On 8/31/06, Neil A. Hillard <m0n0 at dana dot org dot uk> wrote:
> Hi,
>
> In message
> <1b2623ac0608310825x28d680d7lafec4cd4309f6e36 at mail dot gmail dot com>, Carlo
> Landmeter <clandmeter at gmail dot com> writes
> >I've searched on the list for the following problem which I have.
> >
> >My provider provides me with a subnet of 16 IPs for our office to use,
> >i.e. 1.2.3.0/28.
> >
> >My internal LAN is a normal 10. private class C network,
> >i.e. 10.1.1.0/24.
> >
> >I have a m0n0wall with 3 interfaces: LAN, WAN and OPT1.
> >I would like to use the OPT1 interface as a DMZ for some servers that
> >I have running (i.e. a SIP server). Now, to easily accomplish this I've
> >bridged the OPT1 and the WAN interface so I don't have to set up 2
> >networks to be able to route OPT1 to WAN. I also turned on Advanced
> >outbound routing to disable NAT for the OPT1 interface and added a
> >rule to enable it for the LAN interface. I also turned on Proxy ARP
> >for the whole /28 range. Everything seems to work except of course the
> >problem mentioned here: http://doc.m0n0.ch/handbook/faq-bridge.html
> >But while searching the mailing list I also came across the following
> >post, http://m0n0.ch/wall/list/showmsg.php?id=263/80, which tells it
> >should work when Advanced outbound routing is enabled.
> >
> >Could somebody please clarify this, or does anybody have
> >another solution to allow the above setup which will support LAN
> >access to a bridged DMZ?
>
> It was me that posted that it's possible and I've had my setup working
> since May 2005 when I got my /29.
>
> The most important thing to ensure is that traffic from LAN to OPT1 is
> not NAT'd. If you've put a general 'hide' NAT rule on for LAN then
> that's what will have broken it.
>
> You will need the following rule to NAT LAN traffic but not that which
> goes to WAN / OPT1 networks:
>
> Interface   Source        Destination    Target
> WAN         10.1.1.0/24   ! 1.2.3.0/28   *
>
> You do not need to add proxy ARP entries either - so you'd best remove
> those - they may well mess things up, too!
>
> I will attempt to document my setup as this does crop up from time to
> time.
>
> HTH,
>
> Neil.
>
> --
> Neil A. Hillard                E-Mail: m0n0 at dana dot org dot uk

This is strange because this is exactly what I also did with my setup.
Also you mention that I need to disable Proxy ARP because this can cause
problems, but if I do so it won't work at all anymore; those external IPs
won't be accessible anymore. And what do you mean with "If you've put a
general 'hide' NAT rule on for LAN then that's what will have broken it."?
I don't quite understand that line, what is a hide rule?

This Advanced outbound NAT mapping means:

Interface   Source        Destination    Target
WAN         10.1.1.0/24   ! 1.2.3.0/28   *

Please use NAT for source network 10.1.1.0/24 but don't do NAT when you
speak to 1.2.3.0/28, right?

Well, in theory this should work if the documentation is right which says
that a NATted network cannot talk to a bridge, but I don't understand why
it doesn't in my situation.

p.s. I've disabled filtered bridge just to make sure it can't be a
firewall issue.

br,
Carlo
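The difference between the two rules discussed in this thread (a general 'hide' rule for LAN versus the rule with the negated destination) comes down to which flows get NATed. The following is an added illustration, not code from the thread or from m0n0wall: it models first-match outbound NAT evaluation with the constructed rule tuple format shown, and the hosts 10.1.1.5, 1.2.3.4 and 203.0.113.9 are invented sample addresses.

```python
import ipaddress

# Networks quoted in the thread: the office LAN and the provider's /28,
# which is bridged across WAN and OPT1.
LAN = ipaddress.ip_network("10.1.1.0/24")
DMZ = ipaddress.ip_network("1.2.3.0/28")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rule tuple (assumed format for this example, not m0n0wall's config):
#   (interface, source network, destination network, negate destination)
# Neil's rule: NAT LAN traffic except when it goes to 1.2.3.0/28.
NEIL_RULES = [("WAN", LAN, DMZ, True)]
# A general 'hide' rule: NAT everything from LAN, whatever the destination.
HIDE_RULES = [("WAN", LAN, ANY, False)]


def dest_matches(dst, net, negate):
    """True when dst satisfies the rule's destination field.

    The '!' in the rule table flips the membership test, so '! 1.2.3.0/28'
    matches every destination that is NOT inside the /28.
    """
    inside = ipaddress.ip_address(dst) in net
    return (not inside) if negate else inside


def outbound_action(rules, src, dst):
    """First-match evaluation: 'nat' if a rule matches, otherwise 'no-nat'.

    With advanced outbound NAT enabled, traffic that matches no rule leaves
    the box with its original source address.
    """
    s = ipaddress.ip_address(src)
    for _iface, snet, dnet, negate in rules:
        if s in snet and dest_matches(dst, dnet, negate):
            return "nat"
    return "no-nat"


def compare(src, dst):
    """Show what each rule set does to one LAN-originated flow."""
    return {"neil": outbound_action(NEIL_RULES, src, dst),
            "hide": outbound_action(HIDE_RULES, src, dst)}


if __name__ == "__main__":
    # LAN host talking to a DMZ server on the bridged /28, then to the Internet.
    print("LAN -> DMZ     ", compare("10.1.1.5", "1.2.3.4"))
    print("LAN -> Internet", compare("10.1.1.5", "203.0.113.9"))
```

The 'hide' rule NATs the LAN-to-DMZ flow as well, which is the condition Neil says breaks LAN access to the bridged segment; the negated rule leaves that flow untouched while still NATing LAN traffic bound for the Internet.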