On 8/27/07, Android Andrew[:] <android at oberon dot pfi dot lt> wrote:
> My situation:
> I have a router with several interfaces. There are two LANs with private
> IPs and two DMZs with public IPs in my network. A public IP is assigned to
> the router's WAN interface.
> To disable address translation for the DMZs I've checked the "Enable advanced
> outbound NAT" box in the "Outbound NAT" menu, and I entered my own NAT
> mappings for the LANs.
> I've entered simple firewall rules for all interfaces (permit any
> protocol from any to any).
> Everything works fine for the LANs with private IPs (DHCP, DNS, traffic
> shaping). But hosts with public IPs in the DMZ are not accessible from outside
> (and can't connect to anywhere outside).
> I can ping the DMZ IPs from the router, I can ping the WAN IP from the DMZ, I can ping
> any outside IP from the WAN interface, but I can't ping anything outside
> from the DMZ (or from the router's DMZ interface)...
> I'm using version 1.3b4 of the software; I've read the handbook at
> http://doc.m0n0.ch/handbook/nat-outbound.html , and I've read the m0n0 forums...
> 1. Maybe I've missed something else?
> 2. How can I diagnose this problem? (I can't use the NAT 1:1 solution)
If you're using public IPs in your DMZ then you don't need NAT at all.
You can either bridge one of your DMZ interfaces to the WAN (but not
both), or you can give your DMZ interfaces each its own subnet and
public IP address within said subnet. Either way, no NAT.
The former option is simple but, as noted, will only work to bridge a
pair of interfaces. No firewall rules to set up, no routing really.
Your DMZ machines act as if they are on the same network as mono's
WAN. If you enable mono's filtering bridge option you can then do
shaping and filtering on your bridged interface. One disadvantage to
this approach is that LAN clients cannot access hosts on the DMZ.
The latter option takes a little more effort to set up and maintain,
but gives you more control of firewalling between your two DMZs and
the other interfaces.
I recommend you seriously consider whether you need two separate DMZs
and perhaps just use a single DMZ bridged to WAN, and a switch on the
DMZ side to accommodate whatever you're connecting to it.
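A small configuration check for the routed option described in the reply above (each DMZ on its own public subnet, outbound NAT only for the private LANs), written as an added example in Python; it is not m0n0wall code, and the interface names, address ranges and the mapping format are constructed assumptions, not the poster's real configuration.

```python
import ipaddress
from itertools import combinations

# RFC 1918 ranges: what the thread calls "private IPs" and what does need outbound NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed topology modelled on the thread (documentation address ranges, not the
# poster's real ones): a public WAN address, two private LANs, two routed DMZs.
INTERFACES = {
    "wan":  "198.51.100.2/24",
    "lan1": "192.168.1.1/24",
    "lan2": "192.168.2.1/24",
    "dmz1": "203.0.113.1/28",
    "dmz2": "203.0.113.17/28",
}

# Advanced outbound NAT mappings as (interface, source network, translate-to address).
OUTBOUND_NAT = [
    ("wan", "192.168.1.0/24", "198.51.100.2"),
    ("wan", "192.168.2.0/24", "198.51.100.2"),
]

def is_rfc1918(net):
    return any(net.overlaps(p) for p in RFC1918)

def is_dmz(name):
    return name.startswith("dmz")

def check_routed_dmz(interfaces, outbound_nat):
    """Return a list of problems; an empty list means the 'no NAT for DMZ' design holds."""
    problems = []
    nets = {n: ipaddress.ip_interface(c).network for n, c in interfaces.items()}
    # A routed DMZ needs a public subnet of its own: not RFC 1918, and not overlapping
    # the WAN subnet or any other interface (an overlap calls for bridging instead).
    for name, net in nets.items():
        if is_dmz(name) and is_rfc1918(net):
            problems.append(f"{name}: {net} is a private range; a routed DMZ needs public addresses")
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if (is_dmz(a) or is_dmz(b)) and na.overlaps(nb):
            problems.append(f"{a} ({na}) overlaps {b} ({nb}); each routed DMZ needs its own subnet")
    # Outbound NAT must never match DMZ sources: public hosts are reached directly.
    for iface, src, target in outbound_nat:
        src_net = ipaddress.ip_network(src)
        for name, net in nets.items():
            if is_dmz(name) and src_net.overlaps(net):
                problems.append(f"NAT rule {src} -> {target} on {iface} would translate {name} traffic; remove it")
    # Conversely, every private (non-DMZ) subnet still needs a mapping or it loses Internet access.
    for name, net in nets.items():
        if not is_dmz(name) and is_rfc1918(net) and not any(
                ipaddress.ip_network(s).overlaps(net) for _, s, _ in outbound_nat):
            problems.append(f"{name}: private {net} has no outbound NAT mapping")
    return problems

if __name__ == "__main__":
    for line in check_routed_dmz(INTERFACES, OUTBOUND_NAT) or ["OK: DMZs are routed without NAT"]:
        print(line)
```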