Thanks very much for your time on this. I have a few additional questions,
assuming you've got more patience.
On 12/6/07, Neil A. Hillard <m0n0 at dana dot org dot uk> wrote:
> In message
> <ae0fb5cd0712061423s63ad20acr1145b26bb21eca99 at mail dot gmail dot com>,
> F. Dudley Jr. <wfdudley at gmail dot com> writes
> >Here's the setup I have with my current LRP firewall/router:
> >static IP /28 block from my ISP (also, conveniently, my employer)
> >Pipeline 130 T1 interface is sss.sss.sss.17
> >WAN side of my LRP box: sss.sss.sss.18
> >LAN side of my LRP box: 192.168.1.0/24, router/gateway is 192.168.1.254
> >The 192 lan is where the Windows machines that my wife uses are quarantined.
> >The Third port of my LRP box is for the routable IPs: sss.sss.sss.18.
> >Attached are machines (a mix of Linux and FreeBSD) responding to
> >sss.sss.sss.19-30 (31 is broadcast, obviously).
> >So the first questions are:
> >1. What should I set the address of the WAN port on the m0n0wall to:
> >I'd expect it to be: sss.sss.sss.18 / 28? 32?
> >I have the gateway set to sss.sss.sss.17, the Pipeline 130.
> Correct: WAN = sss.sss.sss.18 / 28, gateway = sss.sss.sss.17
> >2. What should I set the address of the ROUTABLE port m0n0wall to:
> >I'd expect, based on the LRP box, to set it to sss.sss.sss.18/28.
> I'm not entirely sure what the 'routable port' is. Do you mean the
> third interface? If so, set it to bridged to WAN - it won't have an IP
Yes, the third interface to the machines with routable IPs, what some call
the DMZ, though I'm not sure that's really correct here.
> >3. Will I have to reboot all the machines on the inside so they
> >work when I switch firewalls, or can I just configure this and drop
> >it in?
> As you are swapping machines with the same IP address then you'll need
> to clear the ARP caches on the client machines or wait for them to
> expire. You will also need to clear the ARP cache on your T1 router,
> otherwise it will be attempting to talk to the LRP box which is no
> longer there.
> >4. If I ping the WAN address from the outside world, should I expect to
> >get a response?
> No. By default all access from WAN is dropped.
Is there any way to turn on icmp response from the WAN port? Or is that
really a bad idea? I like to be able to verify the link to the router, is all.
> >5. Do I need to set any static routes? I'm guessing not.
> >6. What are minimum rules that I need to put in the firewall ruleset to get
> >some traffic through? I've added some, but obviously have no idea what
> >I'm doing or I wouldn't be writing this. Once I have something basic
> >running, I'm confident I can add a rule to open a port for, say, ssh
> >to a particular machine on my "routable IP" segment.
> The default rule will allow all access from LAN so you should be able
> to access the Internet from a machine on your LAN.
> >7. What NAT settings should I be using? I've chosen:
> >"Enable advanced outbound NAT" and then added a "rule" that says:
> >Interface=WAN, Source=192.168.1.0/24, Dest=*, Target=*
> OK. That would be the default if you'd have left advanced NAT disabled.
> What you'll need (so you can access the devices on your DMZ) is:
> Interface: WAN
> Source: 192.168.1.0/24
> Destination: NOT Network sss.sss.sss.16/28
> and leave all other options alone (but feel free to enter a
So do I need this rule in *addition* to the one I had:
Interface=WAN, Source=192.168.1.0/24, Dest=*, Target=*
Or does your rule replace it? And do I want advanced NAT enabled or
disabled? The docs suggested to me that I did want it, because (I think)
my gateway address is inside of my block of IPs, and not separate.
> >8. What Proxy ARP settings should I be using? I have no idea here,
> >after reading Proxy ARP stuff on the m0n0wall site and also other places
> >online. LRP just had "on/off" as a choice, so I'm mystified here.
> >(And please tell me exactly what to put on the form, as I've not
> >been able to match up what people write in the m0n0wall mailing list
> >archives with the actual values that one would put in the web form.)
> None. You shouldn't need any.
> You will probably want to tick 'Enable filtering bridge' under System |
> Advanced. You will then need to add relevant rules to m0n0wall to allow
> access to / from the devices in your DMZ.
> I have this type of configuration (albeit with a /29) and it works a
I'm trying it out now, even as I write this.
> Neil A. Hillard E-Mail: m0n0 at dana dot org dot uk
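As an added illustration of the addressing and NAT questions in this thread (this is example code, not anything from the thread or from m0n0wall itself): the script below works out the facts of a /28 block that the WAN-port and gateway questions turn on, and then evaluates two outbound NAT rules, the `Dest=*` rule as originally entered and the `Destination: NOT Network .../28` rule from the reply, against a LAN host talking to a DMZ host and to an Internet host. The addresses are constructed stand-ins from the RFC 5737 documentation ranges (203.0.113.16/28 plays the `sss.sss.sss.16/28` block, 198.51.100.7 plays an arbitrary Internet host), and the rule semantics are an assumption: a packet is translated to the WAN address if any rule matches its interface, source, and (possibly negated) destination.

```python
"""Added example: /28 addressing facts and outbound-NAT rule evaluation.
Not code from the mailing-list thread or from m0n0wall."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_interface, ip_network
from typing import List, Optional

# Constructed stand-ins for the thread's placeholders (RFC 5737 documentation ranges):
#   203.0.113.16/28 plays sss.sss.sss.16/28 (the ISP-assigned block)
#   198.51.100.7    plays an arbitrary host on the Internet
WAN_IF = "203.0.113.18/28"          # the m0n0wall WAN port, stands in for sss.sss.sss.18/28
GATEWAY = "203.0.113.17"            # the T1 router, stands in for sss.sss.sss.17
LAN = ip_network("192.168.1.0/24")  # the quarantined Windows LAN from the thread
PUBLIC_BLOCK = ip_interface(WAN_IF).network


def describe_block(interface_cidr: str) -> dict:
    """Network, broadcast and usable-host facts for an interface address like a.b.c.18/28."""
    net = ip_interface(interface_cidr).network
    hosts = list(net.hosts())
    return {
        "network": str(net),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "usable_hosts": len(hosts),
    }


def gateway_in_block(interface_cidr: str, gateway: str) -> bool:
    """True when the upstream router's address lies inside the WAN port's own subnet."""
    return ip_address(gateway) in ip_interface(interface_cidr).network


@dataclass
class NatRule:
    """One advanced outbound NAT rule as it appears in the web form."""
    interface: str
    source: IPv4Network
    destination: Optional[IPv4Network]  # None stands for '*' (any) in the form
    negate_destination: bool = False    # 'NOT Network ...' in the form

    def matches(self, interface: str, src: IPv4Address, dst: IPv4Address) -> bool:
        if interface != self.interface or src not in self.source:
            return False
        if self.destination is None:
            return True
        in_dest = dst in self.destination
        return (not in_dest) if self.negate_destination else in_dest


def translated(rules: List[NatRule], interface: str, src: str, dst: str) -> bool:
    """Assumption: the packet's source is rewritten to the WAN address if any rule matches."""
    s, d = ip_address(src), ip_address(dst)
    return any(r.matches(interface, s, d) for r in rules)


# Rule as originally entered in the thread: Interface=WAN, Source=192.168.1.0/24, Dest=*
RULE_ANY = NatRule("WAN", LAN, None)
# Rule suggested in the reply: Destination = NOT Network sss.sss.sss.16/28
RULE_NOT_DMZ = NatRule("WAN", LAN, PUBLIC_BLOCK, negate_destination=True)


def compare_rules(dst: str, src: str = "192.168.1.10") -> dict:
    """Whether a LAN host's packet to dst is translated under each of the two rule forms."""
    return {
        "any": translated([RULE_ANY], "WAN", src, dst),
        "not_dmz": translated([RULE_NOT_DMZ], "WAN", src, dst),
    }


if __name__ == "__main__":
    print(describe_block(WAN_IF))
    print("gateway inside WAN block:", gateway_in_block(WAN_IF, GATEWAY))
    for target in ("203.0.113.20", "198.51.100.7"):   # a DMZ host, then an Internet host
        print(target, compare_rules(target))
```

Run as-is it reports that the block is 203.0.113.16/28 with broadcast .31 and fourteen usable hosts (.17 through .30), that the gateway sits inside the block, and that the `Dest=*` rule translates LAN traffic bound for the DMZ hosts as well as for the Internet, whereas the `NOT Network` rule translates only the Internet-bound traffic and leaves LAN-to-DMZ packets with their 192.168.1.x source.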