> In message <4450DED8 dot 5060609 at febo dot com>, John Ackermann N8UR
> <jra at febo dot com> writes
>> I'm replacing a firewall/router based on the Linux Router Project with a
>> Soekris 4801 and am considering using m0n0wall; overall it looks like a
>> very good product.
>> I'm trying to understand if I can replicate my current DMZ structure
>> with m0n0wall. I've looked at the FAQ and neither the DMZ-using NAT
>> nor DMZ-using-bridging options really meet my needs (because I've
>> recently had trouble using NAT to an internal NTP server, and I need my
>> local network to be able to reach the DMZ -- those requirements seem to
>> rule out the two DMZ examples in the FAQ).
>> My current architecture uses NAT for the internal network, but simple
>> IP routing for the DMZ, passing through the ipfilter. Also, I use the
>> same IP address for the WAN and the DMZ interfaces on the firewall box
>> (ie, my provider gives me a block of five static addresses; the bottom
>> one is picked off for the firewall/router, with the other four passed
>> on to the DMZ interface).
>> In other words: eth0 is the WAN, with address xx.xx.xx.238; eth1 is
>> the DMZ, also using address xx.xx.xx.238; eth2 is the LAN, using NAT
>> and address 192.168.x.x. Traffic for addresses xx.xx.xx.239-.242 goes
>> through the packet filter and out the DMZ port.
>> Can m0n0wall: (a) use the same IP address on both the WAN and DMZ
>> interface, and (b) do simple routing and firewalling between WAN and
>> DMZ without NAT or bridging?
> You can't have multiple interfaces with the same IP address.
> If you're thinking that there's a problem accessing devices on an
> interface that is bridged with WAN, then there really isn't a problem.
> The documentation states that you cannot access devices on the bridged
> interface from a _NAT'd_ interface. Simply enable advanced outbound NAT
> and ensure that LAN -> OPT traffic isn't NAT'd but LAN -> WAN is and
> you'll be laughing.
> I'm using that exact setup on my m0n0wall (and have been for over a
> year). I have a SIP server on OPT1, and it's set up like this because of
> NAT issues with SIP. Now my SIP traffic isn't subject to NAT.
Hi Neil, you said that if I enable outbound NAT and ensure that LAN->DMZ
isn't NAT'd, I can access the DMZ without using DNS forwarding? What