 From:  Lonnie Abelbeck <abelbeck at abelbeck dot com>
 To:  m0n0wall List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Problem in DMZ setup...
 Date:  Tue, 22 Aug 2006 07:54:01 -0500

I will give it a shot...

m0n0wall's inbound NAT only handles UDP and TCP types of IP traffic. The 'port' field of UDP/TCP is what allows NAT to make its magic work. 'ping' uses ICMP, no 'port' information... so, no ping from WAN.

On the other hand, if each of your DMZ servers was NAT'ed via 1:1 NAT, then each DMZ server would have a mapped public WAN address, so all types of IP are a go. Your firewall rules are used to allow/block traffic as desired. Of course, you need 1 static public IP address for each 1:1 NAT, for every DMZ server.

> And also all my three servers in DMZ cannot ping the same website or public IP at the same time?

My guess is this is an outbound NAT issue with non-UDP/TCP data (i.e. no 'port' information). Just like you can't PPTP to the same server on the WAN from inside via multiple simultaneous clients, it makes sense you can't ping from inside via multiple simultaneous clients well. NAT can't figure out the return path because of the lack of the 'port' information in the IP packet.


On Aug 22, 2006, at 4:33 AM, Joel Cruz wrote:

> I have a problem with my setup. This is my setup:
> WAN = dhcp
> LAN = 192.168.1.x/24
> DMZ = 192.168.2.x/24
>
> Aliases
> Mail     192.168.2.a    mail server
> DNS      192.168.2.b    DNS server
> Proxy    192.168.2.c    proxy server
>
> Server NAT
> Public IP    Description
> 210.1.x.a    Mail Server
> 210.1.x.b    DNS Server
> 210.1.x.c    Proxy Server
>
> Inbound NAT
> If           Proto   Ext.   NAT     Int.   Description
> 210.1.x.a    TCP     SMTP   Mail    SMTP   Mail Server
> 210.1.x.b    TCP     DNS    Dns     DNS    DNS Server
> 210.1.x.c    TCP     8080   Proxy   8080   Proxy Server
>
> My problem is I cannot ping all the IPs (from outside WAN) that I configured in Server NAT. And also all my three servers in DMZ cannot ping the same website or public IP at the same time. The IPs in the Server NAT cannot see outside the WAN. Is there any configuration that I missed?
> Please help.....
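To make Lonnie's point concrete, here is a small added model of the two NAT styles discussed above; it is constructed for this thread and is not m0n0wall code. The port-based NAT keys its translation table on (protocol, translated port), so a TCP/UDP reply can be mapped back to the inside host while an ICMP echo, which has no port field, has nothing to key on and cannot be translated at all (this is a model of the m0n0wall behaviour described in the reply, not of NATs that track ICMP query IDs). The 1:1 NAT rewrites only the address, so any IP protocol round-trips, at the cost of one public address per DMZ host. All addresses (203.0.113.x, 198.51.100.x, 192.168.2.x) are constructed documentation ranges, and the DMZ host addresses stand in for the 192.168.2.a/b/c hosts in the original post.

```python
"""Toy model of port-based NAT vs 1:1 NAT (constructed example, not m0n0wall code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None  # None for ICMP: there is no port field
    dport: Optional[int] = None


class PortNat:
    """Many-to-one NAT: translations are keyed on (proto, WAN port)."""

    def __init__(self, wan_ip: str, first_port: int = 40000) -> None:
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        # Without a port there is nothing to key the translation on, so the
        # packet cannot be NATed (mirrors the "no port, no NAT" behaviour).
        if pkt.proto not in ("tcp", "udp") or pkt.sport is None:
            return None
        wan_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, wan_port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.wan_ip, pkt.dst, wan_port, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # The reply's destination port selects the inside host and port.
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.proto, pkt.src, inside_ip, pkt.sport, inside_port)


class OneToOneNat:
    """1:1 NAT: one public address per inside host, protocol-agnostic."""

    def __init__(self, public_to_private: Dict[str, str]) -> None:
        self.pub_to_priv = dict(public_to_private)
        self.priv_to_pub = {v: k for k, v in public_to_private.items()}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        pub = self.priv_to_pub.get(pkt.src)
        if pub is None:
            return None
        return Packet(pkt.proto, pub, pkt.dst, pkt.sport, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        priv = self.pub_to_priv.get(pkt.dst)
        if priv is None:
            return None
        return Packet(pkt.proto, pkt.src, priv, pkt.sport, pkt.dport)


# Constructed addresses: WAN side and two DMZ hosts (the "a" and "b" servers).
WAN_IP = "203.0.113.10"
DMZ_A, DMZ_B = "192.168.2.1", "192.168.2.2"
REMOTE = "198.51.100.5"


def port_nat_demo() -> dict:
    """TCP round-trips through port NAT; ICMP from two hosts cannot be NATed."""
    nat = PortNat(WAN_IP)
    out = nat.outbound(Packet("tcp", DMZ_A, REMOTE, 51000, 25))
    reply = nat.inbound(Packet("tcp", REMOTE, WAN_IP, 25, out.sport))
    ping_a = nat.outbound(Packet("icmp", DMZ_A, REMOTE))
    ping_b = nat.outbound(Packet("icmp", DMZ_B, REMOTE))
    return {"tcp_reply_to": reply.dst, "icmp_a": ping_a, "icmp_b": ping_b}


def one_to_one_demo() -> dict:
    """Two hosts ping the same remote at once; each has its own public address."""
    nat = OneToOneNat({"203.0.113.11": DMZ_A, "203.0.113.12": DMZ_B})
    ping_a = nat.outbound(Packet("icmp", DMZ_A, REMOTE))
    ping_b = nat.outbound(Packet("icmp", DMZ_B, REMOTE))
    reply_b = nat.inbound(Packet("icmp", REMOTE, ping_b.src))
    return {"ping_a_src": ping_a.src, "ping_b_src": ping_b.src, "reply_b_to": reply_b.dst}


if __name__ == "__main__":
    print(port_nat_demo())     # ICMP entries are None: no port, no translation
    print(one_to_one_demo())   # each host keeps its own public source address
```

Whichever NAT style is used, translation only decides whether a return path exists; the firewall rules on the WAN interface still decide whether the traffic is permitted, so a 1:1 mapping that should answer pings still needs an explicit ICMP allow rule.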