[ previous ] [ next ] [ threads ]
 From:  "Michael A. Alderete" <lists dash 2003 at alderete dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Questions Using Proxy ARP for DMZ
 Date:  Sun, 8 Feb 2004 00:27:13 -0800
OK, I've read a bit about how Proxy ARP works, including these articles:


I (think I) understand the general theory of Proxy ARP, but I am not able
to translate it into actions that make sense for my network or the m0n0wall

I have the following network configuration from my ISP (Speakeasy):

  Gateway:        xxx.yyy.189.1
  Allocated IPs:  xxx.yyy.189.2 ... xxx.yyy.189.5 (for my hardware)

Here's my desired network setup:

 +---------+	|                     Static IP
 | server1 +----|  DMZ(OPT1)      WAN xxx.yyy.189.5 / 24
 +---------+	|     +----------+    xxx.yyy.189.1 gateway
		|-----+ m0n0wall +-----\
 +---------+	|     +----------+      \------> DSL modem and Internet
 | server2 +----|          | LAN
 +---------+	|          | / 24
		|          |

The WAN interface is a Static IP config, xxx.yyy.189.5 / 24, with Gateway
xxx.yyy.189.1. The LAN interface set up as / 24. This works
great for my desktops to surf, e-mail, etc.

One of my IP addresses is used for m0n0wall; I would like to use the others
for servers on the DMZ.

I have five questions that are my stumbling block on getting from the
general concept of Proxy ARP to my specific m0n0wall configuration:

1. Do I need to change my WAN interface to a different IP, or make other
changes to the WAN interface?

2. What are the correct settings to enter into the Proxy ARP panel of the
m0n0wall webGUI to set it up for my DMZ configuration?

  Network:     ????
  CIDR subnet: ????

3. What are the IP addresses that will be left for use in the DMZ?

4. What are the subnet and gateway settings to use for the servers in the DMZ?

5. What else do I need to do in the m0n0wall webGUI to allow packets from
the Internet to go back and forth to/from a specific server in the DMZ? Do
I need to add firewall rules, or NAT settings, or anything else? (For now
it's OK if the DMZ systems aren't protected, I'll pester the list with
firewall questions once I've moved my servers. ;-)

It seems like this should be simple, but...there's just some element I must
not have grokked, and it's keeping me from the truth...



Michael A. Alderete           <mailto:lists dash 2003 at alderete dot com>