 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] How to access the DMZ from the LAN?
 Date:  Tue, 16 Jan 2007 19:31:33 +0000
Piet,

In message <116D8A8C dash E6B5 dash 4928 dash ADF0 dash A81592BC0834 at seiden dot dk>, Piet Seiden
<piet at seiden dot dk> writes
>Together with a colleague I've been trying to set up a m0n0wall with a
>DMZ. We have a /24 public IP subnet that we would like to use for a
>couple of servers in the DMZ - either through bridging the WAN and the
>OPT1 interfaces or by using 1:1 NAT. We have managed to get it working
>using both these approaches, but so far we have been unable to access
>the DMZ servers from hosts on the LAN. We are aware that section 16.8
>in the FAQ mentions this problem with regard to bridging, but then a
>couple of notices here on this list by Neil Hillard have mentioned
>that this could be overcome by overriding the outbound NAT default
>settings. However, we have failed to make this work for us. Are there
>any suggestions as to what can be done to make this work?

It's definitely possible.  Mine has been working for probably about 18
months now.  I'm still using 1.22 and haven't tried this on any later
versions.

It should be a case of the following (assuming your LAN is
192.168.0.0/24 and WAN is 1.2.3.0/24):

1. Set LAN and WAN addresses

2. Set OPT1 to be bridged with WAN

3. Enable 'advanced outbound NAT'.

4. Add the following NAT rule:

        Interface:      WAN

        Source:         192.168.0.0/24

        Destination:    NOT Network 1.2.3.0/24

        Description:    LAN to WAN hide rule

5. Enable filtering bridge (if you want to)


The above rule should then NAT any traffic leaving your WAN interface
that isn't destined to the address range that's on WAN / OPT1.

Please let me know how you get on,


                                Neil.

-- 
Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk