[ previous ] [ next ] [ threads ]
 From:  "Lee Sharp" <leesharp at hal dash pc dot org>
 To:  "Bob Young" <bob at lavamail dot net>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] RE: [monowall] Can Monowall be set to bridging?
 Date:  Mon, 18 Dec 2006 22:35:30 -0600
From: "Bob Young" <bob at lavamail dot net>

> I want to thank you for your reply.

I also sent Bob a private reply, but I will post some stuff here for the 
archives.  After all, some people do occasionally search them. ;-)

> I'm not as well versed in routers (or Monowall), as I would like to be.
> That's probably why I was having trouble understanding this.

> But from what you are saying it looks like I should be able to remote into
> the WAN interface of my Monowall, and from there Monowall will let me 
> bridge
> from the WAN interface to the OPT1 interface of my Monowall.

These terms don't work right.  When you VPN into your WAN IP address, you 
are on a subnet similar to a 4th interface.  Routing, and firewall rules 
work however you set them up.  NAT does not enter the picture with VPN, 
other than outbound browsing of the internet.

> I noticed that the OPT1 interface does allow bridging to the WAN 
> interface.
> There is a drop down box on the OPT1 interface page that allows me to pick
> bridging.  I guess this effectively turns off any routing action between 
> to OPT1. (Am I correct?).

It becomes a switch.  All of a sudden, the WAN port and the OPTx port are 
connected like 2 ports on a switch.  But, you can turn on some firewall 
rules with m0n0wall.

> It looks like I'm converting the Internet signal on my DSL line to the 
> same
> Internet signal, but now on an Ethernet line, which is still using public
> IPs.  So now, I now have to configure my equipment to talk to public IP
> addresses, for any of my equipment that is connected to the OPT1 interface
> (since it is bridged to WAN).

There is a lot here.  Most DSL is also PPPoE, so that needs to happen 
somewhere.  It may happen in the DSL modem, or in m0n0wall.  However, if you 
can plug a hub into your DSL modem, and run multiple computers, you can do 
bridging.  If the second computer can't get an IP, you may not be able to. 
This depends on the number of IP addresses you have available.

> I understand I could connect a router to the OPT1 interface, and use 
> NATting
> on that router, and then use private IP addresses on the LAN side of the
> second router.  (Am I thinking correct about this?).

m0n0wall can function as a router.  You can stack a m0n0wall behind a 
m0n0wall.  I have done this.  However, I think you are trying to solve a 
problem you don't have here.

> I'm thinking that if I do bridge my Monowall from WAN to OPT1 (and use
> public static IP addresses on my equipment), that I will find it easier to
> remotely access the WAN interface from anywhere out on the Internet,(and
> control) my equipment.  (Am I right?).

The WAN interface will be on the internet .  Anything on the OPTx interfaces 
came through the WAN interface.

> If I'm correct, it seems like doing this bridging can have a problem with
> it.  That is, everything must have static public IP addresses.  That can 
> get
> expensive, if I have a bunch of addressable devices after my Monowall.

Yes it can.  This is why we have a lot of NAT functions built into m0n0wall.

> So maybe that is where 1:1 NATting might help out.  I can have some 
> devices
> use private IP addresses on the LAN side of my Monowall. But for the few
> things that I need to remotely access (and thus have private static IP
> addresses), maybe 1:1 NATting will let me remotely access and control my
> equipment on my LAN?  (Am I correct?).

1:1 NAT is port forwarding.  I have many networks with 20 machines behind a 
single m0n0wall on one IP address fully accessible from the internet. 
However, it is not always user friendly that way. :-)

> If I'm correct about this 1:1 NATting, then that means I'm going to have 
> to
> figure out how to do 1:1 NATting...lol.

It is easier than you think.  It is basically job based delegating.  Web 
traffic goes here, e-mail goes here, and FTP goes here...

> But you also mentioned "server NAT".  I have no idea in the world what
> "server NAT" is.  I'm going to have to do more learning in that area.

Server NAT is where you define an entire IP address to a server, but it has 
a private address (192.168.x.x) and is on the LAN, or DMZ.  You need an 
additional IP address to do this, but it sometimes has advantages over