[ previous ] [ next ] [ threads ]
 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Cc:  Tom Yerex <tomyerex at gmail dot com>
 Subject:  Re: [m0n0wall] Implementation question
 Date:  Tue, 12 Dec 2006 22:44:58 +0000

>Thank you for responding, I appreciate your time. VLANs are in common
>use here, what happened when you tried to create a bride with VLAN

Basically it plain and simple didn't work!  Everything appeared to be OK
but packets weren't being forwarded to the bridged interface.  The only
way to resolve it was to have both interfaces in the bridge on physical

I now have three physical interfaces in my firewall - WAN, OPT1 and the
third with VLAN tagging running LAN and several OPT interfaces.  They
are all connected to the same switch so WAN and OPT1 are then placed on
their own VLANs.

It was a pain as I was hoping to get away with a single interface, but
thankfully I have enough switch ports free to be able to do this.  It's
been working for quite a while with no problems.



>On 12/11/06, Neil A. Hillard <m0n0 at dana dot org dot uk> wrote:
>  Hi,
>  >I am looking for suggestions on my planned implementation for the
>  following
>  >network topology...
>  >
>  >I am using m0n0wall to implement a small LAN/DMZ/WAN network, there
>  are 4
>  >servers within the DMZ segment, which include a MS-Windows server
>  and mail
>  >server, and there are a number of clients within the LAN segment
>  running
>  >MS-Windows based operating systems. Users in the LAN/WAN segments
>  will need
>  >to have access to the DMZ for file/print sharing and mail.
>  >
>  >I have been told that m0n0wall can drop connections when accessing
>  the
>  >DMZ(OPT1) interface from the LAN interface, and I am looking for
>  >confirmation if this is the case.
>  By default m0n0wall is configured to allow LAN access to anything.  
>  You
>  are free to change / remove that rule if necessary so you are able
>  to
>  control the access from LAN to OPT if necessary.
>  >My current thought is to configure the LAN
>  >segment with m0n0wall handling DHCP and NAT, and configure the DMZ
>  segment
>  >with a bridge filter.
>  I assume you mean bridging OPT with WAN.  With your four servers you
>  will need a minimum of six IP addresses (4 servers, 1 for the
>  firewall
>  and 1 for the router on WAN).
>  You will need to enable filtered bridging and advanced NAT
>  (otherwise
>  you won't be able to access OPT from LAN).  You will then need to
>  ensure
>  that there is a NAT rule for LAN traffic destined for the WAN.
>  I have my m0n0wall in that exact configuration and haven't had any
>  problems.  I also have a number of other OPT interfaces on wireless
>  networks etc.
>  You should also bear in mind that you cannot created a bridge with
>  interfaces (that's my experience, anyway).
>  HTH,
>                                  Neil.
>  --
>  Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
>  ---------------------------------------------------------------------
>  To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>  For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch

Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk