In message <44520C46 dot 1020401 at unr dot edu dot ar>, Claudio Castro
<ccastro at unr dot edu dot ar> writes
>Neil A. Hillard escribió:
>> In message <4450DED8 dot 5060609 at febo dot com>, John Ackermann N8UR
>> <jra at febo dot com> writes
>>> I'm replacing a firewall/router based on the Linux Router Project to
>>> Soekris 4801 and am considering using m0n0wall; overall it looks like a
>>> very good product.
>>> I'm trying to understand if I can replicate my current DMZ structure
>>> with m0n0wall. I've looked at the FAQ and neither the DMZ-using NAT
>>> nor DMZ-using-bridging options really meet my needs (because I've
>>> recently had trouble using NAT to an internal NTP server, and I need my
>>> local network to be able to reach the DMZ -- those requirements seem to
>>> rule out the two DMZ examples in the FAQ).
>>> My current architecture uses NAT for the internal network, but simple
>>> IP routing for the DMZ, passing through the ipfilter. Also, I use the
>>> same IP address for the WAN and the DMZ interfaces on the firewall box
>>> (ie, my provider gives me a block of five static addresses; the bottom
>>> one is picked off for the firewall/router, with the other four passed
>>> on to the DMZ interface).
>>> In other words: eth0 is the wan, with address xx.xx.xx.238; eth1 is
>>> the DMZ, also using address xx.xx.xx.238; eth2 is the LAN, using NAT
>>> and address 192.168.x.x. Traffic for addresses xx.xx.xx.239-.242 goes
>>> through the packet filter and out the DMZ port.
>>> Can m0n0wall: (a) use the same IP address on both the WAN and DMZ
>>> interface, and (b) do simple routing and firewalling between WAN and
>>> DMZ without NAT or bridging?
>> You can't have multiple interfaces with the same IP address.
>> If you're thinking that there's a problem accessing devices on an
>> interface that is bridge with WAN then there really isn't a problem.
>> The documentation states that you cannot access devices on the bridged
>> interface from a _NAT'd_ interface. Simply enable advanced outbound NAT
>> and ensure that LAN -> OPT traffic isn't NAT'd but LAN -> WAN is and
>> you'll be laughing.
>> I'm using that exact setup on my m0n0wall (and have been for over a
>> year). I have a SIP server on OPT1 and it's setup like this because of
>> NAT issues with SIP. Now my SIP traffic isn't subject to NAT.
>Hi Neil, you said that if I enable outbound NAT and ensure that LAN-
>>DMZ isn't NAT'd, I can access the DMZ without using dns forwarding?
>What about LAN->Internet?
OK, assuming that your WAN IP address range is 220.127.116.11/29 and your LAN
IP address range is 192.168.1.0/24 then you will need to add the
following NAT rule:
Firewall: NAT: Outbound
Destination: NOT Network 18.104.22.168/29
Target: <Leave Blank>
Description: LAN to WAN hide rule
That will hide all traffic from LAN to WAN except that destined to the
WAN interface / router and OPT1 (assuming OPT1 is bridged with WAN).
LAN -> WAN traffic will be handled normally and will be NAT'd to the WAN
IP address (unless you specify a different one in 'Target' in the above
Neil A. Hillard E-Mail: m0n0 at dana dot org dot uk