 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Implementation question
 Date:  Mon, 11 Dec 2006 22:58:20 +0000

>I am looking for suggestions on my planned implementation for the following
>network topology...
>I am using m0n0wall to implement a small LAN/DMZ/WAN network, there are 4
>servers within the DMZ segment, which include a MS-Windows server and mail
>server, and there are a number of clients within the LAN segment running
>MS-Windows based operating systems. Users in the LAN/WAN segments will need
>to have access to the DMZ for file/print sharing and mail.
>I have been told that m0n0wall can drop connections when accessing the
>DMZ (OPT1) interface from the LAN interface, and I am looking for
>confirmation if this is the case.

By default m0n0wall is configured to allow LAN access to anything.  You
are free to change / remove that rule if necessary so you are able to
control the access from LAN to OPT if necessary.

>My current thought is to configure the LAN
>segment with m0n0wall handling DHCP and NAT, and configure the DMZ segment
>with a bridge filter.

I assume you mean bridging OPT with WAN.  With your four servers you
will need a minimum of six IP addresses (4 servers, 1 for the firewall
and 1 for the router on WAN).

You will need to enable filtered bridging and advanced NAT (otherwise
you won't be able to access OPT from LAN).  You will then need to ensure
that there is a NAT rule for LAN traffic destined for the WAN.

I have my m0n0wall in that exact configuration and haven't had any
problems.  I also have a number of other OPT interfaces on wireless
networks etc.

You should also bear in mind that you cannot create a bridge with VLAN
interfaces (that's my experience, anyway).
Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
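The reply above says the default LAN rule allows everything and that you can remove or replace it to control LAN-to-OPT access. The following is an added illustration, not code from this thread or from m0n0wall itself: a small first-match rule evaluator (top-down, first match wins, implicit block when nothing matches; that ordering model is an assumption) that shows the difference between the default "LAN to anything" rule and a restricted rule set that only lets LAN hosts reach the DMZ servers for file/print sharing and mail while still allowing LAN to WAN. The LAN and DMZ address ranges and the sample packets are constructed for the example.

```python
"""Model of first-match firewall rule evaluation for a LAN / DMZ (OPT1) / WAN
layout. Constructed example, not m0n0wall's own code or configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port, None means any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Top-down, first matching rule decides; no match means block
    (assumed implicit default deny at the end of the list)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


# Constructed address plan: RFC 1918 LAN behind NAT, a small public block
# (TEST-NET-3 here) on the bridged DMZ, and "anything" for WAN.
LAN = "192.168.1.0/24"
DMZ = "203.0.113.0/29"
ANY = "0.0.0.0/0"

# Equivalent of the default "LAN may access anything" rule.
DEFAULT_LAN_RULES = [Rule("pass", "any", LAN, ANY, None)]

# Restricted set: explicit DMZ services first, a catch-all block for the
# rest of the DMZ, then LAN to everywhere else (i.e. WAN). Order matters:
# the block line must sit above the final pass line or it never fires.
RESTRICTED_LAN_RULES = [
    Rule("pass", "tcp", LAN, DMZ, 445),    # SMB file/print sharing
    Rule("pass", "tcp", LAN, DMZ, 25),     # mail to the DMZ mail server
    Rule("block", "any", LAN, DMZ, None),  # everything else bound for the DMZ
    Rule("pass", "any", LAN, ANY, None),   # LAN to WAN still allowed
]

# Constructed sample traffic from a LAN client.
SAMPLE: Dict[str, Packet] = {
    "smb_to_dmz":  Packet("tcp", "192.168.1.20", "203.0.113.2", 445),
    "smtp_to_dmz": Packet("tcp", "192.168.1.20", "203.0.113.3", 25),
    "rdp_to_dmz":  Packet("tcp", "192.168.1.20", "203.0.113.2", 3389),
    "udp_to_dmz":  Packet("udp", "192.168.1.20", "203.0.113.2", 445),
    "https_to_wan": Packet("tcp", "192.168.1.20", "198.51.100.10", 443),
}


def decide_all(rules: List[Rule]) -> Dict[str, str]:
    """Run every sample packet through a rule set and collect the verdicts."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, rules in (("default", DEFAULT_LAN_RULES),
                         ("restricted", RESTRICTED_LAN_RULES)):
        print(label)
        for name, verdict in decide_all(rules).items():
            print(f"  {name:13s} {verdict}")
```

With the default rule everything from LAN passes, including RDP to the DMZ Windows server; with the restricted set only the two listed TCP services reach the DMZ, UDP to the same port is blocked by the catch-all, and LAN to WAN traffic still passes because the final rule only applies once the DMZ block has not matched.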