 From:  "m.ismael" <m dot ismael at gmail dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Theoretical Topology
 Date:  Mon, 22 Feb 2010 08:22:46 +0200
Adam Piasecki wrote:

> Vincent R Ragosta wrote:
>> Okay, so I know enough about networking to shoot myself in the foot.
>> So, before pulling the trigger, I wanted to run this by more
>> knowledgeable individuals than I.
>>
>> I'm trying to secure my small business's network more than it currently
>> is.  Right now, I simply have a Cisco 871 that is using NAT to service
>> the entire LAN.  But, we have been allocated a x.x.x.x/29 network, so I
>> have a couple of static IP addresses to work with.  As a result, I was
>> wondering if it would be possible to have a topology similar to this:
>>
>>                            (bridged)          (Inbound NAT)
>> T1-->Cisco 871 (IP filter)---------->MonoWall--------------->LAN
>>                                         |
>>                                         | (1:1 NAT)
>>                                         |
>>                                        DMZ
>>
>> So, essentially I want to use the Cisco 871 as a simple IP filter and
>> have 3 interfaces on the MonoWall firewall.  One interface would be
>> bridged to the Cisco, one interface would be servicing the LAN using
>> inbound NAT, and the last interface would be hosting public servers
>> using 1:1 NAT.  Is this configuration possible?  Is it possible to
>> allocate one public IP address to service the LAN and several different
>> public IP addresses to handle the DMZ?  If this is possible, how (at a
>> very high level)?  Would I need to further subnet my public IP address
>> allocation across the LAN and DMZ interfaces?



I have a setup like this. I have a /29 subnet and my connection is made via

So I configured my modem as an LLC bridge with the VPI/VCI values,

Then I had m0n0wall like this:

WAN : pppoe
LAN : Captive portal
DMZ : holds the public IPs and acts as gateway for the /29 subnet,
      to which I connect a web server that holds the domain name.

In m0n0wall 1:1 NAT I added the /29 subnet as both the external and the
internal network on the WAN interface; this disabled NAT for that subnet.

After that I needed to do NAT on one of the public IPs to publish a service
on a device connected to the LAN interface, so I changed the 1:1 NAT and
only disabled NAT for the web server IP, which made the 1:1 rule look like
this:

Interface         external IP       internal IP
WAN               196.xx.xx.xx/32   196.xx.xx.xx/32


And at the same time I could use another IP of the /29 subnet in server NAT
and do all my special NAT on it.


Best Regards.

Mohammed Ismail


Note: sorry Neil for the wrong reply to your address, I always mess it up.
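The change described in the reply above (narrowing a 1:1 NAT entry from the whole /29 to a single /32 so that the remaining public addresses can be used by server NAT) is the kind of thing worth checking before committing a firewall config. The following Python script is an added example, not part of the mailing-list post and not m0n0wall code. It models both rule sets and reports which public addresses of the allocation are claimed by a 1:1 entry and which server NAT (port forward) rules collide with one. It assumes, as the post implies, that a public IP covered by a 1:1 external network is not available for a separate server NAT rule; the addresses are constructed from the 203.0.113.0/24 documentation range rather than the poster's 196.x.x.x block.

```python
"""Overlap check between 1:1 NAT entries and server NAT (port-forward)
targets on a /29 public allocation, modelled on the m0n0wall setup in the
post above. Added example; not the poster's or m0n0wall's code.

Assumption (implied by the post, not verified against m0n0wall source):
a public IP inside a 1:1 NAT entry's external network is claimed by that
entry, so a server NAT rule for the same IP conflicts with it.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class OneToOne:
    """One row of the m0n0wall 1:1 NAT table."""
    interface: str
    external: ipaddress.IPv4Network
    internal: ipaddress.IPv4Network

@dataclass(frozen=True)
class ServerNat:
    """One server NAT (inbound port-forward) rule."""
    external_ip: ipaddress.IPv4Address
    proto: str
    port: int
    target: ipaddress.IPv4Address

def claimed_by_1to1(rules: List[OneToOne], ip: ipaddress.IPv4Address) -> List[OneToOne]:
    """1:1 entries whose external network covers this public IP."""
    return [r for r in rules if ip in r.external]

def free_public_ips(allocation: ipaddress.IPv4Network,
                    rules: List[OneToOne]) -> List[ipaddress.IPv4Address]:
    """Usable hosts of the allocation not covered by any 1:1 external net."""
    return [h for h in allocation.hosts() if not claimed_by_1to1(rules, h)]

def check_server_nat(rules: List[OneToOne],
                     forwards: List[ServerNat]) -> List[Tuple[ServerNat, OneToOne]]:
    """Every (server NAT rule, 1:1 entry) pair that targets the same public IP."""
    conflicts = []
    for fwd in forwards:
        for r in claimed_by_1to1(rules, fwd.external_ip):
            conflicts.append((fwd, r))
    return conflicts

# Constructed sample data (documentation range, not the poster's addresses).
ALLOCATION = ipaddress.ip_network("203.0.113.0/29")
WEB_SERVER = ipaddress.ip_address("203.0.113.2")      # DMZ host, no NAT wanted
FORWARD_IP = ipaddress.ip_address("203.0.113.3")      # public IP for LAN service
LAN_DEVICE = ipaddress.ip_address("192.168.1.10")

# "Before": the whole /29 mapped 1:1 onto itself on WAN, as in the post.
BEFORE_1TO1 = [OneToOne("WAN", ALLOCATION, ALLOCATION)]
# "After": only the web server's /32 is exempted from NAT.
AFTER_1TO1 = [OneToOne("WAN",
                       ipaddress.ip_network(f"{WEB_SERVER}/32"),
                       ipaddress.ip_network(f"{WEB_SERVER}/32"))]
# The server NAT rule the poster wanted to add for a LAN device.
FORWARDS = [ServerNat(FORWARD_IP, "tcp", 443, LAN_DEVICE)]

def before_conflicts() -> List[Tuple[ServerNat, OneToOne]]:
    return check_server_nat(BEFORE_1TO1, FORWARDS)

def after_conflicts() -> List[Tuple[ServerNat, OneToOne]]:
    return check_server_nat(AFTER_1TO1, FORWARDS)

def free_after() -> List[ipaddress.IPv4Address]:
    return free_public_ips(ALLOCATION, AFTER_1TO1)

if __name__ == "__main__":
    for label, rules in (("before", BEFORE_1TO1), ("after", AFTER_1TO1)):
        print(f"[{label}] free public IPs:",
              ", ".join(str(ip) for ip in free_public_ips(ALLOCATION, rules)) or "none")
        for fwd, r in check_server_nat(rules, FORWARDS):
            print(f"[{label}] CONFLICT: server NAT {fwd.proto}/{fwd.port} on "
                  f"{fwd.external_ip} overlaps 1:1 entry {r.external} on {r.interface}")
```

Run it as a script to see that the /29-wide entry leaves no public address free and collides with the port forward, while the /32 entry leaves five of the six usable addresses for server NAT. The same check generalises to any mix of 1:1 entries and forwards; feed it the rows from your own tables before applying them.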