 From:  Harlan Stenn <harlan at everett dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Cc:  harlan at everett dot org
 Subject:  LAN IP alias, 2 WAN IPs?
 Date:  Fri, 27 Apr 2007 17:11:45 -0700
I've been reading the docs, including the faq-ipalias page and some
postings on the mailing list.

I am trying to set up a m0n0wall firewall at a site that is currently
using one of their FreeBSD production boxes as a combo server/firewall,
with 2 IPs on the WAN.

I want to have a physically separate firewall, and I'd rather have a
cdrom/flash firewall on something like a soekris machine than set up a
"bigger" machine and just do it all with a normal (FreeBSD) OS.

I also want it to be pretty easy to switch between the new and old
firewall setups.

The new (m0n0wall) firewall has a dedicated IP for its LAN IP, with a
normal netmask.

The old machine has a dedicated IP for its LAN IP (with a normal
netmask) and it currently uses an IP alias (on a /32) for the default
route to the internet.

My thought is to have the DSL modem connect to a small switch/hub, which
then connects to the WAN interface on each of "the old firewall/gateway"
and "the new m0n0wall firewall/gateway".

As the "old" machine has 2 interfaces, when I want to use it as the
firewall/gateway box I:

 ifconfig WAN up
 ifconfig LAN inet def.ault.rte/32 alias

and when I want to disable the firewall/gateway on the old box I:

 ifconfig WAN down
 ifconfig LAN inet def.ault.rte/32 -alias

So far so good.

I figure to make it easy on these folks to enable/disable using the
m0n0wall box as their firewall/gateway I can simply get 2 configs going,
one for "enabled" and the other for "disabled", and they "restore" the
appropriate configuration using the dedicated LAN IP on the m0n0wall box.

I am currently having 2 problems:

First problem: how to enable/disable the def.ault.rte address on the
m0n0wall LAN interface while keeping the "normal" LAN IP address on the box?

I have not found a way to get the m0n0wall box to easily answer on the
def.ault.rte/32 address on its LAN interface.

I would rather not have to install a 3rd NIC in the box, as that gives
me more points of failure.

I would rather not have to choose/switch between using either the
assigned LAN IP and the def.ault.rte IP for the LAN address.

What's a good way to handle this?

Second problem: They have 2 WAN IPs.  For one of them, I just want to
send SSH traffic to LAN machine A.  I currently am using this IP as the
assigned IP on the WAN interface.  While the other IP currently handles
SSH, email, and web all on the (current) server, I'd like to be able to
split each "service" to a different machine.  When I configured this the
other day I was able to SSH to the WAN IP and I was connected to the
correct box.  I (thought I) set the NAT rules up correctly, but I'm not
able to connect to the other WAN IP (from outside) and I see nothing in
the logs.
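Added example, not from Harlan's message or the m0n0wall project: a POSIX sh wrapper for the two ifconfig sequences on the old FreeBSD box, with a dry run by default and a sanity check on the alias address before anything is changed. The interface names fxp0/fxp1 and the address 192.0.2.1 are assumed placeholders for WAN, LAN and def.ault.rte.

```shell
#!/bin/sh
# Added example, not from the post: a small wrapper around the two ifconfig
# sequences for the old FreeBSD gateway. It refuses a malformed address,
# prints the commands by default (dry run) and only touches the interfaces
# with --apply. Interface names and the address below are assumed placeholders.
WAN_IF="${WAN_IF:-fxp0}"                  # assumed WAN interface name
LAN_IF="${LAN_IF:-fxp1}"                  # assumed LAN interface name
DEFAULT_RTE="${DEFAULT_RTE:-192.0.2.1}"   # stands in for def.ault.rte (RFC 5737 range)

# Accept only a dotted quad with octets 0-255, so a typo cannot alias a bogus address.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Emit the command sequence for one role, in the same order as the post.
gateway_cmds() {
    case "$1" in
        enable)
            printf 'ifconfig %s up\n' "$WAN_IF"
            printf 'ifconfig %s inet %s/32 alias\n' "$LAN_IF" "$DEFAULT_RTE"
            ;;
        disable)
            printf 'ifconfig %s down\n' "$WAN_IF"
            printf 'ifconfig %s inet %s/32 -alias\n' "$LAN_IF" "$DEFAULT_RTE"
            ;;
        *)
            echo "usage: $0 enable|disable [--apply]" >&2
            return 2
            ;;
    esac
}

# Dry run by default; with --apply, run each command and stop at the first failure.
gateway_toggle() {
    valid_ipv4 "$DEFAULT_RTE" || { echo "bad DEFAULT_RTE: $DEFAULT_RTE" >&2; return 1; }
    cmds=$(gateway_cmds "$1") || return $?
    if [ "$2" = "--apply" ]; then
        echo "$cmds" | while IFS= read -r c; do
            $c || { echo "failed: $c" >&2; exit 1; }
        done
    else
        echo "$cmds"
    fi
}

# Only act when arguments are given, so the file can be sourced without side effects.
if [ $# -ge 1 ]; then gateway_toggle "$@"; fi
```

Run it as `sh gateway.sh enable` to review the commands, then `sh gateway.sh enable --apply` as root to execute them.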