 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Bridged OPT1 with WAN and advanced outbound routing.
 Date:  Thu, 31 Aug 2006 19:31:59 +0100

In message
<1b2623ac0608310825x28d680d7lafec4cd4309f6e36 at mail dot gmail dot com>, Carlo
Landmeter <clandmeter at gmail dot com> writes
>I've searched on the list for the following problem which I have.
>My provider provides me with a subnet of 16 IPs for our office to use.
>i.e. :
>My internal LAN is a normal 10. private class C network:
>i.e. :
>I have a monowall with 3 interfaces, LAN, WAN and OPT1.
>I would like to use the OPT1 interface as a DMZ for some servers that
>I have running (i.e. SIP Server). Now to easily accomplish this I've
>bridged the OPT1 and the WAN interface so I don't have to set up 2
>networks to be able to route OPT1 to WAN. I also turned on Advanced
>outbound routing to disable NAT for the OPT1 interface and added a
>rule to enable it for the LAN interface. I also turned on Proxy ARP
>for the whole /28 range. Everything seems to work except of course the
>problem mentioned here http://doc.m0n0.ch/handbook/faq-bridge.html .
>But while searching the mailing list I also came across the following
>post http://m0n0.ch/wall/list/showmsg.php?id=263/80 which says it
>should work when Advanced outbound routing is enabled.
>Could somebody please clarify this, or does anybody have
>another solution to allow the above setup which will support LAN
>access to a bridged DMZ?

It was me that posted that it's possible and I've had my setup working
since May 2005 when I got my /29.

The most important thing to ensure is that traffic from LAN to OPT1 is
not NAT'd.  If you've put a general 'hide' NAT rule on for LAN then
that's what will have broken it.

You will need the following rule to NAT LAN traffic but not that which
goes to WAN / OPT1 networks:

Interface       Source          Destination     Target
WAN        !    *

You do not need to add proxy ARP entries either - so you'd best remove
those - they may well mess things up, too!

I will attempt to document my setup as this does crop up from time to



Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
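An added example, not part of the thread and not m0n0wall's own code: a small Python model of how an advanced outbound NAT rule row (interface, source, optionally negated destination, target) matches a packet, used to show why a blanket 'hide' rule on LAN breaks LAN access to the bridged DMZ while the negated-destination rule above does not. The networks and hosts are constructed placeholders (RFC 5737 documentation ranges), and it assumes, as the reply's WAN-interface rule does, that LAN traffic for the provider subnet is routed out via WAN and bridged across to OPT1.

```python
# Added example (not from the original post): model of m0n0wall advanced
# outbound NAT rule matching. Addresses below are constructed placeholders.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class OutboundNatRule:
    """One row of the 'Advanced outbound NAT' table."""
    interface: str                      # interface the packet leaves on
    source: IPv4Network                 # source network the rule covers
    destination: Optional[IPv4Network]  # None means '*' (any destination)
    negate_destination: bool = False    # True models the '!' in the table
    target: str = "*"                   # '*' = translate to interface address

    def matches(self, out_iface: str, src: IPv4Address, dst: IPv4Address) -> bool:
        if out_iface != self.interface or src not in self.source:
            return False
        if self.destination is None:
            return True
        in_dest = dst in self.destination
        return (not in_dest) if self.negate_destination else in_dest


def outbound_nat_applies(rules: List[OutboundNatRule], out_iface: str,
                         src: IPv4Address, dst: IPv4Address) -> bool:
    """True if some rule translates the packet; a packet matching no rule
    leaves untranslated, which is what bridged LAN -> DMZ traffic needs."""
    return any(rule.matches(out_iface, src, dst) for rule in rules)


LAN_NET = IPv4Network("10.0.0.0/24")          # constructed private LAN
PUBLIC_NET = IPv4Network("203.0.113.16/28")   # constructed provider /28 (WAN + bridged OPT1)
LAN_HOST = IPv4Address("10.0.0.10")
DMZ_HOST = IPv4Address("203.0.113.20")        # constructed SIP server on bridged OPT1
INTERNET_HOST = IPv4Address("198.51.100.7")   # constructed external host

# Broken: a general 'hide' rule translates everything from LAN leaving via
# WAN, including packets for DMZ hosts that sit on the WAN/OPT1 bridge.
HIDE_RULES = [OutboundNatRule("WAN", LAN_NET, None)]

# Working: translate LAN traffic only when the destination is NOT the
# WAN/OPT1 subnet, i.e. the '!' rule from the reply.
FIXED_RULES = [OutboundNatRule("WAN", LAN_NET, PUBLIC_NET, negate_destination=True)]
```

Run the two rule sets against LAN_HOST -> DMZ_HOST and LAN_HOST -> INTERNET_HOST: the hide rule translates both, the negated rule translates only the Internet-bound packet.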