Neil A. Hillard wrote:
> Hi,
>
> In message <4450DED8 dot 5060609 at febo dot com>, John Ackermann N8UR
> <jra at febo dot com> writes
>
>> I'm replacing a firewall/router based on the Linux Router Project with a
>> Soekris 4801 and am considering using m0n0wall; overall it looks like a
>> very good product.
>>
>> I'm trying to understand if I can replicate my current DMZ structure
>> with m0n0wall. I've looked at the FAQ and neither the DMZ-using-NAT
>> nor the DMZ-using-bridging option really meets my needs (because I've
>> recently had trouble using NAT to an internal NTP server, and I need my
>> local network to be able to reach the DMZ -- those requirements seem to
>> rule out the two DMZ examples in the FAQ).
>>
>> My current architecture uses NAT for the internal network, but simple
>> IP routing for the DMZ, passing through the ipfilter. Also, I use the
>> same IP address for the WAN and the DMZ interfaces on the firewall box
>> (i.e., my provider gives me a block of five static addresses; the bottom
>> one is picked off for the firewall/router, with the other four passed
>> on to the DMZ interface).
>>
>> In other words: eth0 is the WAN, with address xx.xx.xx.238; eth1 is
>> the DMZ, also using address xx.xx.xx.238; eth2 is the LAN, using NAT
>> and address 192.168.x.x. Traffic for addresses xx.xx.xx.239-.242 goes
>> through the packet filter and out the DMZ port.
>>
>> Can m0n0wall: (a) use the same IP address on both the WAN and DMZ
>> interface, and (b) do simple routing and firewalling between WAN and
>> DMZ without NAT or bridging?
>>
>
> You can't have multiple interfaces with the same IP address.
>
> If you're thinking that there's a problem accessing devices on an
> interface that is bridged with WAN then there really isn't a problem.
>
> The documentation states that you cannot access devices on the bridged
> interface from a _NAT'd_ interface. Simply enable advanced outbound NAT
> and ensure that LAN -> OPT traffic isn't NAT'd but LAN -> WAN is and
> you'll be laughing.
>
> I'm using that exact setup on my m0n0wall (and have been for over a
> year). I have a SIP server on OPT1 and it's set up like this because of
> NAT issues with SIP. Now my SIP traffic isn't subject to NAT.
>
> HTH,
>
>
> Neil.
>

Hi Neil,

You said that if I enable outbound NAT and ensure that LAN -> DMZ isn't
NAT'd, I can access the DMZ without using DNS forwarding? What about
LAN -> Internet?

Thanks
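The advanced outbound NAT policy Neil describes (LAN -> bridged OPT1 passes untranslated, LAN -> everything else leaving WAN is translated to the firewall's WAN address), as an added example that is not part of this thread and not m0n0wall's own code or rule format. It is a small model of per-interface outbound NAT rules: a longest-prefix route lookup picks the egress interface, then the first matching rule on that interface decides whether the source address is rewritten. All addresses are constructed (RFC 5737 documentation ranges), the ISP block is assumed to be a /29, the interface names LAN/WAN/OPT1 follow m0n0wall's naming, and the rule dictionaries are this example's own simplification.

```python
import ipaddress

# Constructed example addresses (RFC 5737 documentation ranges), not the
# addresses from the thread. Assumption: the ISP block is a /29, the firewall's
# WAN address sits at the top of it, and the DMZ hosts live inside the same
# block, reachable because OPT1 is bridged with WAN (bridged OPT1 has no
# address of its own).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WAN_NET = ipaddress.ip_network("203.0.113.232/29")
WAN_ADDR = ipaddress.ip_address("203.0.113.238")

# Routing table as (destination network, egress interface); longest prefix wins.
ROUTES = [
    (LAN_NET, "LAN"),
    (WAN_NET, "WAN"),                          # DMZ hosts are on-link via WAN
    (ipaddress.ip_network("0.0.0.0/0"), "WAN"),  # default route
]

# Advanced outbound NAT rules, evaluated first-match on the egress interface.
# "dst" None means any destination; "nat_to" None means pass untranslated.
# This is a simplified model of per-interface outbound NAT, not m0n0wall's
# configuration format.
NAT_RULES = [
    # LAN -> bridged OPT1/DMZ hosts: keep the real LAN source address.
    {"iface": "WAN", "src": LAN_NET, "dst": WAN_NET, "nat_to": None},
    # LAN -> anything else leaving WAN: translate to the firewall's WAN address.
    {"iface": "WAN", "src": LAN_NET, "dst": None, "nat_to": WAN_ADDR},
]

# The weak setting: only the catch-all rule, i.e. NAT everything that leaves
# WAN, which is what makes bridged hosts unreachable from a NAT'd interface.
DEFAULT_NAT_RULES = [NAT_RULES[1]]


def egress_interface(dst):
    """Longest-prefix route lookup; returns the interface a packet to dst leaves on."""
    dst = ipaddress.ip_address(str(dst))
    best = None
    for net, iface in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def outbound_nat(src, dst, rules=NAT_RULES):
    """Return (egress interface, source address the destination host will see)."""
    src_ip = ipaddress.ip_address(str(src))
    dst_ip = ipaddress.ip_address(str(dst))
    iface = egress_interface(dst_ip)
    for rule in rules:
        if rule["iface"] != iface or src_ip not in rule["src"]:
            continue
        if rule["dst"] is not None and dst_ip not in rule["dst"]:
            continue
        # First matching rule decides; nat_to None keeps the original source.
        seen = rule["nat_to"] if rule["nat_to"] is not None else src_ip
        return iface, str(seen)
    # No rule on this interface at all: traffic passes untranslated.
    return iface, str(src_ip)


if __name__ == "__main__":
    lan_host = "192.168.1.10"
    for label, dst in [("DMZ host", "203.0.113.234"), ("Internet", "198.51.100.5")]:
        iface, seen = outbound_nat(lan_host, dst)
        print(f"{lan_host} -> {dst} ({label}): leaves {iface}, seen as {seen}")
    iface, seen = outbound_nat(lan_host, "203.0.113.234", DEFAULT_NAT_RULES)
    print(f"with NAT-everything rules the DMZ host would instead see {seen}")
```

With the exemption rule in place the DMZ host sees the real 192.168.1.10 source, so no DNS trickery is needed for LAN clients to reach it; LAN -> Internet traffic still matches the catch-all rule and leaves as 203.0.113.238. The model only covers the forward direction: for the reply to come back, the DMZ host (or its default gateway) must route the LAN network through the firewall's WAN address, otherwise the privately addressed reply is handed to the ISP gateway instead.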