Can somebody please explain to me the m0n0wall internal model in case
the DMZ is bridged with the WAN? I'm obviously missing something.
Let me show you what I have in terms of how I understand it (and I think
there's probably an error in my understanding, so please point it out to
WAN interface sits in net 123.34.1/24, bridged with DMZ interface. I'
moving servers from the WAN to the DMZ (to subject them to the DMZ
filtering rules for outgoing and the WAN filtering rules for incoming
connections; that part works fine!).
LAN is 192.168.1/24 (straightforward NAT into 123.45.1/24, where the
m0n0wall sits on 184.108.40.206).
Firewall rules for all interfaces (DMZ, LAN, and WAN) essentially allow
all traffic to the entire 123.45.1/24 net.
I always imagined that as follows (and the model worked until I tried to
access services in the DMZ):
Now if I have a server 220.127.116.11 and I put it in the WAN I can connect
to it from both LAN and DMZ fine, but as soon as I put it in the DMZ I
cannot connect to it from the LAN anymore. Connecting from WAN is, as
expected, no problem.
Apparently there is not really a single 123.45.1/24 with a filtering
bridge in the middle, because, while the bridge behaves as expected,
there's something odd with the way 18.104.22.168 (with the LAN netted
behind it) sits in that network. That part behaves asymmetrically
towards DMZ and WAN.
What's the real story?