Sorry, regarding the Proxy ARP you are right, I don't need it for the
bridged interface. I only seem to need it for NAT 1:1 and Server NAT.
But disabling it does not seem to fix anything.
On 9/1/06, Carlo Landmeter <clandmeter at gmail dot com> wrote:
> On 8/31/06, Neil A. Hillard <m0n0 at dana dot org dot uk> wrote:
> > Hi,
> > In message
> > <1b2623ac0608310825x28d680d7lafec4cd4309f6e36 at mail dot gmail dot com>, Carlo
> > Landmeter <clandmeter at gmail dot com> writes
> > >I've searched on the list for the following problem which I have.
> > >
> > >My provider provides me with a subnet of 16 IPs for our office to use.
> > >i.e. : 22.214.171.124/28
> > >
> > >My internal LAN is a normal 10.x private class C network:
> > >i.e. : 10.1.1.0/24
> > >
> > >I have a monowall with 3 interfaces, LAN, WAN and OPT1.
> > >I would like to use the OPT1 interface as a DMZ for some servers that
> > >I have running (i.e. SIP Server). Now to easily accomplish this I've
> > >bridged the OPT1 and the WAN interface so I don't have to set up 2
> > >networks to be able to route OPT1 to WAN. I also turned on Advanced
> > >outbound routing to disable NAT for the OPT1 interface and added a
> > >rule to enable it for the LAN interface. I also turned on Proxy ARP
> > >for the whole /28 range. Everything seems to work except of course the
> > >problem mentioned here http://doc.m0n0.ch/handbook/faq-bridge.html .
> > >But while searching the mailing list I also came across the following
> > >post http://m0n0.ch/wall/list/showmsg.php?id=263/80 which tells it
> > >should work when Advanced outbound routing is enabled.
> > >
> > >Could somebody please clarify this, or does anybody have
> > >another solution to allow the above setup which will support LAN
> > >access to a bridged DMZ?
> > It was me that posted that it's possible and I've had my setup working
> > since May 2005 when I got my /29.
> > The most important thing to ensure is that traffic from LAN to OPT1 is
> > not NAT'd. If you've put a general 'hide' NAT rule on for LAN then
> > that's what will have broken it.
> > You will need the following rule to NAT LAN traffic but not that which
> > goes to WAN / OPT1 networks:
> > Interface   Source        Destination          Target
> > WAN         10.1.1.0/24   ! 126.96.36.199/28   *
> > You do not need to add proxy ARP entries either - so you'd best remove
> > those - they may well mess things up, too!
> > I will attempt to document my setup as this does crop up from time to
> > time.
> > HTH,
> > Neil.
> > --
> > Neil A. Hillard E-Mail: m0n0 at dana dot org dot uk
> This is strange because this is exactly what I also did with my setup.
> Also you mention that I need to disable Proxy ARP because this can
> cause problems, but if I do so it won't work at all anymore, those
> external IPs won't be accessible anymore.
> And what do you mean with "If you've put a general 'hide' NAT rule on
> for LAN then that's what will have broken it."? I don't quite
> understand that line, what is a hide rule?
> This Advanced outbound nat mapping means:
> Interface   Source        Destination         Target
> WAN         10.1.1.0/24   ! 188.8.131.52/28   *
> Please use NAT for source network 10.1.1.0/24 but don't do NAT when
> you speak to 184.108.40.206/28 right?
> Well in theory this should work if the documentation is right which
> says that a natted network cannot talk to a bridge, but I don't
> understand why it doesn't in my situation.
> p.s. I've disabled filtered bridge just to make sure it can't be a
> firewall issue.