Adam Piasecki wrote:
> Vincent R Ragosta wrote:
>> Okay, so I know enough about networking to shoot myself in the foot.
>> So, before pulling the trigger, I wanted to run this by more
>> knowledgeable individuals than I.
>> I'm trying to secure my small business's network more than it currently
>> is. Right now, I simply have a Cisco 871 that is using NAT to service
>> the entire LAN. But, we have been allocated a x.x.x.x/29 network, so I
>> have a couple of static IP addresses to work with. As a result, I was
>> wondering if it would be possible to have a topology similar to this:
>>                           (bridged)              (Inbound NAT)
>> T1-->Cisco 871 (IP filter)---------->MonoWall--------------->LAN
>>                                         |
>>                                         | (1:1 NAT)
>>                                         v
>>                                        DMZ
>> So, essentially I want to use the Cisco 871 as a simple IP filter and
>> have 3 interfaces on the MonoWall firewall. One interface would be
>> bridged to the Cisco, one interface would be servicing the LAN using
>> inbound NAT, and the last interface would be hosting public servers
>> using 1:1 NAT. Is this configuration possible? Is it possible to
>> allocate one public IP address to service the LAN and several different
>> public IP addresses to handle the DMZ? If this is possible, how (at a
>> very high level)? Would I need to further subnet my public IP address
>> allocation across the LAN and DMZ interfaces?
>> Forgive me if I said something stupid... Just trying my best to get this
>> setup a bit better. Thanks!
> No need to subnet the public further; you'll assign one IP to the WAN
> interface, and then the additional IPs will be virtual IPs in monowall
> that will do 1:1 NAT. At least that's how it works in pfSense. (based on
> Your LAN will use the WAN IP for NAT.
I have a similar setup. I have a Cisco 837 essentially acting as a
bridge, with the same IP address on the ADSL and Ethernet interfaces.
I then have m0n0wall with three NICs. OPT1 is bridged to WAN which
means that there's no need to use DNS overrides for LAN machines
accessing services on OPT1 (you need to configure advanced NAT and
ensure that traffic from LAN to OPT1 isn't NATed). This setup also
plays well with SIP.
This setup works well except that I discovered (this is certainly true
for m0n0wall 1.2 - not tried it on 1.3) that you must use physical
interfaces for the two interfaces that are bridged - VLAN tagged
interfaces can't be bridged.
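To make the addressing and NAT policy discussed above concrete, here is an added example (not code from the thread or from m0n0wall/pfSense) that models it in Python: the /29 is carved without subnetting into one WAN address plus virtual IPs mapped 1:1 onto DMZ hosts, LAN traffic is masqueraded behind the single WAN address, and LAN-to-OPT1 traffic is exempted the way the advanced outbound NAT rule does. All addresses are constructed from the RFC 5737 documentation ranges, the LAN/DMZ subnets and DMZ host list are assumptions, and so is the choice that the upstream keeps the first usable address of the block for its gateway. The case of a LAN host talking to one of the public virtual IPs is flagged as the one a 1:1 design handles with DNS overrides, which the bridged-OPT1 setup sidesteps.

```python
"""Address plan and NAT policy model for a /29 behind an m0n0wall-style firewall.

Added example, not code from the thread. Addresses are constructed
(RFC 5737 documentation ranges); zone names follow m0n0wall's
wan/lan/opt1 convention. Which public address the upstream keeps for
its gateway is an assumption, as is the rule ordering.
"""
import ipaddress
from dataclasses import dataclass

PUBLIC_BLOCK = ipaddress.ip_network("198.51.100.0/29")   # stands in for x.x.x.x/29
LAN_NET = ipaddress.ip_network("192.168.1.0/24")          # assumed LAN subnet
DMZ_NET = ipaddress.ip_network("10.0.0.0/24")             # assumed OPT1/DMZ subnet
DMZ_HOSTS = ["10.0.0.10", "10.0.0.11"]                    # assumed public servers


def plan_addresses(block=PUBLIC_BLOCK, dmz_hosts=DMZ_HOSTS):
    """Carve the block without subnetting: one address for the WAN interface,
    the remaining usable addresses become virtual IPs mapped 1:1 onto DMZ hosts.

    Returns (upstream_gw, wan_ip, {public_vip: dmz_host}).
    Assumption: the upstream keeps the first usable address as its gateway.
    """
    usable = list(block.hosts())          # excludes network and broadcast
    if len(usable) < 2 + len(dmz_hosts):
        raise ValueError(f"{block} has {len(usable)} usable addresses, "
                         f"need {2 + len(dmz_hosts)}")
    upstream_gw, wan_ip, *spare = usable
    one_to_one = {str(pub): host for pub, host in zip(spare, dmz_hosts)}
    return str(upstream_gw), str(wan_ip), one_to_one


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def zone(addr):
    """Map an address to the firewall zone it belongs to."""
    a = ipaddress.ip_address(addr)
    if a in LAN_NET:
        return "lan"
    if a in DMZ_NET:
        return "opt1"
    return "wan"


def translate(pkt, wan_ip, one_to_one):
    """Return (translated_packet, rule_name) under the policy from the thread:
    1:1 NAT for DMZ hosts, LAN->OPT1 exempt from outbound NAT, and everything
    else from the LAN masqueraded behind the single WAN address."""
    private_to_public = {v: k for k, v in one_to_one.items()}
    src_zone, dst_zone = zone(pkt.src), zone(pkt.dst)
    # 1:1 inbound: traffic from the Internet to a virtual IP reaches the DMZ host.
    if src_zone == "wan" and pkt.dst in one_to_one:
        return Packet(pkt.src, one_to_one[pkt.dst]), "1:1 inbound"
    # 1:1 outbound: the DMZ host leaves with its own public address, not the WAN IP.
    if pkt.src in private_to_public and dst_zone == "wan":
        return Packet(private_to_public[pkt.src], pkt.dst), "1:1 outbound"
    # Advanced outbound NAT exemption: LAN reaches DMZ hosts by their real addresses.
    if src_zone == "lan" and dst_zone == "opt1":
        return pkt, "no NAT (LAN->OPT1)"
    # LAN to anything public, including a virtual IP, is masqueraded behind the
    # WAN address; LAN->VIP is the case a 1:1 design covers with DNS overrides.
    if src_zone == "lan" and dst_zone == "wan":
        return Packet(wan_ip, pkt.dst), "masquerade"
    return pkt, "untranslated"


if __name__ == "__main__":
    gw, wan, vips = plan_addresses()
    print("upstream gw", gw, "wan", wan, "1:1 map", vips)
    first_vip = next(iter(vips))
    for p in (Packet("203.0.113.5", first_vip),      # Internet -> DMZ server
              Packet("10.0.0.10", "203.0.113.5"),    # DMZ server -> Internet
              Packet("192.168.1.20", "10.0.0.10"),   # LAN -> DMZ, no NAT
              Packet("192.168.1.20", "203.0.113.5"), # LAN -> Internet
              Packet("192.168.1.20", first_vip)):    # LAN -> public VIP
        print(p, "->", *translate(p, wan, vips))
```

Run it as a script to print the plan and the five sample flows; the only non-standard-library dependency is none, so it runs offline.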