Piet,
here are my notes on the installation:
Install m0n0wall
Assign Interfaces on console:
LAN - fxp0
WAN - xl0
OPT1 - fxp1
Assign LAN IP address on console - 192.168.0.1
Enable DHCP server on LAN
Upgrade to m0n0wall 1.22
Configure WAN IP address - 192.168.2.245/24, gateway 192.168.2.245
Uncheck 'Block private networks'
Enable OPT1 and bridge with WAN
Reboot
Enable advanced outbound NAT
Add NAT rule:
Interface: WAN
Source: 192.168.0.0/24
Destination: NOT Network 192.168.2.0/24
Description: LAN to WAN hide rule
Configure host on OPT1 with 192.168.2.246/24, gateway 192.168.2.245
Add firewall rule
Test access to port 80 on 192.168.2.101 on WAN and 192.168.0.199 on LAN
The tests were successful and I didn't have any problems! I didn't test
completely due to the time and facilities I have at home.
My config is below (the password is the default password so feel free to
use it):
<?xml version="1.0"?>
<m0n0wall>
  <version>1.6</version>
  <system>
    <hostname>m0n0wall</hostname>
    <domain>local</domain>
    <dnsserver/>
    <dnsallowoverride/>
    <username>admin</username>
    <password>$1$2xGLA75j$W/jiJc00HYBZX7kFjxjQv0</password>
    <timezone>Etc/UTC</timezone>
    <time-update-interval>300</time-update-interval>
    <timeservers>pool.ntp.org</timeservers>
    <webgui>
      <protocol>http</protocol>
      <certificate/>
      <private-key/>
    </webgui>
    <harddiskstandby/>
  </system>
  <interfaces>
    <lan>
      <if>fxp0</if>
      <ipaddr>192.168.0.1</ipaddr>
      <subnet>24</subnet>
    </lan>
    <wan>
      <if>xl0</if>
      <mtu/>
      <ipaddr>192.168.2.245</ipaddr>
      <subnet>24</subnet>
      <gateway>192.168.2.1</gateway>
      <spoofmac/>
    </wan>
    <opt1>
      <if>fxp1</if>
      <descr>OPT1</descr>
      <ipaddr/>
      <subnet>31</subnet>
      <bridge>wan</bridge>
      <enable/>
    </opt1>
  </interfaces>
  <staticroutes/>
  <pppoe/>
  <pptp/>
  <bigpond/>
  <dyndns>
    <type>dyndns</type>
    <username/>
    <password/>
    <host/>
    <mx/>
  </dyndns>
  <dhcpd>
    <lan>
      <range>
        <from>192.168.0.100</from>
        <to>192.168.0.199</to>
      </range>
      <defaultleasetime/>
      <maxleasetime/>
      <enable/>
    </lan>
  </dhcpd>
  <pptpd>
    <mode/>
    <redir/>
    <localip/>
    <remoteip/>
  </pptpd>
  <dnsmasq>
    <enable/>
  </dnsmasq>
  <snmpd>
    <syslocation/>
    <syscontact/>
    <rocommunity>public</rocommunity>
  </snmpd>
  <diag>
    <ipv6nat>
      <ipaddr/>
    </ipv6nat>
  </diag>
  <bridge>
    <filteringbridge/>
  </bridge>
  <syslog/>
  <nat>
    <advancedoutbound>
      <enable/>
      <rule>
        <source>
          <network>192.168.0.0/24</network>
        </source>
        <descr>LAN to WAN hide rule</descr>
        <target/>
        <interface>wan</interface>
        <destination>
          <network>192.168.2.0/24</network>
          <not/>
        </destination>
      </rule>
    </advancedoutbound>
  </nat>
  <filter>
    <rule>
      <type>pass</type>
      <descr>Default LAN -> any</descr>
      <interface>lan</interface>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <any/>
      </destination>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source>
        <address>192.168.2.0/24</address>
      </source>
      <destination>
        <address>192.168.2.246</address>
      </destination>
      <descr/>
    </rule>
    <tcpidletimeout/>
  </filter>
  <shaper/>
  <ipsec>
  </ipsec>
  <aliases/>
  <proxyarp/>
  <wol/>
  <lastchange>1168986520</lastchange>
</m0n0wall>
HTH,
Neil.
In message <62C7F551 dash A699 dash 4769 dash BD89 dash 0DE0AFF06986 at seiden dot dk>, Piet Seiden
<piet at seiden dot dk> writes
>Thanks,
>it would be nice to have it documented. I'll get back to you if we
>succeed in the meantime.
>Regards,
>Piet
>
>On 16/01/2007, at 20.52, Neil A. Hillard wrote:
>
>> Piet,
>>
>> I'll dig a box out of the loft and see if I can find a couple of
>> spare NICs to test. My current box has an onboard Intel (running VLANs
>> to my switch) for LAN and some other OPT interfaces and two 3com 3c905s
>> for WAN and OPT1.
>>
>> I'll make a list of operations (assuming it works). I'll also document
>> it for addition to the manual (in a couple of weeks' time, after my
>> previous commitments).
>>
>> HTH,
>>
>>
>> Neil.
>>
>> In message <3233921E dash 008F dash 43F8 dash B837 dash 79261325A5FF at seiden dot dk>, Piet Seiden
>> <piet at seiden dot dk> writes
>>> Neil,
>>> we just spent the afternoon trying this, running 1.22 on a PC with
>>> three Intel NICs. We even went so far as to reset the box to default
>>> configuration and then apply these rules, but to no avail. As we
>>> can access the DMZ from the Internet, it doesn't seem to be connected
>>> with the rules - and all we did was set a rule allowing all
>>> traffic on the DMZ, just to make sure we hadn't bungled the rules.
>>> I will try to disable the filtering bridge tomorrow to see if this
>>> makes any difference and test if I can reach other hosts on this
>>> subnet.
>>> Regards,
>>> Piet
>>>
>>>
>>>
>>> On 16/01/2007, at 20.31, Neil A. Hillard wrote:
>>>
>>>> Piet,
>>>>
>>>> In message <116D8A8C dash E6B5 dash 4928 dash ADF0 dash A81592BC0834 at seiden dot dk>, Piet Seiden
>>>> <piet at seiden dot dk> writes
>>>>> Together with a colleague I've been trying to set up a m0n0wall with a
>>>>> DMZ. We have a /24 public IP subnet that we would like to use for a
>>>>> couple of servers in the DMZ - either through bridging the WAN and the
>>>>> OPT1 interfaces or by using 1:1 NAT. We have managed to get it working
>>>>> using both these approaches, but so far we have been unable to access
>>>>> the DMZ servers from hosts on the LAN. We are aware that section 16.8
>>>>> in the FAQ mentions this problem with regard to bridging, but then a
>>>>> couple of notices here on this list by Neil Hillard have mentioned
>>>>> that this could be overcome by overriding the outbound NAT default
>>>>> settings. However, we have failed to make this work for us. Are there
>>>>> any suggestions as to what can be done to make this work?
>>>>
>>>> It's definitely possible. Mine has been working for probably about 18
>>>> months now. I'm still using 1.22 and haven't tried this on any later
>>>> versions.
>>>>
>>>> It should be a case of the following (assuming your LAN is
>>>> 192.168.0.0/24 and WAN is 1.2.3.0/24):
>>>>
>>>> 1. Set LAN and WAN addresses
>>>>
>>>> 2. Set OPT1 to be bridged with WAN
>>>>
>>>> 3. Enable 'advanced outbound NAT'.
>>>>
>>>> 4. Add the following NAT rule:
>>>>
>>>> Interface: WAN
>>>>
>>>> Source: 192.168.0.0/24
>>>>
>>>> Destination: NOT Network 1.2.3.0/24
>>>>
>>>> Description: LAN to WAN hide rule
>>>>
>>>> 5. Enable filtering bridge (if you want to)
>>>>
>>>>
>>>> The above rule should then NAT any traffic leaving your WAN interface
>>>> that isn't destined to the address range that's on WAN / OPT1.
>>>>
>>>> Please let me know how you get on,
>>>>
>>>>
>>>> Neil.
>>>>
>>>> -- Neil A. Hillard E-Mail: m0n0 at dana dot org dot uk
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>>>
>>>
>>> _________________________________
>>> Piet Seiden
>>> Næstvedgade 6b, 3tv
>>> 2100 København Ø
>>> tel. 3694 9833 mobile 2733 9981
>>>
>>>
>>>
>>
>
--
Neil A. Hillard E-Mail: m0n0 at dana dot org dot uk
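The hide rule in Neil's notes and config works by excluding the WAN/OPT1 subnet from outbound NAT. The checker below is an added example, not code from the thread or from m0n0wall: it parses the <advancedoutbound> section of the posted config and reports which source address a LAN packet carries when it leaves WAN, assuming first-match rule semantics and reading an empty <target/> as the WAN interface address.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Trimmed copy of the WAN interface and NAT sections of the config above.
CONFIG_XML = """<m0n0wall>
  <interfaces>
    <wan><if>xl0</if><ipaddr>192.168.2.245</ipaddr><subnet>24</subnet></wan>
  </interfaces>
  <nat>
    <advancedoutbound>
      <enable/>
      <rule>
        <source><network>192.168.0.0/24</network></source>
        <descr>LAN to WAN hide rule</descr>
        <target/>
        <interface>wan</interface>
        <destination><network>192.168.2.0/24</network><not/></destination>
      </rule>
    </advancedoutbound>
  </nat>
</m0n0wall>"""


def load_rules(xml_text):
    # Parse advanced outbound NAT rules; empty <target/> = hide behind WAN IP.
    root = ET.fromstring(xml_text)
    wan_ip = root.findtext("interfaces/wan/ipaddr")
    rules = []
    for rule in root.findall("nat/advancedoutbound/rule"):
        dst = rule.find("destination")
        dst_net = dst.findtext("network")
        rules.append({
            "iface": rule.findtext("interface"),
            "src": ipaddress.ip_network(rule.findtext("source/network")),
            "dst": ipaddress.ip_network(dst_net) if dst_net else None,
            "dst_negated": dst.find("not") is not None,  # the NOT in the rule
            "target": rule.findtext("target") or wan_ip,
        })
    return rules


def outbound_source(rules, out_iface, src_ip, dst_ip):
    # Source address a packet carries after outbound NAT on out_iface;
    # first matching rule wins, and with no match it leaves un-NATed.
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["iface"] != out_iface or src not in r["src"]:
            continue
        if r["dst"] is not None and (dst in r["dst"]) == r["dst_negated"]:
            continue  # <not/> inverts the destination match
        return r["target"]
    return str(src)
```

For a LAN host talking to the DMZ host on the bridged OPT1 (192.168.2.246) the packet keeps its 192.168.0.x source, so the OPT1 host needs a route back to 192.168.0.0/24, which the notes supply by pointing its gateway at the firewall's WAN address; traffic to any other destination leaves hidden behind 192.168.2.245.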