.  I wouldn't
> dream of giving the world access to my SIP server :-)

OK, even better.

Just to explain where I was coming from, to implement this with Linux
Router Project, I had NAT between LAN and WAN, plain old routing between
WAN and DMZ, and proxy ARP to advertise the DMZ machines out to the
Roadrunner-provided cable router that sat in front of the LRP machine.
If I can accomplish the same thing more simply, so much the better.

Thanks for the clarifications!
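As an added illustration, not part of the original thread and not LRP's or m0n0wall's own configuration, the script below sketches the three-part layout John describes on a Linux box with iptables and iproute2: the LAN masqueraded behind the WAN address, DMZ hosts routed with no NAT, and proxy ARP so the upstream cable router sees the DMZ hosts' public addresses on the WAN segment. It also uses the "same address on WAN and DMZ" trick from the thread, which Linux permits. The interface names, the 203.0.113.0/29 block, the SIP host and the ITSP address are constructed placeholders (RFC 5737 documentation ranges). The script only prints the commands unless APPLY=1 is set, so the rule set can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example: LRP-style NAT + routed DMZ + proxy ARP with iptables/iproute2.
# Every address and interface name here is an assumption for illustration.
WAN_IF=${WAN_IF:-eth0}                  # faces the ISP cable router
LAN_IF=${LAN_IF:-eth1}                  # private LAN, masqueraded
DMZ_IF=${DMZ_IF:-eth2}                  # public hosts, routed without NAT
LAN_NET=${LAN_NET:-192.168.1.0/24}
WAN_ADDR=${WAN_ADDR:-203.0.113.2}       # constructed: router's public address
WAN_PREFIX=${WAN_PREFIX:-29}            # constructed /29 from the ISP
DMZ_HOSTS=${DMZ_HOSTS:-"203.0.113.3 203.0.113.4"}   # constructed DMZ machines
SIP_HOST=${SIP_HOST:-203.0.113.3}       # constructed: the SIP server
SIP_PEER=${SIP_PEER:-198.51.100.10}     # constructed: only this ITSP may reach SIP

# Print each command; execute it only when APPLY=1 (requires root).
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

addresses_and_routes() {
    run ip addr add "$WAN_ADDR/$WAN_PREFIX" dev "$WAN_IF"
    # Same public address on the DMZ side, as a /32 so the /29 stays routed
    # out the WAN; this is the "one address on both interfaces" trick.
    run ip addr add "$WAN_ADDR/32" dev "$DMZ_IF"
    # Host routes make the DMZ machines reachable via DMZ_IF and are what
    # the kernel's proxy ARP consults when answering on WAN_IF.
    for h in $DMZ_HOSTS; do
        run ip route add "$h/32" dev "$DMZ_IF"
    done
}

forwarding_and_proxy_arp() {
    run sysctl -w net.ipv4.ip_forward=1
    # WAN side: answer ARP for DMZ hosts so the cable router hands us their
    # traffic. DMZ side: answer ARP for the cable router (the DMZ hosts'
    # default gateway) so their replies come back through this box.
    run sysctl -w "net.ipv4.conf.$WAN_IF.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$DMZ_IF.proxy_arp=1"
}

firewall_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN may go anywhere; it is hidden behind the WAN address on the way out.
    run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # LAN -> DMZ is masqueraded as well: the DMZ hosts default-route to the
    # cable router, which knows nothing about 192.168.1.0/24.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$DMZ_IF" -j MASQUERADE
    # WAN -> DMZ is plain routing with no NAT to hide anything, so the FORWARD
    # chain is the only thing standing between the Internet and the DMZ.
    run iptables -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$SIP_HOST" \
        -p tcp --dport 80 -j ACCEPT
    # SIP signalling only from the ITSP, never from the whole world.
    run iptables -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -s "$SIP_PEER" \
        -d "$SIP_HOST" -p udp --dport 5060 -j ACCEPT
    # DMZ may reach the Internet; DMZ -> LAN stays closed by the DROP policy.
    run iptables -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -j ACCEPT
}

apply_all() {
    addresses_and_routes
    forwarding_and_proxy_arp
    firewall_rules
}

apply_all
```

Review the printed commands first, then rerun with `APPLY=1` as root. The FORWARD policy is DROP and the WAN-to-DMZ rules are per host and per port, which is the property a bridged DMZ would otherwise need a filtering bridge to provide.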