 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Theoretical Topology
 Date:  Sun, 21 Feb 2010 19:58:03 -0500
Adam Piasecki wrote:
> Vincent R Ragosta wrote:
>> Okay, so I know enough about networking to shoot myself in the foot.
>> So, before pulling the trigger, I wanted to run this by more
>> knowledgeable individuals than I.
>> I'm trying to secure my small business's network more than it currently
>> is.  Right now, I simply have a Cisco 871 that is using NAT to service
>> the entire LAN.  But, we have been allocated a x.x.x.x/29 network, so I
>> have a couple of static IP addresses to work with.  As a result, I was
>> wondering if it would be possible to have a topology similar to this:
>>                            (bridged)          (Inbound NAT)
>> T1-->Cisco 871 (IP filter)---------->MonoWall--------------->LAN
>>                                         |
>>                                         | (1:1 NAT)
>>                                         |
>>                                        DMZ
>> So, essentially I want to use the Cisco 871 as a simple IP filter and
>> have 3 interfaces on the MonoWall firewall.  One interface would be
>> bridged to the Cisco, one interface would be servicing the LAN using
>> inbound NAT, and the last interface would be hosting public servers
>> using 1:1 NAT.  Is this configuration possible?  Is it possible to
>> allocate one public IP address to service the LAN and several different
>> public IP addresses to handle the DMZ?  If this is possible, how (at a
>> very high level)?  Would I need to further subnet my public IP address
>> allocation across the LAN and DMZ interfaces?
>> Forgive me if I said something stupid...Just trying my best to get this
>> setup a bit better.  Thanks!
>> Vincent
> No need to subnet the public further, you'll assign one IP to the WAN 
> interface, and then the additional IPs will be virtual IPs in monowall 
> that will do 1:1 NAT.  At least that's how it works in pfSense (based on 
> m0n0wall).
> Your LAN will use the WAN IP for NAT.

I have a similar setup.  I have a Cisco 837 essentially acting as a 
bridge, with the same IP address on the ADSL and Ethernet interfaces.

I then have m0n0wall with three NICs.  OPT1 is bridged to WAN which 
means that there's no need to use DNS overrides for LAN machines 
accessing services on OPT1 (you need to configure advanced NAT and 
ensure that traffic from LAN to OPT1 isn't NATed).  This setup also 
plays well with SIP.

This setup works well except that I discovered (this is certainly true 
for m0n0wall 1.2 - not tried it on 1.3) that you must use physical 
interfaces for the two interfaces that are bridged - VLAN tagged 
interfaces can't be bridged.
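The NAT policy the two replies describe, written out in pf syntax (the grammar pfSense, which Adam mentions, used at the time) as an added example; it is not the rule set m0n0wall itself generates. Interface names and addresses are placeholders: 203.0.113.0/29 stands in for the allocated public /29, 192.168.1.0/24 for the LAN.

```pf
# Added example in pf syntax, not m0n0wall's own configuration. Interface
# names and addresses are placeholders: 203.0.113.0/29 stands in for the
# allocated public /29, with the Cisco at .1 and the m0n0wall WAN at .2.
ext_if  = "sis0"            # WAN, bridged with OPT1
lan_if  = "sis1"            # LAN, private address space
dmz_if  = "sis2"            # OPT1, bridged to WAN; hosts carry public addresses
wan_ip  = "203.0.113.2"
dmz_net = "203.0.113.0/29"
lan_net = "192.168.1.0/24"

# pf evaluates NAT rules first-match, so the exemption must precede the
# catch-all: LAN -> DMZ traffic keeps its real source address, which is the
# "ensure that traffic from LAN to OPT1 isn't NATed" step from the reply above.
no nat on $ext_if from $lan_net to $dmz_net
# Everything else leaving the LAN hides behind the single WAN address.
nat on $ext_if from $lan_net to any -> $wan_ip

# The variant the original poster sketched: a private DMZ with spare /29
# addresses mapped 1:1 (virtual IPs). Not needed with the bridged OPT1 above.
# binat on $ext_if from 10.0.0.10 to any -> 203.0.113.3

# Filtering: default deny, LAN and DMZ may initiate outbound, and DMZ hosts
# are reachable from outside only on the services deliberately published.
block in all
pass out all keep state
pass in on $lan_if from $lan_net to any keep state
pass in on $dmz_if from $dmz_net to any keep state
pass in on $ext_if proto tcp from any to 203.0.113.3 port { 80, 443 } keep state
pass in on $ext_if proto tcp from any to 203.0.113.4 port 25 keep state
```

Because the WAN and OPT1 interfaces are bridged, packets for a DMZ host arrive on the WAN interface and are forwarded at layer 2, so the inbound filter rules are written against $ext_if rather than $dmz_if.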