Hello, I'm using a design which appears to me quite similar to the DMZ design in the monowall handbook, but am having a strange problem. I suspect an arp problem, but have no idea how to fix it.

Here's the layout:

170.x.x.x lan --- Existing FW --- (wan) monowall (opt1) --- 152.128.8.x/16 lan (nat outside) (bridged)

The existing firewall (Checkpoint, inside address 152.128.8.40/16) provides nat translations from the 170 network for a number of 152.128.8.x hosts. I've assigned the monowall WAN interface 152.128.8.254, and set it to bridge with opt1. Hosts on the 170 lan can access those on the 152 network using their natted addresses correctly, and the monowall firewall states page shows these sessions. 152 hosts can correctly access the 170 network (and beyond) as well.

The problem: From the monowall, I can't ping the existing firewall (even though host traffic is passing fine). It's directly connected via a crossover cable. Presumably because of this, I cannot access the monowall web gui from either the wan side or the opt side. For testing, I've allowed all traffic from either side in the firewall rules. The only way I've found to manage it is to plug a host into the (unused) LAN interface with a crossover cable. I can see log entries as I attempt to access the web gui, so I know that the traffic is reaching the monowall.

Can anyone suggest what I've done wrong?

Thanks,
Kirk