On 8/31/06, Neil A. Hillard <m0n0 at dana dot org dot uk> wrote:
> In message
> <1b2623ac0608310825x28d680d7lafec4cd4309f6e36 at mail dot gmail dot com>, Carlo
> Landmeter <clandmeter at gmail dot com> writes
> >I've searched on the list for the following problem which I have.
> >My provider provides me with a subnet of 16ip's for our office to use.
> >i.e. : 126.96.36.199/28
> >My internal LAN is normal 10. private C class network:
> >i.e. : 10.1.1.0/24
> >I have a monowall with 3 interfaces, LAN WAN and OPT1
> >I would like to use the OPT1 interface as a DMZ for some servers that
> >i have running (i.e. SIP Server). Now to easily accomplish this I've
> >bridged the OPT1 and the WAN interface so I don't have to setup 2
> >networks to be able to route OPT1 to WAN. I also turned on Advanced
> >outbound routing to disable NAT for the OPT1 interface and added a
> >rule to enable it for the LAN interface. I also turned on Proxy ARP on
> >for the whole /28 range. Everything seems to work except of course the
> >problem mentioned here http://doc.m0n0.ch/handbook/faq-bridge.html .
> >But while searching the mailing list i also came across the following
> >post http://m0n0.ch/wall/list/showmsg.php?id=263/80 which tells it
> >should work when Advanced outbound routing is enabled.
> >Could somebody please clarify this please, or does anybody have
> >another solution to allow the above setup which will support LAN
> >access to a bridged DMZ?
> It was me that posted that it's possible and I've had my setup working
> since May 2005 when I got my /29.
> The most important thing to ensure is that traffic from LAN to OPT1 is
> not NAT'd. If you've put a general 'hide' NAT rule on for LAN then
> that's what will have broken it.
> You will need the following rule to NAT LAN traffic but not that which
> goes to WAN / OPT1 networks:
> Interface Source Destination Target
> WAN 10.1.1.0/24 ! 188.8.131.52/28 *
> You do not need to add proxy ARP entries either - so you'd best remove
> those - they may well mess things up, too!
> I will attempt to document my setup as this does crop up from time to
> Neil A. Hillard E-Mail: m0n0 at dana dot org dot uk
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
This is strange because this is exactly what I also did with my setup.
Also you mention that I need to disable Proxy ARP because this can
cause problems, but if i do so it won't work at all anymore, those
external IP's won't be accessible anymore.
And what do you mean with "If you've put a general 'hide' NAT rule on
for LAN then
that's what will have broken it."? I don't quite understand that line,
what is a hide rule?
This Advanced outbound nat mapping means:
Interface Source Destination Target
WAN 10.1.1.0/24 ! 184.108.40.206/28 *
Please use NAT for source network 10.1.1.0/24 but don't do NAT when
you speak to 220.127.116.11/28 right?
Well in theory this should work if the documentation is right which
says that natted network cannot talk to a bridge but i don't
understand why it doesn't in my situation.
p.s. I've disabled filtered bridge just to make sure it can't be a