Claudio,

In message <44520C46 dot 1020401 at unr dot edu dot ar>, Claudio Castro
<ccastro at unr dot edu dot ar> writes
>Neil A. Hillard wrote:
>> Hi,
>>
>> In message <4450DED8 dot 5060609 at febo dot com>, John Ackermann N8UR
>> <jra at febo dot com> writes
>>
>>> I'm replacing a firewall/router based on the Linux Router Project to a
>>> Soekris 4801 and am considering using m0n0wall; overall it looks like a
>>> very good product.
>>>
>>> I'm trying to understand if I can replicate my current DMZ structure
>>> with m0n0wall. I've looked at the FAQ and neither the DMZ-using-NAT
>>> nor DMZ-using-bridging options really meet my needs (because I've
>>> recently had trouble using NAT to an internal NTP server, and I need my
>>> local network to be able to reach the DMZ -- those requirements seem to
>>> rule out the two DMZ examples in the FAQ).
>>>
>>> My current architecture uses NAT for the internal network, but simple
>>> IP routing for the DMZ, passing through the ipfilter. Also, I use the
>>> same IP address for the WAN and the DMZ interfaces on the firewall box
>>> (ie, my provider gives me a block of five static addresses; the bottom
>>> one is picked off for the firewall/router, with the other four passed
>>> on to the DMZ interface).
>>>
>>> In other words: eth0 is the WAN, with address xx.xx.xx.238; eth1 is
>>> the DMZ, also using address xx.xx.xx.238; eth2 is the LAN, using NAT
>>> and address 192.168.x.x. Traffic for addresses xx.xx.xx.239-.242 goes
>>> through the packet filter and out the DMZ port.
>>>
>>> Can m0n0wall: (a) use the same IP address on both the WAN and DMZ
>>> interface, and (b) do simple routing and firewalling between WAN and
>>> DMZ without NAT or bridging?
>>>
>>
>> You can't have multiple interfaces with the same IP address.
>>
>> If you're thinking that there's a problem accessing devices on an
>> interface that is bridged with WAN then there really isn't a problem.
>>
>> The documentation states that you cannot access devices on the bridged
>> interface from a _NAT'd_ interface. Simply enable advanced outbound NAT
>> and ensure that LAN -> OPT traffic isn't NAT'd but LAN -> WAN is and
>> you'll be laughing.
>>
>> I'm using that exact setup on my m0n0wall (and have been for over a
>> year). I have a SIP server on OPT1 and it's set up like this because of
>> NAT issues with SIP. Now my SIP traffic isn't subject to NAT.
>>
>> HTH,
>>
>>
>> Neil.
>>
>>
>Hi Neil, you said that if I enable outbound NAT and ensure that
>LAN->DMZ isn't NAT'd, I can access the DMZ without using DNS forwarding?
>What about LAN->Internet?

OK, assuming that your WAN IP address range is 1.2.3.0/29 and your LAN IP
address range is 192.168.1.0/24 then you will need to add the following
NAT rule:

Firewall: NAT: Outbound
-----------------------
Interface: WAN
Source: 192.168.1.0/24
Destination: NOT Network 1.2.3.0/29
Target: <Leave Blank>
Description: LAN to WAN hide rule

That will hide all traffic from LAN to WAN except that destined to the
WAN interface / router and OPT1 (assuming OPT1 is bridged with WAN).

LAN -> WAN traffic will be handled normally and will be NAT'd to the WAN
IP address (unless you specify a different one in 'Target' in the above
rule.)

HTH,

Neil.

--
Neil A. Hillard                E-Mail: m0n0 at dana dot org dot uk
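The following script models the outbound NAT decision that the "LAN to WAN hide rule" above produces, so the effect of the "NOT Network 1.2.3.0/29" destination can be checked flow by flow. It is an added illustration written for this archive page, not m0n0wall's own code or anything posted in the thread: the 1.2.3.0/29 and 192.168.1.0/24 ranges are the thread's assumed values, while the firewall's WAN address 1.2.3.2, the DMZ host 1.2.3.4, the Internet host 198.51.100.7, and the function and class names are constructed for the example.

```python
"""Model of m0n0wall's advanced outbound NAT decision for the LAN -> WAN
hide rule described in the reply.  Added example, not m0n0wall code.
Networks are the thread's assumed values; WAN_IP and the sample hosts are
constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

WAN_NET = ip_network("1.2.3.0/29")       # provider block (assumed in the thread)
LAN_NET = ip_network("192.168.1.0/24")   # LAN range (assumed in the thread)
WAN_IP = ip_address("1.2.3.2")           # firewall's WAN address (constructed)


@dataclass(frozen=True)
class OutboundNatRule:
    """One row of Firewall: NAT: Outbound, as filled in on the web GUI."""
    interface: str
    source: IPv4Network
    destination: IPv4Network
    destination_not: bool            # the "NOT" option on Destination
    target: Optional[IPv4Address]    # blank target = interface address
    description: str

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        # Destination test, inverted when "NOT" is set on the rule.
        in_dst = dst in self.destination
        if self.destination_not:
            in_dst = not in_dst
        return src in self.source and in_dst


# The rule from the reply: Source 192.168.1.0/24, Destination NOT
# 1.2.3.0/29, Target left blank (translate to the WAN interface address).
RULES: List[OutboundNatRule] = [
    OutboundNatRule("WAN", LAN_NET, WAN_NET, True, None,
                    "LAN to WAN hide rule"),
]


def outbound_nat(src: str, dst: str, rules: List[OutboundNatRule] = RULES,
                 wan_ip: IPv4Address = WAN_IP) -> Optional[IPv4Address]:
    """Return the translated source address, or None if the packet leaves
    untranslated.  With advanced outbound NAT enabled, only flows that match
    a rule are translated; everything else is routed as-is, which is what
    lets LAN hosts reach the OPT1 (bridged) hosts with their real address."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d):
            return rule.target if rule.target is not None else wan_ip
    return None


def explain(src: str, dst: str) -> str:
    """Human-readable verdict for one flow."""
    new_src = outbound_nat(src, dst)
    if new_src is None:
        return f"{src} -> {dst}: routed, source unchanged"
    return f"{src} -> {dst}: NAT'd, source becomes {new_src}"


if __name__ == "__main__":
    # Constructed sample flows: an Internet host, a DMZ host on the bridged
    # OPT1 segment, and the firewall's own WAN address.
    for flow in [("192.168.1.10", "198.51.100.7"),
                 ("192.168.1.10", "1.2.3.4"),
                 ("192.168.1.10", "1.2.3.2")]:
        print(explain(*flow))
```

The first flow (LAN to an Internet address) matches the rule and is hidden behind the WAN address; the second and third (LAN to a host inside 1.2.3.0/29, whether a bridged DMZ machine or the firewall itself) fall through the rule and are routed without translation, which is the behaviour the reply describes.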