 From:  "Carlo Landmeter" <clandmeter at gmail dot com>
 To:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Bridged OPT1 with WAN and advanced outbound routing.
 Date:  Fri, 1 Sep 2006 16:06:02 +0200
Sorry, regarding the Proxy ARP you are right, I don't need it for the
bridged interface. I only seem to need it for NAT 1:1 and Server NAT.
But disabling it does not seem to fix anything.

Carlo



On 9/1/06, Carlo Landmeter <clandmeter at gmail dot com> wrote:
> On 8/31/06, Neil A. Hillard <m0n0 at dana dot org dot uk> wrote:
> > Hi,
> >
> > In message
> > <1b2623ac0608310825x28d680d7lafec4cd4309f6e36 at mail dot gmail dot com>, Carlo
> > Landmeter <clandmeter at gmail dot com> writes
> > >I've searched on the list for the following problem which I have.
> > >
> > >My provider provides me with a subnet of 16 IPs for our office to use.
> > >i.e. : 1.2.3.0/28
> > >
> > >My internal LAN is a normal 10. private class C network:
> > >i.e. : 10.1.1.0/24
> > >
> > >I have a monowall with 3 interfaces, LAN WAN and OPT1
> > >I would like to use the OPT1 interface as a DMZ for some servers that
> > >I have running (i.e. SIP Server). Now to easily accomplish this I've
> > >bridged the OPT1 and the WAN interface so I don't have to setup 2
> > >networks to be able to route OPT1 to WAN. I also turned on Advanced
> > >outbound routing to disable NAT for the OPT1 interface and added a
> > >rule to enable it for the LAN interface. I also turned on Proxy ARP
> > >for the whole /28 range. Everything seems to work except of course the
> > >problem mentioned here http://doc.m0n0.ch/handbook/faq-bridge.html .
> > >But while searching the mailing list I also came across the following
> > >post http://m0n0.ch/wall/list/showmsg.php?id=263/80 which tells it
> > >should work when Advanced outbound routing is enabled.
> > >
> > >Could somebody please clarify this, or does anybody have
> > >another solution to allow the above setup which will support LAN
> > >access to a bridged DMZ?
> >
> > It was me that posted that it's possible and I've had my setup working
> > since May 2005 when I got my /29.
> >
> > The most important thing to ensure is that traffic from LAN to OPT1 is
> > not NAT'd.  If you've put a general 'hide' NAT rule on for LAN then
> > that's what will have broken it.
> >
> > You will need the following rule to NAT LAN traffic but not that which
> > goes to WAN / OPT1 networks:
> >
> > Interface       Source          Destination     Target
> > WAN             10.1.1.0/24     ! 1.2.3.0/28    *
> >
> > You do not need to add proxy ARP entries either - so you'd best remove
> > those - they may well mess things up, too!
> >
> > I will attempt to document my setup as this does crop up from time to
> > time.
> >
> > HTH,
> >
> >
> >                                 Neil.
> >
> > --
> > Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> >
> >
>
>
>
> This is strange because this is exactly what I also did with my setup.
> Also you mention that I need to disable Proxy ARP because this can
> cause problems, but if I do so it won't work at all anymore, those
> external IPs won't be accessible anymore.
>
> And what do you mean with "If you've put a general 'hide' NAT rule on
> for LAN then that's what will have broken it."? I don't quite understand
> that line, what is a hide rule?
>
> This Advanced outbound NAT mapping means:
>
> Interface       Source          Destination     Target
> WAN             10.1.1.0/24     ! 1.2.3.0/28    *
>
> Please use NAT for source network 10.1.1.0/24 but don't do NAT when
> you speak to 1.2.3.0/28, right?
>
> Well in theory this should work if the documentation is right, which
> says that a NATed network cannot talk to a bridge, but I don't
> understand why it doesn't in my situation.
>
> p.s. I've disabled filtered bridge just to make sure it can't be a
> firewall issue.
>
> br,
>
> Carlo
>
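As an added illustration, not code from this thread or from m0n0wall itself, the following Python models first-match evaluation of the advanced outbound NAT table, so the difference between a general 'hide' rule for LAN and the negated-destination rule Neil posted can be checked for the flows discussed above. The host addresses are constructed; the /24 and /28 are the ones from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class NatRule:
    """One advanced outbound NAT mapping, one row of the table in the thread."""
    interface: str
    source: str                       # CIDR the packet's source must fall in
    destination: str                  # CIDR or "*" (any destination)
    negate_destination: bool = False  # the "!" in the Destination column


def rule_matches(rule: NatRule, src: str, dst: str) -> bool:
    """True when the packet src -> dst is covered by this mapping."""
    if ip_address(src) not in ip_network(rule.source):
        return False
    if rule.destination == "*":
        return True
    in_dst = ip_address(dst) in ip_network(rule.destination)
    return not in_dst if rule.negate_destination else in_dst


def nat_applied(rules: list, src: str, dst: str) -> Optional[NatRule]:
    """First-match walk of the outbound NAT table (simplified model).

    Returns the rule that will translate the packet, or None when the
    packet leaves untranslated, which is what LAN -> bridged DMZ needs.
    """
    for rule in rules:
        if rule_matches(rule, src, dst):
            return rule
    return None


# Constructed hosts: LAN is 10.1.1.0/24, the public block is 1.2.3.0/28.
LAN_HOST = "10.1.1.50"      # workstation on LAN
DMZ_SIP = "1.2.3.5"         # SIP server on the bridged OPT1 segment
INTERNET = "198.51.100.10"  # some external host

# A general 'hide' rule: every LAN packet leaving via WAN gets NATed.
HIDE_ALL = [NatRule("WAN", "10.1.1.0/24", "*")]
# The rule from the thread: NAT LAN traffic except when bound for the /28.
EXCLUDE_DMZ = [NatRule("WAN", "10.1.1.0/24", "1.2.3.0/28", negate_destination=True)]


def lan_to_dmz_is_translated(rules: list) -> bool:
    """True when LAN -> DMZ packets would be NATed, i.e. the setup the FAQ says breaks."""
    return nat_applied(rules, LAN_HOST, DMZ_SIP) is not None
```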