Joel Cruz wrote:

> I have 3 servers: mail, DNS and proxy (all running Linux). We are the
> ones who host our mail and DNS servers; as of now we don't have a
> firewall for the three servers, only the firewall embedded in Linux.
> My plan is to put the monowall in front of my 3 servers first,
> just like this:
>
>   Wan--> monowall-->private
>                |
>                |
>               Dmz
>
> I set up the monowall on a P4 2.66GHz 4G, 128MB memory. This is my
> configuration:
>
>   Wan = dhcp
>   Lan = 192.168.1.x/24
>   DMZ = 192.168.2.x/24
>
> Rules are on the default configuration.
>
> NAT:
>
> Inbound
>   Wan  TCP  SMTP  192.168.2.x  SMTP  description
>   Wan  TCP  HTTP  192.168.2.x  HTTP  description
>   Wan  TCP  DNS   192.168.2.x  DNS   description
>
> Aliases
>   Mail   210.1.x.x  mail server
>   Dns    210.1.x.x  dns server
>   Proxy  210.1.x.x  proxy server

Like I said, Aliases are for creating rules. Your Aliases should be like:

  Mail   192.168.2.a  mail server
  DNS    192.168.2.b  DNS server
  Proxy  192.168.2.c  proxy server

I assume that you have multiple public IPs and want to use public IPs for
these machines. To include the additional public IPs you will need to add
Server NAT entries. They will look like:

  Public IP   Description
  210.1.x.a   Mail Server
  210.1.x.b   DNS Server
  210.1.x.c   Proxy Server

Then you can create Inbound NAT rules like:

  If         Proto  Ext.  NAT   Int.  Description
  210.1.x.a  TCP    SMTP  Mail  SMTP  Mail Server
  210.1.x.b  TCP    DNS   Dns   DNS   DNS Server
  etc.

(notes: 1. Mail & DNS are aliases  2. Check "Auto create Firewall rule")

> Prob 1: From my proxy, when I try to ping the gateway the request times
> out, but in the LAN when I try to ping the IP of the proxy it replies. I
> cannot ping from the DMZ to the gateway IP, which is the IP of the
> monowall.

I am assuming that the IP of the LAN interface is 192.168.1.1 and the IP
of the DMZ interface is 192.168.2.1.

You should be able to ping 192.168.2.1 from 192.168.2.c.
You should not be able to ping 192.168.1.1 from 192.168.2.c (unless you
added firewall rules).
You should be able to ping 192.168.2.1 from a 192.168.1.x address.
You should be able to ping 192.168.1.1 from a 192.168.1.x address.

> Prob 2: My aliases, for example 210.1.x.x, I cannot ping from outside
> the web. I tried some websites that have a ping tool. I have to see the
> IP of my aliases from outside the web, even the alias that is assigned
> as the IP of my mail.

If you set up the Server NAT like above AND you add the appropriate
firewall rules, you should be able to ping your NATed servers.

In the future please respond to the list.

_________________________________
James W. McKeand
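The exchange above can be checked against a small model of the layout. The following is an added example, not code from m0n0wall or from either poster: a first-match rule evaluator with implicit deny, inbound NAT applied before filtering (so the auto-created WAN rules are written against the internal address), and a validator for the alias mistake in the original post. All addresses are constructed: the documentation range 203.0.113.0/24 stands in for the poster's 210.1.x.x, the DMZ hosts are .10/.11/.12, and the rule that lets a DMZ host reach the DMZ interface address is an assumption modelling the reply's statement, not a claim about m0n0wall's defaults.

```python
"""Added example (not m0n0wall or list-poster code): a first-match model of
the WAN / LAN / DMZ layout discussed above, used to check which connectivity
statements hold under a given NAT table and rule set.
Constructed addresses: 203.0.113.0/24 (documentation range) stands in for
the poster's 210.1.x.x; the DMZ hosts are .10/.11/.12 (assumed)."""
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("192.168.2.0/24")
LAN_GW = ipaddress.ip_network("192.168.1.1/32")   # LAN interface, as assumed in the reply
DMZ_GW = ipaddress.ip_network("192.168.2.1/32")   # DMZ interface, as assumed in the reply

# Aliases the way the reply says they should be: names for the *private* DMZ hosts.
ALIASES = {"Mail": "192.168.2.10", "Dns": "192.168.2.11", "Proxy": "192.168.2.12"}

# Server NAT: additional public addresses the firewall answers for (assumed values).
SERVER_NAT = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}

# Inbound NAT entries: (external IP, proto, external port, alias, internal port).
INBOUND_NAT = [
    ("203.0.113.10", "tcp", 25, "Mail", 25),
    ("203.0.113.11", "tcp", 53, "Dns", 53),
    ("203.0.113.11", "udp", 53, "Dns", 53),
    ("203.0.113.12", "tcp", 80, "Proxy", 80),
]


def bad_aliases(aliases):
    """The original post's mistake: aliases carrying public addresses.
    An alias used as an inbound NAT target must name a DMZ host."""
    return sorted(n for n, a in aliases.items()
                  if ipaddress.ip_address(a) not in DMZ)


def translate_inbound(dst_ip, proto, dport, nat=INBOUND_NAT):
    """Inbound NAT lookup: (public ip, proto, port) -> (private ip, port) or None.
    Without a Server NAT entry the firewall does not own the address at all."""
    if dst_ip not in SERVER_NAT:
        return None
    for ext_ip, p, ext_port, alias, int_port in nat:
        if (ext_ip, p, ext_port) == (dst_ip, proto, dport):
            return ALIASES[alias], int_port
    return None


def rule(iface, proto="any", src=None, dst=None, dport=None, action="pass"):
    """One firewall rule; None in a field means 'any'."""
    return {"if": iface, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "act": action}


def build_rules(nat=INBOUND_NAT, extra=()):
    """Rule set as described in the reply: the default LAN rule passes
    everything from the LAN; the DMZ interface gets only what is listed
    here; WAN gets one auto-created pass rule per inbound NAT entry."""
    rules = [rule("lan", src=LAN)]
    # Assumption: the reply states a DMZ host can ping the DMZ interface
    # address; modelled as an explicit ICMP pass rule on the DMZ interface.
    rules.append(rule("dmz", proto="icmp", src=DMZ, dst=DMZ_GW))
    for _ext_ip, proto, _ext_port, alias, int_port in nat:
        rules.append(rule("wan", proto=proto,
                          dst=ipaddress.ip_network(ALIASES[alias] + "/32"),
                          dport=int_port))
    rules.extend(extra)
    return rules


def ingress_iface(src):
    """Interface a packet arrives on, judged by its source address."""
    if src in LAN:
        return "lan"
    if src in DMZ:
        return "dmz"
    return "wan"


def allowed(src, dst, proto, dport=None, rules=None, nat=INBOUND_NAT):
    """First-match evaluation with implicit deny. Traffic arriving on WAN is
    NAT-translated first, so WAN rules are matched on the private address."""
    rules = build_rules(nat) if rules is None else rules
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = ingress_iface(src)
    if iface == "wan":
        hit = translate_inbound(str(dst), proto, dport, nat)
        if hit is None:
            return False
        dst, dport = ipaddress.ip_address(hit[0]), hit[1]
    for r in rules:
        if r["if"] != iface or r["proto"] not in ("any", proto):
            continue
        if r["src"] is not None and src not in r["src"]:
            continue
        if r["dst"] is not None and dst not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["act"] == "pass"
    return False
```

Running `allowed("192.168.2.12", "192.168.1.1", "icmp")` gives `False` until a DMZ-to-LAN rule is passed in via `extra`, which is the "unless you added firewall rules" caveat in the reply; likewise an outside ping of a Server NAT address is only forwarded once an ICMP entry for that address exists in the NAT table, which is the "appropriate firewall rules" condition for Prob 2.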