 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Zach Lowry <zach at zachlowry dot net>
 Cc:  M0n0wall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] 1:1 Nat
 Date:  Thu, 31 Jul 2003 22:18:51 +0200 (CEST)
Hi Zach,

On Thu, 31 Jul 2003, Zach Lowry wrote:

> I have 1:1 nat set up with 3 external IPs going to internal hosts on
> my Lan. When other machines on my Lan try to access these external
> IPs, they get denied. Of course, they can access the internal IPs
> just fine, but that makes life difficult since I'm running name-based
> Virtual Hosts on Apache.

Well, that's a known limitation in ipfilter/ipnat and has been discussed
on this list before; basically, a packet can't "loop through" the WAN
interface. BTW, many commercial firewalls have this limitation, too, so I
don't think it's so serious. You can circumvent the problem at least in

m0n0wall and using the m0n0wall LAN IP as the DNS server for all your LAN

> Also, I have a 4521, so I don't have another interface to be a DMZ.
> Is there a way to make the DMZ a different subnet on the lan
> interface, or would that have too serious of security problems? Is

It would render most of the security offered by a DMZ useless...

> there a suggested PCMCIA card to buy to add an additional interface
> to the 4521?

Not really; you'd have to compile a custom kernel to support it anyway (or
maybe use the generic-pc image).