 From:  David Cook <david dot cook at jetpress dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] IP aliases on external interface
 Date:  Thu, 19 Feb 2004 08:43:17 -0000
Jason,

I agree that this departs from the way you would configure a lot of other
firewalls to achieve the same result, however Manuel has done it this way
for current and future flexibility. Have a look at his previous post
explaining why,
http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=32&actionargs[]=74.

I personally don't know of any other firewalls that allow complete subnet to
subnet NATing which you can achieve with 1:1 NAT. This makes life very easy
if you want a routed public subnet to be NATed to  private IP addresses on a
DMZ network. The public and private subnets just need to be of the same size
(same mask). 

You can also use some addresses with Inbound nat so different ports from the
same IP can be NATed to different internal hosts, at the same time as other
addresses with 1:1 nat so that all traffic on those IPs are NATed to the
same internal host. Internal hosts can be on the LAN or any other optional
interface.

If you want to use the public subnet addresses directly on the DMZ then just
enable Advanced Outbound NAT, don't Proxy ARP the subnet and m0n0wall will
route instead.

>-----Original Message-----
>From: Jason P Jones [mailto:jjones at integracon dot com]
>Sent: 19 February 2004 08:07
>To: 'David Cook'; m0n0wall at lists dot m0n0 dot ch
>Subject: RE: [m0n0wall] IP aliases on external interface
>
>
>Wouldn't this be a simple addition to the GUI for static IP configuration? I
>would think that this is a fairly common scenario for firewall users in the
>class that would look to M0n0wall.
>
>Jason P Jones
>MCSE+I,MCT,CCNA,LCP,CCA,CNA,CIWA,INET+,Network+,A+
>Integracon Technologies
>865.382.7400  
>
>-----Original Message-----
>From: David Cook [mailto:david dot cook at jetpress dot com] 
>Sent: Thursday, February 19, 2004 3:03 AM
>To: 'm0n0wall at lists dot m0n0 dot ch'
>Subject: RE: [m0n0wall] IP aliases on external interface
>
>
>Hi Jason,
>
>Yes this is supported. You need to use Proxy ARP so that m0n0wall sends ARP
>replies on the WAN interface for IP addresses other than that specified in
>the WAN configuration. This is in effect 'binding' the multiple IPs to the
>WAN interface.
>
>Once additional IPs are configured in Proxy ARP then they can be used for
>NAT, either Inbound, Server NAT, 1:1 or Outbound. If you want to use Inbound
>NATing based on ports, don't forget that any IP address other than that
>specified in the WAN configuration needs to be configured in Server NAT.
>
>Bridging is only really appropriate if you want to assign IP addresses from
>the network on your WAN interface directly to hosts behind m0n0wall.
>
>
>>-----Original Message-----
>>From: Jason P Jones [mailto:jjones at integracon dot com]
>>Sent: 19 February 2004 07:44
>>To: m0n0wall at lists dot m0n0 dot ch
>>Subject: [m0n0wall] IP aliases on external interface
>>
>>
>>Are IP aliases (allowing multiple IP's bound to external interface) planned
>>in the future. I know that you can bridge a DMZ interface- but that's a
>>hack/kludge- not what I'm asking). I have several situations where 2-5 IP's
>>may be bound to external interfaces with ports being forwarded from
>>different external IP's to different internal hosts- EG.
>>X.X.X.5:80-->192.168.1.7:80 and X.X.X.5:80-->192.168.1.8:80 - etc. etc..
>>And this would open up a couple of new installs for m0n0wall in these cases
>>for these networks.
>>
>>Thanks!
>>
>>Jason P Jones
>>MCSE+I,MCT,CCNA,LCP,CCA,CNA,CIWA,INET+,Network+,A+
>>Integracon Technologies
>>865.382.7400
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>
>>
>>_______________________________________________________________
>>_________
>>This e-mail has been scanned for all viruses by Star Internet. The
>>service is powered by MessageLabs. For more information on a proactive
>>anti-virus service working around the clock, around the globe, visit:
>>http://www.star.net.uk
>>_______________________________________________________________
>>_________
>>
>

JET PRESS LIMITED
Nunn Close
Huthwaite
Nottinghamshire
NG17 2HW
UK

Web:	www.jetpress.com
Tel:	+44-1623-551 800
Fax: 	+44-1623-551 175


Confidentiality Notice 
This message and its contents are confidential.  The contents are solely for the attention of the
recipient(s) named above and any unauthorised disclosure, copying or distribution is forbidden.  If
you are not the recipient named above, please contact the sender immediately and destroy this
message.  The views expressed in this message are those of the sender and not necessarily those of
JET PRESS LIMITED.
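The thread describes three things an administrator has to keep consistent by hand: 1:1 NAT maps a public subnet onto a private subnet of the same mask (host bits preserved position by position), inbound NAT forwards individual ports of one public address to different internal hosts, and every public address used by either kind of rule must be answered on the WAN interface via Proxy ARP or it will never receive traffic. The following is an added example written for this page, not m0n0wall's own code or configuration format: it models those rules on constructed sample data (documentation address ranges, hypothetical hosts), resolves an incoming destination the way the thread explains the precedence (1:1 covers all ports of an address, inbound NAT is per port) and reports the two misconfigurations the thread warns about, a mask mismatch and an address that is used in NAT but not proxy-ARPed.

```python
import ipaddress

# Constructed sample configuration (documentation ranges, not a real network).
WAN_IP = "203.0.113.2"
PROXY_ARP = ["198.51.100.0/29", "203.0.113.5/32"]       # answered on WAN via Proxy ARP
ONE_TO_ONE = [("198.51.100.0/29", "10.10.10.0/29")]     # (public subnet, DMZ subnet)
INBOUND = [("203.0.113.5", 80, "192.168.1.7"),          # per-port forwards, same public IP
           ("203.0.113.5", 443, "192.168.1.8")]


def map_one_to_one(ext_net, int_net):
    """Return {public address: private address} for a 1:1 subnet mapping.

    Both subnets must have the same mask; host bits are carried over unchanged,
    so 198.51.100.3/29 -> 10.10.10.3/29.
    """
    ext = ipaddress.ip_network(ext_net)
    internal = ipaddress.ip_network(int_net)
    if ext.prefixlen != internal.prefixlen:
        raise ValueError("1:1 subnet NAT needs equal masks: %s vs %s" % (ext, internal))
    return {e: i for e, i in zip(ext, internal)}


def is_answered_on_wan(addr, wan_ip, proxy_arp):
    """True if the WAN interface will reply to ARP for this address."""
    a = ipaddress.ip_address(addr)
    return a == ipaddress.ip_address(wan_ip) or any(
        a in ipaddress.ip_network(net) for net in proxy_arp)


def resolve_inbound(dst_ip, dst_port, one_to_one, inbound):
    """Translate a (public destination, port) pair to (internal host, port).

    A 1:1 mapping takes every port of its address; inbound NAT matches one
    port of one address. Returns None when nothing matches.
    """
    dst = ipaddress.ip_address(dst_ip)
    for ext_net, int_net in one_to_one:
        mapping = map_one_to_one(ext_net, int_net)
        if dst in mapping:
            return str(mapping[dst]), dst_port
    for ext_ip, port, host in inbound:
        if ipaddress.ip_address(ext_ip) == dst and port == dst_port:
            return host, port
    return None


def check_config(wan_ip, proxy_arp, one_to_one, inbound):
    """Return a list of problems: mask mismatches, addresses used in NAT that
    the box will never ARP for, and inbound rules shadowed by a 1:1 mapping."""
    problems = []
    covered_by_1to1 = set()
    for ext_net, int_net in one_to_one:
        try:
            mapping = map_one_to_one(ext_net, int_net)
        except ValueError as err:
            problems.append(str(err))
            continue
        for a in mapping:
            covered_by_1to1.add(a)
            if not is_answered_on_wan(a, wan_ip, proxy_arp):
                problems.append("%s used in 1:1 NAT but not in Proxy ARP" % a)
    for ext_ip, port, host in inbound:
        a = ipaddress.ip_address(ext_ip)
        if not is_answered_on_wan(a, wan_ip, proxy_arp):
            problems.append("%s:%d forwarded to %s but not in Proxy ARP" % (a, port, host))
        if a in covered_by_1to1:
            problems.append("%s:%d inbound rule shadowed by 1:1 NAT" % (a, port))
    return problems


def demo_bad_config():
    """Constructed broken configuration: /29 mapped onto a /28, and a
    forwarded address nobody answers ARP for. Returns the problem list."""
    return check_config(WAN_IP, PROXY_ARP,
                        [("198.51.100.0/29", "10.10.10.0/28")],
                        [("203.0.113.9", 80, "192.168.1.9")])


if __name__ == "__main__":
    print(resolve_inbound("198.51.100.3", 22, ONE_TO_ONE, INBOUND))
    print(resolve_inbound("203.0.113.5", 443, ONE_TO_ONE, INBOUND))
    print("sample config problems:", check_config(WAN_IP, PROXY_ARP, ONE_TO_ONE, INBOUND))
    print("broken config problems:", demo_bad_config())
```

`check_config` is the piece worth keeping around: run it over the rule set before applying it, and an address that is forwarded but never proxy-ARPed (traffic silently goes nowhere) or an inbound rule that a 1:1 mapping already swallows shows up as a line of output rather than as a mysterious outage.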