 From:  "Carlo Landmeter" <clandmeter at gmail dot com>
 To:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Bridged OPT1 with WAN and advanced outbound routing.
 Date:  Fri, 1 Sep 2006 12:35:47 +0200
On 8/31/06, Neil A. Hillard <m0n0 at dana dot org dot uk> wrote:
> Hi,
> In message
> <1b2623ac0608310825x28d680d7lafec4cd4309f6e36 at mail dot gmail dot com>, Carlo
> Landmeter <clandmeter at gmail dot com> writes
> >I've searched on the list for the following problem which I have.
> >
> >My provider provides me with a subnet of 16 IPs for our office to use.
> >i.e. :
> >
> >My internal LAN is a normal 10. private class C network:
> >i.e. :
> >
> >I have a m0n0wall with 3 interfaces: LAN, WAN and OPT1.
> >I would like to use the OPT1 interface as a DMZ for some servers that
> >I have running (i.e. SIP server). Now to easily accomplish this I've
> >bridged the OPT1 and the WAN interface so I don't have to setup 2
> >networks to be able to route OPT1 to WAN. I also turned on Advanced
> >outbound routing to disable NAT for the OPT1 interface and added a
> >rule to enable it for the LAN interface. I also turned on Proxy ARP on
> >for the whole /28 range. Everything seems to work except of course the
> >problem mentioned here http://doc.m0n0.ch/handbook/faq-bridge.html .
> >But while searching the mailing list I also came across the following
> >post http://m0n0.ch/wall/list/showmsg.php?id=263/80 which tells it
> >should work when Advanced outbound routing is enabled.
> >
> >Could somebody please clarify this, or does anybody have
> >another solution to allow the above setup which will support LAN
> >access to a bridged DMZ?
> It was me that posted that it's possible and I've had my setup working
> since May 2005 when I got my /29.
> The most important thing to ensure is that traffic from LAN to OPT1 is
> not NAT'd.  If you've put a general 'hide' NAT rule on for LAN then
> that's what will have broken it.
> You will need the following rule to NAT LAN traffic but not that which
> goes to WAN / OPT1 networks:
> Interface       Source          Destination     Target
> WAN        !    *
> You do not need to add proxy ARP entries either - so you'd best remove
> those - they may well mess things up, too!
> I will attempt to document my setup as this does crop up from time to
> time.
> HTH,
>                                 Neil.
> --
> Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk

This is strange, because this is exactly what I also did with my setup.
Also, you mention that I need to disable Proxy ARP because this can
cause problems, but if I do so it won't work at all anymore; those
external IPs won't be accessible anymore.

And what do you mean with "If you've put a general 'hide' NAT rule on
for LAN then that's what will have broken it."? I don't quite understand
that line; what is a hide rule?

This Advanced outbound NAT mapping means:

Interface       Source          Destination     Target
WAN        !    *

Please use NAT for source network but don't do NAT when
you speak to right?

Well, in theory this should work if the documentation is right, which
says that a NATed network cannot talk to a bridge, but I don't
understand why it doesn't in my situation.

p.s. I've disabled filtered bridge just to make sure it can't be a
firewall issue.
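The difference between a general 'hide' NAT rule and the negated-destination rule discussed in this thread, as an added illustration that is not part of the original messages. The subnets below are constructed placeholders (the archive stripped the real ones), and the rule model follows the table columns Interface / Source / Destination / Target, with the "!" taken as destination negation.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing, not the addresses from the thread:
# LAN is a private /24, the provider /28 sits on the WAN/OPT1 bridge,
# and the firewall's WAN address is one host inside that /28.
LAN_NET = "10.0.0.0/24"
PROVIDER_NET = "198.51.100.0/28"
WAN_ADDR = "198.51.100.2"


def make_rule(interface, source, destination, target, negate=False):
    """One advanced outbound NAT mapping; negate=True models the '!' before Destination."""
    return {"interface": interface, "source": ip_network(source),
            "destination": ip_network(destination), "target": target,
            "negate": negate}


def matches(rule, src, dst):
    """True if a packet from src to dst hits this mapping."""
    in_src = ip_address(src) in rule["source"]
    in_dst = ip_address(dst) in rule["destination"]
    if rule["negate"]:
        in_dst = not in_dst
    return in_src and in_dst


def outbound_source(rules, src, dst):
    """Source address the packet leaves with: the first matching rule's
    target, or the original address when no mapping applies (no NAT)."""
    for rule in rules:
        if matches(rule, src, dst):
            return rule["target"]
    return src


# The general 'hide' rule: every LAN packet is NATed, including those
# for hosts on the bridged WAN/OPT1 side.
HIDE_RULES = [make_rule("WAN", LAN_NET, "0.0.0.0/0", WAN_ADDR)]

# The rule recommended in the thread: NAT LAN traffic except when the
# destination is the provider /28 (the WAN / OPT1 networks).
FIXED_RULES = [make_rule("WAN", LAN_NET, PROVIDER_NET, WAN_ADDR, negate=True)]

if __name__ == "__main__":
    dmz_host, internet_host = "198.51.100.10", "203.0.113.7"
    for name, rules in (("hide", HIDE_RULES), ("negated", FIXED_RULES)):
        print(name, "LAN->DMZ leaves as", outbound_source(rules, "10.0.0.5", dmz_host))
        print(name, "LAN->Internet leaves as", outbound_source(rules, "10.0.0.5", internet_host))
```

With the hide rule, a LAN packet to a DMZ host leaves with the WAN address as its source, which is the case the FAQ describes as broken for a bridge; with the negated rule it keeps its LAN source while Internet-bound traffic is still NATed.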