[ previous ] [ next ] [ threads ]
 From:  Manuel Kasper <mk at neon1 dot net>
 To:  "Michael A. Alderete" <lists dash 2003 at alderete dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Questions Using Proxy ARP for DMZ
 Date:  Sun, 08 Feb 2004 10:58:59 +0100
Michael A. Alderete wrote:

> I have five questions that are my stumbling block on getting from the
> general concept of Proxy ARP to my specific m0n0wall configuration:
> 1. Do I need to change my WAN interface to a different IP, or make other
> changes to the WAN interface?


> 2. What are the correct settings to enter into the Proxy ARP panel of the
> m0n0wall webGUI to set it up for my DMZ configuration?
>   Network:     ????
>   CIDR subnet: ????

OK, so you have IPs xxx.yyy.189.2 - xxx.yyy.189.5. The last one is being
used by m0n0wall itself, so no need to proxy ARP for that. Since what
you have is not really a subnet (if it was, then you'd probably get it
routed to you and not need proxy ARP) but a range of IP addresses that
doesn't lie on a subnet boundary, I'd just create three proxy ARP
entries for xxx.yyy.189.2 to xxx.yyy.189.4 (/32 each). What this does is
making m0n0wall reply to ARP queries for these three IP addresses on the
WAN interface with its own MAC address, causing packets to these
addresses to be sent to m0n0wall (which then knows what to do with them).

> 3. What are the IP addresses that will be left for use in the DMZ?

Assuming you're going to use 1:1 (or Server) NAT, you use some private
subnet in your DMZ, like

> 4. What are the subnet and gateway settings to use for the servers in the DMZ?

See above. Gateway = m0n0wall's DMZ interface IP address.

> 5. What else do I need to do in the m0n0wall webGUI to allow packets from
> the Internet to go back and forth to/from a specific server in the DMZ? Do
> I need to add firewall rules, or NAT settings, or anything else? (For now
> it's OK if the DMZ systems aren't protected, I'll pester the list with
> firewall questions once I've moved my servers. ;-)

Add 1:1 NAT rules to map each of your external IP addresses to the
corresponding (private) DMZ IP address. Add filter rules that pass
traffic on WAN from any to [private DMZ IP address of your server] on
the desired port(s). Remember that the filter will see the packets after
NATing, so you have to use the private IP addresses for the destination
(on inbound packets).

Now if you were going to use filtered bridging, it's another story - in
that case, you don't need Proxy ARP at all because the ARP replies from
your DMZ servers would be bridged too (Bruce, is that correct?).