 
 From:  Bart Smit <bit at pipe dot nl>
 To:  "Michael A. Alderete" <lists dash 2003 at alderete dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Questions Using Proxy ARP for DMZ
 Date:  Sun, 08 Feb 2004 18:16:37 +0100
Michael A. Alderete wrote:

> Here's my desired network setup:
> 
>  +---------+	|                     Static IP
>  | server1 +--|  DMZ(OPT1)      WAN xxx.yyy.189.5 / 24
>  +---------+	|     +----------+    xxx.yyy.189.1 gateway
> 		|-----+ m0n0wall +-----\
>  +---------+	|     +----------+      \------> DSL modem and Internet
>  | server2 +--|          | LAN
>  +---------+	|          | 192.168.1.1 / 24
> 		|          |

Maybe it doesn't help you much, but I have been told that the filtering 
bridge is a dead end because the LAN will not be able to talk to the
DMZ (as you found out), and your approach with proxy ARP is not really
catered for by m0n0wall.

I had exactly the same requirement, and I have solved it as follows
(translated to your situation):

  +---------+  |                      Static IP
  | server1 +--|  DMZ             WAN xxx.yyy.189.5 / 24
  +---------+  |     +-----------+    xxx.yyy.189.1 gateway
               |-----+ m0n0wall1 +-----\
  +---------+  |     +-----------+      \------> DSL modem and Internet
  | server2 +--|          | LAN
  +---------+  |          | (really only needed for talking to m0n0wall1)
               |          |
         +-----------+
         | m0n0wall2 |
         +-----------+
               | LAN
               | 192.168.1.1 / 24
               |

Here, m0n0wall1 is a filtering bridge. Actually this is quite nice since
now you have *one* place where you can put rules on all traffic between
both LAN and DMZ on one end, and the outside net on the other. This, a
single m0n0wall cannot do. Having to shell out an extra 200 pop for a 
Soekris was minor compared to the headaches this had already cost me.

--Bart