 
 From:  Christiaens Joachim <jchristi at oce dot be>
 To:  "'Thomas Biedorf'" <tom at startmovie dot net>, m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] How to route "real" IPs from WAN to DMZ?
 Date:  Tue, 22 Jul 2003 15:39:15 +0200
Well, the router doesn't really push the packets to the m0n0wall, because it
assumes the servers live on the local subnet (no need to push the traffic
through a gateway/router then)...
The router seeks the servers and doesn't get a reply on the local subnet, so
the traffic never reaches the m0n0wall (not in a form so m0n0wall sees it as
meant for it)...

You *NEED* to change the default gateway of your servers to the m0n0-DMZ
address (because they cannot reach the ISP router directly), but that won't
be enough, I'm sorry... :-(

Do you have many servers running? Otherwise, changing the IPs isn't that
much work, because they will still be reachable on their public (current)
addresses too! (so no DNS trouble etc...)

The other alternative is putting the interfaces in bridge. This way they
will both have the same IP and forward the traffic just like you explain you
want it. But you lose the firewalling capability of m0n0wall that way, and
that does not make much sense anymore ;-)

I know it can be done, but not yet in m0n0wall, maybe there are some FreeBSD
gurus who want to write a little patch and contribute it (so Manuel can add
it in between his military service and other work :-)

Greets,
Joachim

-----Original Message-----
From: Thomas Biedorf [mailto:tom at startmovie dot net]
Sent: Tuesday 22 July 2003 15:16
To: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] How to route "real" IPs from WAN to DMZ?


Christiaens Joachim wrote:

> For EXAMPLE, use a 1.1.1.0/27 subnet on your WAN side
> - 1.1.1.1/27 for your ISP's router
> - 1.1.1.2/27 for your m0n0-WAN
> - (1.1.1.0 = network addr, 1.1.1.31 = broadcast)
>
> and use a 1.1.1.32/27 subnet for your DMZ
> - 1.1.1.33/27 for your m0n0-DMZ
> - 1.1.1.34/27 - 1.1.1.62/27 for your servers
> - (1.1.1.32 = network addr, 1.1.1.63 = broadcast)
>
> you'll have to redefine your routes in the ISP's router for it to work,
> because it needs to push traffic for the DMZ-servers to the m0n0wall,
> on the other subnet...

Ok, I understand. But I don't have the possibility to change the
routing tables on the ISP's router :-(
The router is connected directly to the WAN interface of m0n0wall.
Isn't there any chance to do it?
And the heck, no, I don't want to redefine all IPs of our servers to do
a NAT. ;-)

What I don't get is: The ISP router serves all IPs to m0n0wall. Why
can't m0n0wall decide where to route the remaining IPs (since m0n0wall
needs two of them)? Would it work if I define the m0n0wall IP of the
DMZ on our servers as a gateway?
Maybe there are some more ideas out there? Ok, I am not really an
IP-guru, please forgive my ignorance!

BTW: Thanks Christiaens!

Kind regards,
Thomas
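The forwarding decision Joachim describes, as an added example that is not part of the thread: a small model of the ISP router's longest-prefix lookup shows that with a flat subnet (assumed here to be 1.1.1.0/26, a constructed value) the router treats the DMZ servers as on-link neighbours and ARPs for them, so m0n0wall never sees the packet, while with the two /27s plus a static route the router hands the DMZ block to m0n0wall's WAN address 1.1.1.2. All addresses are the thread's 1.1.1.x placeholders; `next_hop` and `server_reachable_via_firewall` are hypothetical helper names.

```python
from ipaddress import ip_address, ip_interface, ip_network

def next_hop(router_if, routes, dst):
    """Model a router's forwarding decision for one destination.

    router_if: the router's own interface, e.g. "1.1.1.1/27"
    routes:    list of (prefix, gateway) static routes
    dst:       destination address as a string
    Returns ("on-link", dst) when the router ARPs for dst itself (no
    firewall in the path), ("via", gw) for the longest matching static
    route, or ("unreachable", None) when nothing matches.
    """
    iface = ip_interface(router_if)
    target = ip_address(dst)
    # The connected subnet always wins: the router ARPs directly and never
    # consults its static routes for this destination.
    if target in iface.network:
        return ("on-link", str(target))
    best = None
    for prefix, gw in routes:
        net = ip_network(prefix)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return ("unreachable", None)
    return ("via", best[1])

# Situation 1 (Thomas's setup, constructed /26): router and servers share one
# subnet. The router ARPs for 1.1.1.34 and gets no answer, because the server
# really sits behind m0n0wall's DMZ port.
FLAT_ROUTER_IF = "1.1.1.1/26"

# Situation 2 (Joachim's proposal): two /27s, plus a static route on the ISP
# router pointing the DMZ block at m0n0wall's WAN address.
SPLIT_ROUTER_IF = "1.1.1.1/27"
SPLIT_ROUTES = [("1.1.1.32/27", "1.1.1.2")]

def server_reachable_via_firewall(router_if, routes, server):
    """True only if the router forwards to m0n0wall (1.1.1.2) instead of ARPing."""
    return next_hop(router_if, routes, server) == ("via", "1.1.1.2")

if __name__ == "__main__":
    for label, rif, routes in (("flat /26", FLAT_ROUTER_IF, []),
                               ("split /27", SPLIT_ROUTER_IF, SPLIT_ROUTES)):
        print(label, next_hop(rif, routes, "1.1.1.34"))
```

Running it prints `on-link` for the flat case and `via 1.1.1.2` for the split case, which is exactly why the servers' default gateway alone is not enough without the route change on the ISP side.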

