On Thu, 31 Jul 2003, Zach Lowry wrote:
> I have 1:1 nat set up with 3 external IPs going to internal hosts on
> my LAN. When other machines on my LAN try to access these external
> IPs, they get denied. Of course, they can access the internal IPs
> just fine, but that makes life difficult since I'm running name-based
> Virtual Hosts on Apache.
Well, that's a known limitation in ipfilter/ipnat and has been discussed
on this list before; basically, a packet can't "loop through" the WAN
interface. BTW, many commercial firewalls have this limitation, too, so I
don't think it's so serious. You can circumvent the problem at least in
m0n0wall and using the m0n0wall LAN IP as the DNS server for all your LAN
> Also, I have a 4521, so I don't have another interface to be a DMZ.
> Is there a way to make the DMZ a different subnet on the lan
> interface, or would that have too serious of security problems?
It would render most of the security offered by a DMZ useless...
> Is there a suggested PCMCIA card to buy to add an additional interface
> to the 4521?
Not really; you'd have to compile a custom kernel to support it anyway (or
maybe use the generic-pc image).