 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Zach Lowry <zach at zachlowry dot net>
 Cc:  M0n0wall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] 1:1 Nat
 Date:  Thu, 31 Jul 2003 22:18:51 +0200 (CEST)
Hi Zach,

On Thu, 31 Jul 2003, Zach Lowry wrote:

> I have 1:1 nat set up with 3 external IPs going to internal hosts on
> my Lan. When other machines on my Lan try to access these external
> IPs, they get denied. Of course, they can access the internal IPs
> just fine, but that makes life difficult since I'm running name-based
> Virtual Hosts on Apache.

Well, that's a known limitation in ipfilter/ipnat and has been discussed
on this list before; basically, a packet can't "loop through" the WAN
interface. BTW, many commercial firewalls have this limitation, too, so I
don't think it's so serious. You can circumvent the problem at least in
part by adding entries for the internal IPs to the DNS forwarder on
m0n0wall and using the m0n0wall LAN IP as the DNS server for all your LAN

> Also, I have a 4521, so I don't have another interface to be a DMZ.
> Is there a way to make the DMZ a different subnet on the lan
> interface, or would that have too serious of security problems? Is

It would render most of the security offered by a DMZ useless...

> there a suggested PCMCIA card to buy to add an additional interface
> to the 4521?

Not really; you'd have to compile a custom kernel to support it anyway (or
maybe use the generic-pc image).
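The workaround described in the reply (serve LAN clients the internal addresses from the DNS forwarder so they never try to "loop through" the WAN interface) is essentially split-horizon DNS. The following is an added example, not code from the message or from m0n0wall: a minimal resolver that derives the forwarder host overrides from the 1:1 NAT table and answers A queries with the internal address when the client is on the LAN and the public address otherwise. The host names, the 203.0.113.x public addresses, the 192.168.1.x internal addresses and the LAN prefix are constructed sample values; the wire-format helpers build and parse plain RFC 1035 messages so the behaviour can be checked without a network.

```python
"""Split-horizon DNS as a workaround for the 1:1 NAT hairpin limitation (added example)."""
import socket
import struct

# Constructed sample data (not from the list message): three 1:1 NAT mappings,
# public IP -> internal host, and the names used by the Apache name-based vhosts.
NAT_1TO1 = {
    "203.0.113.10": "192.168.1.10",
    "203.0.113.11": "192.168.1.11",
    "203.0.113.12": "192.168.1.12",
}
PUBLIC_DNS = {  # what the outside world resolves
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.11",
    "shop.example.com": "203.0.113.12",
}
LAN_PREFIX = "192.168.1."  # assumed LAN subnet for the example


def lan_overrides(public_dns, nat):
    """Derive the forwarder host overrides: same names, internal addresses."""
    return {name: nat[ip] for name, ip in public_dns.items() if ip in nat}


def resolve(name, client_ip):
    """Answer depends on who asks: LAN clients get the internal address,
    everyone else gets the public one (None if the name is unknown)."""
    if client_ip.startswith(LAN_PREFIX):
        return lan_overrides(PUBLIC_DNS, NAT_1TO1).get(name) or PUBLIC_DNS.get(name)
    return PUBLIC_DNS.get(name)


def build_query(name, txid=0x1234):
    """Encode a standard A/IN query for name (RD set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(msg, off):
    """Decode an uncompressed label sequence starting at off; return (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels), off


def answer(query, client_ip):
    """Build the response to a query as the forwarder would, given the client's IP."""
    txid = struct.unpack("!H", query[:2])[0]
    name, off = parse_qname(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[off:off + 4])
    ip = resolve(name, client_ip) if qtype == 1 else None
    rcode = 0 if ip else 3  # 3 = NXDOMAIN
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1 if ip else 0, 0, 0)
    resp = header + query[12:off + 4]  # echo the question section
    if ip:
        # NAME as a compression pointer to offset 12, TYPE A, CLASS IN, TTL 60, RDLENGTH 4
        resp += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(ip)
    return resp


def answered_ip(resp):
    """Extract the A record from a single-answer response built by answer()."""
    ancount = struct.unpack("!H", resp[6:8])[0]
    if ancount == 0:
        return None
    return socket.inet_ntoa(resp[-4:])


if __name__ == "__main__":
    print("overrides to enter in the forwarder:", lan_overrides(PUBLIC_DNS, NAT_1TO1))
    q = build_query("www.example.com")
    print("LAN client sees:", answered_ip(answer(q, "192.168.1.50")))
    print("outside client sees:", answered_ip(answer(q, "198.51.100.7")))
```

The `lan_overrides` table is the practical output: it is exactly the list of name/internal-address pairs to enter as host overrides in the forwarder, after which the LAN clients' resolver must point at the m0n0wall LAN IP, as the reply says. Note that this only helps clients that reach the servers by name; anything hard-wired to the public IPs still hits the hairpin limitation.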