Hi Zach,

On Thu, 31 Jul 2003, Zach Lowry wrote:

> I have 1:1 nat set up with 3 external IPs going to internal hosts on
> my Lan. When other machines on my Lan try to access these external
> IPs, they get denied. Of course, they can access the internal IPs
> just fine, but that makes like difficult since I'm running name-based
> Virtual Hosts on Apache.

Well, that's a known limitation in ipfilter/ipnat and has been discussed
on this list before; basically, a packet can't "loop through" the WAN
interface. BTW, many commercial firewalls have this limitation, too, so I
don't think it's so serious. You can circumvent the problem at least in
part by adding entries for the internal IPs to the DNS forwarder on
m0n0wall and using the m0n0wall LAN IP as the DNS server for all your LAN
hosts.

> Also, I have a 4521, so I don't have another interface to be a DMZ.
> Is there a way to make the DMZ a different subnet on the lan
> interface, or would that have too serious of security problems? Is

It would render most of the security offered by a DMZ useless...

> there a suggested PCMCIA card to buy to add an additional interface
> to the 4521?

Not really; you'd have to compile a custom kernel to support it anyway (or
maybe use the generic-pc image).

HTH,

Manuel