 
 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] How to access the DMZ from the LAN?
 Date:  Wed, 17 Jan 2007 00:36:51 +0000
Piet,

        here are my notes on the installation:

Install m0n0wall

Assign Interfaces on console:

        LAN - fxp0
        WAN - xl0
        OPT1 - fxp1

Assign LAN IP address on console - 192.168.0.1

Enable DHCP server on LAN

Upgrade to m0n0wall 1.22

Configure WAN IP address - 192.168.2.245/24, gateway 192.168.2.245

Uncheck 'Block private networks'

Enable OPT1 and bridge with WAN

Reboot

Enable advanced outbound NAT

Add NAT rule:

        Interface:      WAN

        Source:         192.168.0.0/24

        Destination:    NOT Network 192.168.2.0/24

        Description:    LAN to WAN hide rule

Configure host on OPT1 with 192.168.2.246/24, gateway 192.168.2.245

Add firewall rule

Test access to port 80 on 192.168.2.101 on WAN and 192.168.0.199 on LAN


The tests were successful and I didn't have any problems!  I didn't test
completely due to time and facilities I have at home.

My config is below (the password is the default password so feel free to
use it):

<?xml version="1.0"?>
<m0n0wall>
        <version>1.6</version>
        <system>
                <hostname>m0n0wall</hostname>
                <domain>local</domain>
                <dnsserver/>
                <dnsallowoverride/>
                <username>admin</username>
                <password>$1$2xGLA75j$W/jiJc00HYBZX7kFjxjQv0</password>
                <timezone>Etc/UTC</timezone>
                <time-update-interval>300</time-update-interval>
                <timeservers>pool.ntp.org</timeservers>
                <webgui>
                        <protocol>http</protocol>
                        <certificate/>
                        <private-key/>
                </webgui>
                <harddiskstandby/>
        </system>
        <interfaces>
                <lan>
                        <if>fxp0</if>
                        <ipaddr>192.168.0.1</ipaddr>
                        <subnet>24</subnet>
                </lan>
                <wan>
                        <if>xl0</if>
                        <mtu/>
                        <ipaddr>192.168.2.245</ipaddr>
                        <subnet>24</subnet>
                        <gateway>192.168.2.1</gateway>
                        <spoofmac/>
                </wan>
                <opt1>
                        <if>fxp1</if>
                        <descr>OPT1</descr>
                        <ipaddr/>
                        <subnet>31</subnet>
                        <bridge>wan</bridge>
                        <enable/>
                </opt1>
        </interfaces>
        <staticroutes/>
        <pppoe/>
        <pptp/>
        <bigpond/>
        <dyndns>
                <type>dyndns</type>
                <username/>
                <password/>
                <host/>
                <mx/>
        </dyndns>
        <dhcpd>
                <lan>
                        <range>
                                <from>192.168.0.100</from>
                                <to>192.168.0.199</to>
                        </range>
                        <defaultleasetime/>
                        <maxleasetime/>
                        <enable/>
                </lan>
        </dhcpd>
        <pptpd>
                <mode/>
                <redir/>
                <localip/>
                <remoteip/>
        </pptpd>
        <dnsmasq>
                <enable/>
        </dnsmasq>
        <snmpd>
                <syslocation/>
                <syscontact/>
                <rocommunity>public</rocommunity>
        </snmpd>
        <diag>
                <ipv6nat>
                        <ipaddr/>
                </ipv6nat>
        </diag>
        <bridge>
                <filteringbridge/>
        </bridge>
        <syslog/>
        <nat>
                <advancedoutbound>
                        <enable/>
                        <rule>
                                <source>
                                        <network>192.168.0.0/24</network>
                                </source>
                                <descr>LAN to WAN hide rule</descr>
                                <target/>
                                <interface>wan</interface>
                                <destination>
                                        <network>192.168.2.0/24</network>
                                        <not/>
                                </destination>
                        </rule>
                </advancedoutbound>
        </nat>
        <filter>
                <rule>
                        <type>pass</type>
                        <descr>Default LAN -&gt; any</descr>
                        <interface>lan</interface>
                        <source>
                                <network>lan</network>
                        </source>
                        <destination>
                                <any/>
                        </destination>
                </rule>
                <rule>
                        <type>pass</type>
                        <interface>wan</interface>
                        <protocol>tcp</protocol>
                        <source>
                                <address>192.168.2.0/24</address>
                        </source>
                        <destination>
                                <address>192.168.2.246</address>
                        </destination>
                        <descr/>
                </rule>
                <tcpidletimeout/>
        </filter>
        <shaper/>
        <ipsec>
        </ipsec>
        <aliases/>
        <proxyarp/>
        <wol/>
        <lastchange>1168986520</lastchange>
</m0n0wall>

HTH,


                                Neil.

In message <62C7F551 dash A699 dash 4769 dash BD89 dash 0DE0AFF06986 at seiden dot dk>, Piet Seiden
<piet at seiden dot dk> writes
>Thanks,
>it would be nice to have it documented. I'll get back to you if we
>succeed in the meantime.
>Regards,
>Piet
>
>On 16/01/2007, at 20.52, Neil A. Hillard wrote:
>
>> Piet,
>>
>>         I'll dig a box out of the loft and see if I can find a couple of
>> spare NICs to test.  My current box has an onboard Intel (running VLANs
>> to my switch) for LAN and some other OPT interfaces and two 3com 3c905s
>> for WAN and OPT1.
>>
>> I'll make a list of operations (assuming it works).  I'll also document
>> it for addition to the manual (in a couple weeks time, after my previous
>> commitments).
>>
>> HTH,
>>
>>
>>                                 Neil.
>>
>> In message <3233921E dash 008F dash 43F8 dash B837 dash 79261325A5FF at seiden dot dk>, Piet Seiden
>> <piet at seiden dot dk> writes
>>> Neil,
>>> we just spent the afternoon trying this, running 1.22 on a PC with
>>> three Intel NICs. We even went so far as to reset the box to default
>>> configuration and then apply these rules, but to no avail. As we
>>> can access the DMZ from the Internet, it doesn't seem to be connected
>>> with the rules - and all we did was set a rule allowing all
>>> traffic on the DMZ, just to make sure we hadn't bungled the rules.
>>> I will try to disable the filtering bridge tomorrow to see if this
>>> makes any difference and test if I can reach other hosts on this
>>> subnet.
>>> Regards,
>>> Piet
>>>
>>>
>>>
>>> On 16/01/2007, at 20.31, Neil A. Hillard wrote:
>>>
>>>> Piet,
>>>>
>>>> In message <116D8A8C dash E6B5 dash 4928 dash ADF0 dash A81592BC0834 at seiden dot dk>, Piet Seiden
>>>> <piet at seiden dot dk> writes
>>>>> Together with a colleague I've been trying to set up a m0n0wall with a
>>>>> DMZ. We have a /24 public IP subnet that we would like to use for a
>>>>> couple of servers in the DMZ - either through bridging the WAN and the
>>>>> OPT1 interfaces or by using 1:1 NAT. We have managed to get it working
>>>>> using both these approaches, but so far we have been unable to access
>>>>> the DMZ servers from hosts on the LAN. We are aware that section 16.8
>>>>> in the FAQ mentions this problem with regard to bridging, but then a
>>>>> couple of notices here on this list by Neil Hillard have mentioned
>>>>> that this could be overcome by overriding the outbound NAT default
>>>>> settings. However, we have failed to make this work for us. Are there
>>>>> any suggestions as to what can be done to make this work?
>>>>
>>>> It's definitely possible.  Mine has been working for probably about 18
>>>> months now.  I'm still using 1.22 and haven't tried this on any later
>>>> versions.
>>>>
>>>> It should be a case of the following (assuming your LAN is
>>>> 192.168.0.0/24 and WAN is 1.2.3.0/24):
>>>>
>>>> 1. Set LAN and WAN addresses
>>>>
>>>> 2. Set OPT1 to be bridged with WAN
>>>>
>>>> 3. Enable 'advanced outbound NAT'.
>>>>
>>>> 4. Add the following NAT rule:
>>>>
>>>>         Interface:      WAN
>>>>
>>>>         Source:         192.168.0.0/24
>>>>
>>>>         Destination:    NOT Network 1.2.3.0/24
>>>>
>>>>         Description:    LAN to WAN hide rule
>>>>
>>>> 5. Enable filtering bridge (if you want to)
>>>>
>>>>
>>>> The above rule should then NAT any traffic leaving your WAN interface
>>>> that isn't destined to the address range that's on WAN / OPT1.
>>>>
>>>> Please let me know how you get on,
>>>>
>>>>
>>>>                                 Neil.
>>>>
>>>> --  Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>>>
>>>
>>> _________________________________
>>> Piet Seiden
>>> tlf. 3694 9833 mobil 2733 9981
>>>
>>>
>>>
>>
>> --  Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
>>
>>
>
>_________________________________
>Piet Seiden
>tlf. 3694 9833 mobil 2733 9981
>
>
>

-- 
Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
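The "NOT Network" destination on the advanced outbound NAT rule is the part of the recipe above that is easiest to get backwards. This added example (not from the thread or from the m0n0wall project) parses the advancedoutbound section of the posted config and reports which source address a LAN packet leaves the WAN interface with, so the LAN-to-DMZ exemption can be checked offline. Assumed: the WAN address 192.168.2.245 from the posted config, first-match rule semantics, and an empty target element meaning the interface address.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed excerpt of the config.xml posted above (only the NAT section is needed here).
CONFIG_XML = """<?xml version="1.0"?>
<m0n0wall>
  <nat>
    <advancedoutbound>
      <enable/>
      <rule>
        <source><network>192.168.0.0/24</network></source>
        <target/>
        <interface>wan</interface>
        <destination><network>192.168.2.0/24</network><not/></destination>
      </rule>
    </advancedoutbound>
  </nat>
</m0n0wall>
"""

WAN_IP = ipaddress.ip_address("192.168.2.245")  # <wan><ipaddr> in the posted config (assumed here)


def load_outbound_rules(xml_text):
    """Parse the advanced outbound NAT rules into plain dicts (empty if the feature is off)."""
    root = ET.fromstring(xml_text)
    aob = root.find("nat/advancedoutbound")
    if aob is None or aob.find("enable") is None:
        return []
    rules = []
    for rule in aob.findall("rule"):
        dst = rule.find("destination")
        rules.append({
            "interface": rule.findtext("interface"),
            "source": ipaddress.ip_network(rule.findtext("source/network")),
            "dest": ipaddress.ip_network(dst.findtext("network")),
            "dest_negated": dst.find("not") is not None,   # <not/> is the GUI's "NOT Network"
            "target": rule.findtext("target") or None,     # empty <target/>: use interface address (assumed)
        })
    return rules


def translated_source(rules, iface, src, dst):
    """Source address a packet leaves `iface` with; first matching rule wins, else unchanged."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule["interface"] != iface or src not in rule["source"]:
            continue
        in_dest = dst in rule["dest"]
        if in_dest != rule["dest_negated"]:    # plain match, or negated non-match
            return str(rule["target"] or WAN_IP)
    return str(src)
```

A LAN host reaching the bridged DMZ host 192.168.2.246 keeps its own address, while the same host reaching an outside address is hidden behind the WAN IP, which is exactly the split the "LAN to WAN hide rule" is meant to produce.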