 From:  "Michael A. Alderete" <lists dash 2003 at alderete dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Questions Using Proxy ARP for DMZ
 Date:  Sun, 8 Feb 2004 17:43:38 -0800
At 12:43 PM +0100 2/8/04, Manuel Kasper wrote:
>> Exactly. Uh, although I don't see how having a real subnet would change
>> configuring m0n0wall...
>If you have your own real routed subnet, that also means you get a WAN
>IP address that is *not* inside that subnet. Basically, you can then
>just assign that subnet (of public IP addresses) to your DMZ interface
>(one IP address out of that subnet becomes m0n0wall's DMZ interface IP
>address) and turn off NAT for the DMZ.

<snip> (Wait, how do you turn NAT off for the DMZ, without
        turning it off for the LAN?)

>> The ARP Proxy tells external systems to send packets for proxied systems to
>> the firewall (m0n0), which then figures out where to send them internally,
>> via some clever routing mechanisms. It sounded really cool, and fairly
>> straightforward (though the articles are written about Linux).
>Yes. Let's say m0n0wall has received a packet for xxx.yyy.189.2. It
>knows it's not for itself, but then again strictly speaking the
>destination host for that packet would have to be on the WAN interface,
>because that's where the xxx.yyy.189.0/24 subnet is. OK, if your range
>of addresses was bigger, you could assign some subnet that fits in your
>range to the DMZ interface and live without 1:1 NAT or bridging (this
>works because BSD always uses the most specific route if there are
>multiple possibilities). That would be ugly though, and in your case the
>range is too small anyway.

OK, so from this and what you and Pete discussed (below), it sounds like if
I were to be able to change the IP allocation I get from my ISP, then I
could do it the way I thought it would work (as described in this article,

So, what are the changes I need to request from my ISP? I can ask them for
up to 8 IP addresses, and they can make them contiguous. Do I need to ask
for some kind of specific alignment or starting address?

I guess what I'm asking is, what is the minimum number of changes I need
to make to the following configuration to make it work without doing 1:1
NAT (and without buying another Soekris, as suggested in another post; if
it's possible to do for free, I'd rather do that):

  Subnet: (note I only get a portion of this)
  Gateway:        xxx.yyy.189.1
  Allocated IPs:  xxx.yyy.189.2 ... xxx.yyy.189.5 (for my hardware)

Here's my desired network setup:

 +---------+	|                     Static IP
 | server1 +----|  DMZ(OPT1)      WAN xxx.yyy.189.5 / 24
 +---------+	|     +----------+    xxx.yyy.189.1 gateway
		|-----+ m0n0wall +-----\
 +---------+	|     +----------+      \------> DSL modem and Internet
 | server2 +----|          | LAN
 +---------+	|          | / 24
		|          |

Manuel, you wrote that this approach is "ugly"; I would be curious to
understand why. It seems to me to take elegant advantage of the behavior of
BSD using the most specific route, while avoiding some potentially
troublesome issues with using NAT to provide access to servers.

Thank you for your help with this!

(And, if you want to tell me which book to read for answers and thorough
understanding of this topic, I would gladly go off to Amazon.com and buy it
tonight! Does m0n0wall have an Amazon.com Associates account? From the
questions on this list, including mine, it seems like you could make some nice
referral fees... ;-)


>On Sun, Feb 08, 2004 at 02:55:58PM +0100, Manuel Kasper wrote:
>> Peter Allgeyer wrote:
>> >Not really. Routing is the point. But as NAT seems to be performed before
>> I think that's what I was trying to say, but you can't really do it in a
>> clean way with a public IP range of xxx.yyy.189.2 - xxx.yyy.189.4 and
>> without losing any of them, can you? Maybe I'm missing something here.
>No, you don't miss anything. But it is routing, not NAT, that is responsible
>for choosing interfaces to put packets out. If you say that it is NAT,
>then it is only 1/2 of the truth.
>As stated above, on a transfer net you will lose:
>1) network ip
>2) broadcast ip
>3) firewall ip
>4) router ip
>No other way (if you don't have a small transfer net or choose to bridge
>instead of routing). It's possible to split your /24 net into a small
>transfer net (of about /29 or so) and route the rest to your DMZ, but
>then you will lose more IP addresses than using NAT and proxy ARP.


Michael A. Alderete           <mailto:lists dash 2003 at alderete dot com>
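An added example (not from this list thread or the m0n0wall project) for the two points discussed above: whether a contiguous ISP allocation is an aligned subnet that can be routed to the DMZ as one block, how many server addresses remain once the network, broadcast and m0n0wall DMZ addresses are taken, and the most-specific-route lookup that lets a /29 on the DMZ override the enclosing /24 on the WAN. The 192.0.2.0/24 documentation range stands in for xxx.yyy.189.0/24, and the interface names and routing table are assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed stand-in for the thread's xxx.yyy.189.0/24 (RFC 5737 documentation range).
ISP_BLOCK = "192.0.2.0/24"


def aligned_subnet(first: str, last: str) -> Optional[str]:
    """Return the single CIDR subnet covering first..last, or None when the
    range is not aligned (an unaligned range cannot be assigned to the DMZ
    interface as one subnet, which is the alignment question in the thread)."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return str(nets[0]) if len(nets) == 1 else None


def routed_dmz_usable(dmz_subnet: str) -> int:
    """Server addresses left once the subnet is routed to the DMZ: the network
    and broadcast addresses and the one m0n0wall uses as its DMZ IP are gone."""
    return ipaddress.ip_network(dmz_subnet).num_addresses - 3


def lookup_route(table: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific route wins, so a /29 routed to
    the DMZ takes precedence over the /24 that is connected on the WAN side."""
    addr = ipaddress.ip_address(dst)
    best: Optional[str] = None
    best_len = -1
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = iface, net.prefixlen
    return best


# Assumed routing table for the routed-DMZ design: the ISP's /24 is connected
# on WAN (the WAN IP, e.g. 192.0.2.5, stays outside the /29), the allocated /29
# is assigned to the DMZ interface, and everything else goes to the ISP gateway.
ROUTES = [
    (ISP_BLOCK, "wan"),
    ("192.0.2.8/29", "dmz"),
    ("0.0.0.0/0", "gateway"),
]

if __name__ == "__main__":
    print(aligned_subnet("192.0.2.2", "192.0.2.9"))   # None: 8 addresses, but not on a /29 boundary
    print(aligned_subnet("192.0.2.8", "192.0.2.15"))  # 192.0.2.8/29
    print(routed_dmz_usable("192.0.2.8/29"))          # 5
    print(lookup_route(ROUTES, "192.0.2.10"))         # dmz (more specific than the /24)
    print(lookup_route(ROUTES, "192.0.2.1"))          # wan
```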