From: "Neil A. Hillard" <m0n0@dana.org.uk>
To: m0n0wall@lists.m0n0.ch
Subject: Re: [m0n0wall] How to access the DMZ from the LAN?
Date: Tue, 16 Jan 2007 19:52:06 +0000
Piet,

        I'll dig a box out of the loft and see if I can find a couple of
spare NICs to test.  My current box has an onboard Intel (running VLANs
to my switch) for LAN and some other OPT interfaces and two 3com 3c905s
for WAN and OPT1.

I'll make a list of operations (assuming it works).  I'll also document
it for addition to the manual (in a couple of weeks' time, after my
previous commitments).

HTH,


                                Neil.

In message <3233921E-008F-43F8-B837-79261325A5FF@seiden.dk>, Piet Seiden
<piet@seiden.dk> writes
>Neil,
>we just spent the afternoon trying this, running 1.22 on a PC with
>three Intel NICs. We even went so far as to reset the box to default
>configuration and then apply these rules, but to no avail. As we
>can access the DMZ from the Internet, it doesn't seem to be connected
>with the rules - and all we did was set a rule allowing all
>traffic on the DMZ, just to make sure we hadn't bungled the rules.
>I will try to disable the filtering bridge tomorrow to see if this
>makes any difference and test if I can reach other hosts on this
>subnet.
>Regards,
>Piet
>
>
>
>On 16/01/2007, at 20.31, Neil A. Hillard wrote:
>
>> Piet,
>>
>> In message <116D8A8C-E6B5-4928-ADF0-A81592BC0834@seiden.dk>, Piet Seiden
>> <piet@seiden.dk> writes
>>> Together with a colleague I've been trying to set up a m0n0wall with a
>>> DMZ. We have a /24 public IP subnet that we would like to use for a
>>> couple of servers in the DMZ - either through bridging the WAN and the
>>> OPT1 interfaces or by using 1:1 NAT. We have managed to get it working
>>> using both these approaches, but so far we have been unable to access
>>> the DMZ servers from hosts on the LAN. We are aware that section 16.8
>>> in the FAQ mentions this problem with regard to bridging, but then a
>>> couple of notices here on this list by Neil Hillard have mentioned
>>> that this could be overcome by overriding the outbound NAT default
>>> settings. However, we have failed to make this work for us. Are there
>>> any suggestions as to what can be done to make this work?
>>
>> It's definitely possible.  Mine has been working for probably about 18
>> months now.  I'm still using 1.22 and haven't tried this on any later
>> versions.
>>
>> It should be a case of the following (assuming your LAN is
>> 192.168.0.0/24 and WAN is 1.2.3.0/24):
>>
>> 1. Set LAN and WAN addresses
>>
>> 2. Set OPT1 to be bridged with WAN
>>
>> 3. Enable 'advanced outbound NAT'.
>>
>> 4. Add the following NAT rule:
>>
>>         Interface:      WAN
>>
>>         Source:         192.168.0.0/24
>>
>>         Destination:    NOT Network 1.2.3.0/24
>>
>>         Description:    LAN to WAN hide rule
>>
>> 5. Enable filtering bridge (if you want to)
>>
>>
>> The above rule should then NAT any traffic leaving your WAN interface
>> that isn't destined to the address range that's on WAN / OPT1.
>>
>> Please let me know how you get on,
>>
>>
>>                                 Neil.
>>
>> --  Neil A. Hillard                E-Mail:   m0n0@dana.org.uk
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall-unsubscribe@lists.m0n0.ch
>> For additional commands, e-mail: m0n0wall-help@lists.m0n0.ch
>>
>
>_________________________________
>Piet Seiden
>tlf. 3694 9833 mobil 2733 9981
>
-- 
Neil A. Hillard                E-Mail:   m0n0@dana.org.uk
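The five-step recipe quoted above boils down to one advanced outbound NAT rule whose destination is negated. The following is an added example, not code from the thread or from m0n0wall itself: a small Python model of how such a rule list is evaluated (first match wins, source must be in the rule's source network, destination test inverted when NOT is set), run over sample LAN flows so that the effect of the "NOT Network 1.2.3.0/24" destination is visible next to the behaviour of a plain "hide everything" rule. The WAN address 1.2.3.1 and the shape of the default rule are assumptions made for the model; the thread only gives the /24.

```python
"""
Model of advanced-outbound-NAT rule evaluation (added example, not m0n0wall
code).  Demonstrates why the LAN-to-WAN hide rule excludes the public /24
that WAN and the bridged OPT1 (DMZ) share: a LAN host reaching a DMZ server
is then not hidden behind the WAN address, while Internet-bound traffic is.

Assumptions not stated in the thread: WAN address 1.2.3.1, and a "default"
rule that translates every LAN source leaving WAN to the WAN address.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class OutboundNatRule:
    interface: str
    source: IPv4Network
    destination: Optional[IPv4Network]   # None means "any destination"
    destination_not: bool                # the NOT flag on the destination
    translate_to: IPv4Address            # address the source is hidden behind
    description: str = ""

    def matches(self, interface: str, src: IPv4Address, dst: IPv4Address) -> bool:
        if interface != self.interface or src not in self.source:
            return False
        if self.destination is None:
            return True
        in_dst = dst in self.destination
        # With NOT set the rule applies only when dst is outside the network.
        return (not in_dst) if self.destination_not else in_dst


def outbound_nat(rules: List[OutboundNatRule], interface: str,
                 src: IPv4Address, dst: IPv4Address) -> IPv4Address:
    """Return the post-NAT source address; first matching rule wins."""
    for rule in rules:
        if rule.matches(interface, src, dst):
            return rule.translate_to
    return src  # no rule matched: the packet leaves untranslated


LAN_NET = IPv4Network("192.168.0.0/24")   # from the thread
WAN_NET = IPv4Network("1.2.3.0/24")       # from the thread (shared with OPT1)
WAN_IP = IPv4Address("1.2.3.1")           # assumed

# Plain hide rule: every LAN source leaving WAN becomes the WAN address.
DEFAULT_RULES = [OutboundNatRule("WAN", LAN_NET, None, False, WAN_IP,
                                 "hide LAN behind WAN, no exclusion")]

# The rule from the thread: same, but NOT to the public /24.
HIDE_RULES = [OutboundNatRule("WAN", LAN_NET, WAN_NET, True, WAN_IP,
                              "LAN to WAN hide rule")]


def compare(src: str, dst: str) -> dict:
    """Post-NAT source for one flow under both rule sets (as strings)."""
    s, d = IPv4Address(src), IPv4Address(dst)
    return {
        "default": str(outbound_nat(DEFAULT_RULES, "WAN", s, d)),
        "advanced": str(outbound_nat(HIDE_RULES, "WAN", s, d)),
    }


if __name__ == "__main__":
    # Constructed sample flows: LAN host to a DMZ server, to the Internet,
    # and a non-LAN source that no rule should touch.
    for src, dst in [("192.168.0.10", "1.2.3.50"),
                     ("192.168.0.10", "198.51.100.7"),
                     ("10.9.9.9", "1.2.3.50")]:
        print(f"{src} -> {dst}: {compare(src, dst)}")
```

Run it and the LAN-to-DMZ flow keeps its 192.168.0.x source under the advanced rule while the Internet-bound flow is still translated to the WAN address; under the unconditional rule both are translated.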