 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Bridged OPT1 with WAN and advanced outbound routing.
 Date:  Sun, 3 Sep 2006 12:16:12 +0100
Hi,

In message
<1b2623ac0609010706y31370898xa8bcefd708822a80 at mail dot gmail dot com>, Carlo
Landmeter <clandmeter at gmail dot com> writes
>Sorry, regarding the Proxy ARP you are right, I don't need it for the
>bridged interface. I only seem to need it for NAT 1:1 and Server NAT.
>But disabling it does not seem to fix anything.

Hmm...  I don't understand.  Mine's been working fine for ages and I
didn't have any problems setting it up!

If you can, try resetting to 'Factory Defaults', then:

o Change the IP address on WAN and LAN to match your network

o Bridge OPT1 to WAN

o Enable Filtering Bridge

o Enable Advanced NAT and add only the following rule:

        Interface:      WAN
        Source:         10.1.1.0/24
        Destination:    NOT
                        Network
                        1.2.3.0/28
        Target:         <blank>
        Portmap:        <unticked>
        Description:    LAN to WAN hide rule

That should be all you need.  I haven't tried it from factory defaults
myself as my box is up and running; with a mail server, web server and
Asterisk box behind it, I can't easily take it down.

If you still have problems I'll get one of my test boxes out and attempt
to configure it up, from scratch, and document it at the same time.


                                Neil.

>On 9/1/06, Carlo Landmeter <clandmeter at gmail dot com> wrote:
>> On 8/31/06, Neil A. Hillard <m0n0 at dana dot org dot uk> wrote:
>> > Hi,
>> >
>> > In message
>> > <1b2623ac0608310825x28d680d7lafec4cd4309f6e36 at mail dot gmail dot com>, Carlo
>> > Landmeter <clandmeter at gmail dot com> writes
>> > >I've searched on the list for the following problem which I have.
>> > >
>> > >My provider provides me with a subnet of 16 IPs for our office to use,
>> > >i.e. : 1.2.3.0/28
>> > >
>> > >My internal LAN is a normal 10. private class C network,
>> > >i.e. : 10.1.1.0/24
>> > >
>> > >I have a monowall with 3 interfaces: LAN, WAN and OPT1.
>> > >I would like to use the OPT1 interface as a DMZ for some servers that
>> > >I have running (i.e. SIP Server). Now to easily accomplish this I've
>> > >bridged the OPT1 and the WAN interface so I don't have to set up 2
>> > >networks to be able to route OPT1 to WAN. I also turned on Advanced
>> > >outbound routing to disable NAT for the OPT1 interface and added a
>> > >rule to enable it for the LAN interface. I also turned on Proxy ARP
>> > >for the whole /28 range. Everything seems to work except of course the
>> > >problem mentioned here http://doc.m0n0.ch/handbook/faq-bridge.html .
>> > >But while searching the mailing list I also came across the following
>> > >post http://m0n0.ch/wall/list/showmsg.php?id=263/80 which says it
>> > >should work when Advanced outbound routing is enabled.
>> > >
>> > >Could somebody please clarify this, or does anybody have
>> > >another solution to allow the above setup which will support LAN
>> > >access to a bridged DMZ?
>> >
>> > It was me that posted that it's possible and I've had my setup working
>> > since May 2005 when I got my /29.
>> >
>> > The most important thing to ensure is that traffic from LAN to OPT1 is
>> > not NAT'd.  If you've put a general 'hide' NAT rule on for LAN then
>> > that's what will have broken it.
>> >
>> > You will need the following rule to NAT LAN traffic but not that which
>> > goes to WAN / OPT1 networks:
>> >
>> > Interface       Source          Destination     Target
>> > WAN             10.1.1.0/24     ! 1.2.3.0/28    *
>> >
>> > You do not need to add proxy ARP entries either - so you'd best remove
>> > those - they may well mess things up, too!
>> >
>> > I will attempt to document my setup as this does crop up from time to
>> > time.
>> >
>> > HTH,
>> >
>> >
>> >                                 Neil.
>> >
>> > --
>> > Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
>> >
>> >
>>
>>
>>
>> This is strange because this is exactly what I also did with my setup.
>> Also you mention that I need to disable Proxy ARP because this can
>> cause problems, but if I do so it won't work at all anymore; those
>> external IPs won't be accessible anymore.
>>
>> And what do you mean by "If you've put a general 'hide' NAT rule on
>> for LAN then that's what will have broken it."? I don't quite
>> understand that line; what is a hide rule?
>>
>> This Advanced outbound nat mapping means:
>>
>> Interface       Source          Destination     Target
>> WAN             10.1.1.0/24     ! 1.2.3.0/28    *
>>
>> Please use NAT for source network 10.1.1.0/24 but don't do NAT when
>> you speak to 1.2.3.0/28, right?
>>
>> Well, in theory this should work if the documentation is right, which
>> says that a NATed network cannot talk to a bridge, but I don't
>> understand why it doesn't in my situation.
>>
>> p.s. I've disabled filtered bridge just to make sure it can't be a
>> firewall issue.
>>
>> br,
>>
>> Carlo
>>

-- 
Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
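As an added illustration (not part of the thread or of m0n0wall's code), the following Python models the NAT decision the two rule sets above produce: Neil's hide rule with "Destination: NOT 1.2.3.0/28" leaves LAN-to-DMZ traffic un-NATed, while a general hide rule (destination any) NATs it, which is the case the bridging FAQ describes as not working. The WAN address 1.2.3.1 and the test addresses are constructed values, and the interface-address target is an assumption about what a blank "Target" means.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed values: the firewall's WAN address is used as the NAT
# target when the rule's "Target" field is left blank.
WAN_ADDR = IPv4Address("1.2.3.1")
LAN_NET = IPv4Network("10.1.1.0/24")
DMZ_NET = IPv4Network("1.2.3.0/28")      # the bridged /28 from the thread
ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class OutboundNatRule:
    """One advanced outbound NAT rule, as in the m0n0wall form."""
    interface: str
    source: IPv4Network
    destination: IPv4Network             # 0.0.0.0/0 stands for "any"
    negate_destination: bool             # the "NOT" checkbox
    target: Optional[IPv4Address] = None  # blank -> interface address

    def matches(self, iface: str, src: IPv4Address, dst: IPv4Address) -> bool:
        if iface != self.interface or src not in self.source:
            return False
        in_dst = dst in self.destination
        return (not in_dst) if self.negate_destination else in_dst


def nat_source(rules: List[OutboundNatRule], iface: str,
               src: IPv4Address, dst: IPv4Address) -> IPv4Address:
    """Translated source for the first matching rule; unchanged if none
    matches (the packet leaves with its private address intact)."""
    for rule in rules:
        if rule.matches(iface, src, dst):
            return rule.target or WAN_ADDR
    return src


def decide(rules: List[OutboundNatRule], iface: str, src: str, dst: str) -> str:
    """String wrapper around nat_source for easy checking."""
    return str(nat_source(rules, iface, ip_address(src), ip_address(dst)))


# Neil's rule: NAT LAN to everywhere except the bridged /28.
HIDE_RULE = [OutboundNatRule("WAN", LAN_NET, DMZ_NET, negate_destination=True)]
# The "general hide rule" that breaks LAN access to the bridged DMZ.
GENERAL_HIDE = [OutboundNatRule("WAN", LAN_NET, ANY, negate_destination=False)]

if __name__ == "__main__":
    for name, rules in (("hide rule", HIDE_RULE), ("general hide", GENERAL_HIDE)):
        print(name, "LAN->Internet:", decide(rules, "WAN", "10.1.1.20", "198.51.100.7"))
        print(name, "LAN->DMZ     :", decide(rules, "WAN", "10.1.1.20", "1.2.3.5"))
```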