 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] New to m0n0wall install question
 Date:  Thu, 11 Jan 2007 19:29:15 +0000
Hi,

In message <004001c735a5$224cc140$5d0b7f57@DonovansLaptop>, Donovan R.
Palmer <donovan at dmpnet dot org> writes
>I have been reading the administrator's manual, familiarising myself
>with m0n0wall.  One question to ensure that I understand correctly...
>
>I have a /28 from my ISP.  My router uses one and my m0n0wall will use
>the other.  I want to use the remaining public IPs in the DMZ and do
>NAT with private IPs in the LAN.
>
>After reading this in the documentation:
>http://doc.m0n0.ch/handbook/faq-bridge.html , if I understand
>correctly, my machines in the LAN will not be able to access my servers
>in the DMZ due to a limitation in ipnat and bridging.
>
>So, if I use NAT in the DMZ, but do 1 to 1 mapping (public IP to
>private IP), will this get around this problem and allow my machines to
>access servers in the DMZ?
>
>Or is what I am trying to do not possible (mixing Nat and public ips)?
>If so, could I allocate half of the public ips to my LAN and the other
>half to the DMZ to get around this?
>
>Sorry if this is plainly obvious.  This is my first foray into a
>software firewall and I want to be fully read up and understanding what
>I am doing before I invest the time into setting up the hardware.

What you want is entirely possible.  What you have to ensure is that
traffic from LAN to OPT1 is not NATed.  Assuming your WAN / OPT1 IP
address range is 1.2.3.4.0/28 and your LAN is 192.168.0.0/24 then you
would need to enable 'advanced outbound NAT' and add the following rule:

Interface:      WAN
Source:         192.168.0.0/24
Destination:    not Network 1.2.3.4.0/28
Target:
Portmap:        unchecked
Description:    LAN to WAN hide rule


If you want to apply firewalls to OPT1 then you will also need to check
'Enable filtering bridge'.

I have this very configuration and it works very well indeed.

HTH,


                                Neil.

-- 
Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
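The difference the "not Network" destination makes, as an added example that is not part of the thread or of m0n0wall itself: a small model of advanced outbound NAT that compares the default hide-everything behaviour with the rule in the reply. The reply's "1.2.3.4.0/28" is not a valid prefix, so the documentation range 203.0.113.0/28 stands in for the ISP /28, 203.0.113.2 for the m0n0wall WAN address, and 198.51.100.7 for an Internet host; all three are constructed placeholders.

```python
"""Model of m0n0wall outbound NAT for the LAN / bridged-DMZ setup above.

Constructed example, not m0n0wall code. Addresses are placeholders:
LAN 192.168.0.0/24, ISP /28 = 203.0.113.0/28 (bridged WAN <-> OPT1).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

LAN_NET = ip_network("192.168.0.0/24")
PUBLIC_NET = ip_network("203.0.113.0/28")   # placeholder for the ISP /28
WAN_IP = ip_address("203.0.113.2")          # placeholder m0n0wall WAN address


@dataclass
class OutboundNatRule:
    interface: str
    source: IPv4Network
    destination: IPv4Network
    dest_negated: bool = False          # the "not Network ..." checkbox
    target: Optional[IPv4Address] = None  # None = use the interface address

    def matches(self, iface: str, src: IPv4Address, dst: IPv4Address) -> bool:
        if iface != self.interface or src not in self.source:
            return False
        in_dest = dst in self.destination
        return not in_dest if self.dest_negated else in_dest


def translate_source(rules: List[OutboundNatRule], iface: str,
                     src: IPv4Address, dst: IPv4Address) -> IPv4Address:
    """Source address seen on the wire after outbound NAT. First matching
    rule wins; with advanced outbound NAT, no match means no translation."""
    for rule in rules:
        if rule.matches(iface, src, dst):
            return rule.target if rule.target else WAN_IP
    return src


# Automatic (non-advanced) outbound NAT: every LAN packet leaving WAN is hidden,
# including packets for the bridged DMZ, so DMZ hosts see the WAN address.
DEFAULT_RULES = [OutboundNatRule("WAN", LAN_NET, ip_network("0.0.0.0/0"))]
# The reply's rule: hide LAN only when the destination is outside the /28.
HIDE_RULE = [OutboundNatRule("WAN", LAN_NET, PUBLIC_NET, dest_negated=True)]


def lan_to_dmz(rules: List[OutboundNatRule]) -> IPv4Address:
    """LAN client 192.168.0.10 talking to DMZ server 203.0.113.5."""
    return translate_source(rules, "WAN", ip_address("192.168.0.10"),
                            ip_address("203.0.113.5"))


def lan_to_internet(rules: List[OutboundNatRule]) -> IPv4Address:
    """Same LAN client talking to an Internet host 198.51.100.7."""
    return translate_source(rules, "WAN", ip_address("192.168.0.10"),
                            ip_address("198.51.100.7"))
```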