 From:  Christiaens Joachim <jchristi at oce dot be>
 To:  "'Juergen Moellenhoff'" <jm at oic dot de>, m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] How to configure MonoWall for public IPs on LAN/DMZ?
 Date:  Thu, 25 Mar 2004 17:18:49 +0100
> -----Original Message-----
> From: Juergen Moellenhoff [mailto:jm at oic dot de]
> Sent: donderdag 25 maart 2004 17:03
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] How to configure MonoWall for public IPs on LAN/DMZ?
>
> Hi,
>
> I searched the mailing list and saw that it's possible to turn off the
> NAT feature of MonoWall so that I can use public IPs on the LAN/DMZ
> interface (with Smoothwall or IPCop I can't do this), and now I just try
> to figure out how to configure everything correctly (I'm a network noob :)).
>
> My net/configuration for MonoWall looks like this:
>
> LAN:
> Net:      xxx.xxx.240.0
> Netmask:  or /25
> Range:    xxx.xxx.240.1 to xxx.xxx.240.126
> LAN-IP:   xxx.xxx.240.1
>
> WAN:
> Net:      xxx.xxx.233.8
> Netmask:  or /30
> Gateway:  xxx.xxx.233.9
> WAN-IP:   xxx.xxx.233.10
>
> I thought to cut some IPs from the LAN net for the DMZ, for example the
> range from xxx.xxx.240.113 to xxx.xxx.240.126 (Net xxx.xxx.240.112,
> Netmask or /28), but I don't know if this really works because the LAN
> still has the range from 1 to 126 through the /25 mask, and when I use a
> /26 mask the range is too small. Is there another solution, or is it not
> a problem at all?
>
> For the "rest" I just have to turn on "Enable advanced outbound NAT" so
> that MonoWall uses no NAT, right? And then I can add rules to Block/Pass
> traffic for LAN/DMZ/WAN?
>
> Is this in short the way I can configure MonoWall for public IPs on
> LAN/DMZ, or is there something I missed? I'm open to any suggestions,
> especially for the DMZ part.
>
> Bye,
>    Jürgen

Hi Jürgen,

Your conclusions seem correct.

You will have problems with overlapping subnets, as the hosts in the /25
subnet will 'think' the hosts in the overlapping /28 subnet are connected
locally, and thus not use the default gateway.

Another approach would be to bridge the DMZ with the LAN interface. When you
enable the filtering bridge, you could do firewalling between DMZ, LAN and
WAN, AND not be dependent on subnets to divide your public subnet between
your DMZ and your LAN.

Hope this helps,

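The overlap problem Joachim describes, as an added example that is not part of the thread: a /28 carved from inside the LAN /25 is still "on-link" from every LAN host's point of view, so those hosts ARP for DMZ addresses instead of sending to the gateway. The prefixes below are constructed from the documentation range 192.0.2.0/24 because the original post redacts its real prefix as xxx.xxx; the helper names are mine.

```python
# Added example (not from the thread). Checks whether a DMZ subnet carved out of
# the LAN subnet overlaps it, shows how a LAN host would treat a DMZ address, and
# finds one non-overlapping LAN/DMZ split of a public block.
# Addresses are constructed from 192.0.2.0/24 (RFC 5737 documentation range).
import ipaddress


def next_hop(src_iface: str, dst: str) -> str:
    """Return how a host configured with src_iface (e.g. '192.0.2.5/25') reaches dst.

    'on-link'  -> the host ARPs for dst directly and never consults its gateway,
                  which is why a DMZ that overlaps the LAN prefix but sits behind
                  the firewall becomes unreachable from LAN hosts.
    'gateway'  -> dst is outside the host's own prefix, so it is routed normally.
    """
    iface = ipaddress.ip_interface(src_iface)
    return "on-link" if ipaddress.ip_address(dst) in iface.network else "gateway"


def overlap_report(lan: str, dmz: str) -> dict:
    """Report whether the two prefixes overlap and whether dmz lies inside lan."""
    lan_net = ipaddress.ip_network(lan, strict=False)
    dmz_net = ipaddress.ip_network(dmz, strict=False)
    return {
        "overlap": lan_net.overlaps(dmz_net),
        "dmz_inside_lan": dmz_net.subnet_of(lan_net),
    }


def split_non_overlapping(block: str, lan_prefix: int, dmz_prefix: int):
    """Carve a LAN /lan_prefix and a DMZ /dmz_prefix out of block without overlap.

    Returns (lan, dmz) as strings, or None when both cannot fit.  The LAN is the
    first subnet of its size; the DMZ is the first subnet of its size that does
    not overlap the LAN.  Both prefixes must be longer than the block's own.
    """
    net = ipaddress.ip_network(block)
    if lan_prefix <= net.prefixlen or dmz_prefix <= net.prefixlen:
        return None
    lan = next(net.subnets(new_prefix=lan_prefix))
    for cand in net.subnets(new_prefix=dmz_prefix):
        if not cand.overlaps(lan):
            return str(lan), str(cand)
    return None


if __name__ == "__main__":
    # The layout from the original post, with constructed addresses.
    print(overlap_report("192.0.2.0/25", "192.0.2.112/28"))
    print(next_hop("192.0.2.5/25", "192.0.2.120"))        # on-link: gateway bypassed
    print(split_non_overlapping("192.0.2.0/25", 26, 28))  # one disjoint LAN/DMZ pair
```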