so this means I could use the /25 LAN-Net with the /28 DMZ-Net when I
use the filtering bridge (between LAN/DMZ)? The settings for the LAN
would be the same (see below) and for the DMZ I could use
Netmask: 255.255.255.240 or /28
Range: xxx.xxx.240.113 - xxx.xxx.240.126
And this way I can reach the systems in the DMZ from the WAN and the
opposite way? Hmmm... the filtering bridge is open per default which
means no rules that block traffic, right?
Is another option to use private IPs just for the DMZ? And then I must
forward certain public IPs from the WAN (but of course from the public
IP-Range of the LAN) to the private IPs in the DMZ? Is this an option
that could work?
Btw. thank's for the quick answer!
Christiaens Joachim wrote:
>>From: Juergen Moellenhoff [mailto:jm at oic dot de]
>>Sent: donderdag 25 maart 2004 17:03
>>To: m0n0wall at lists dot m0n0 dot ch
>>Subject: [m0n0wall] How to configure MonoWall for public IPs
>>I searched the mailing list and saw that it's possible to
>>turn off the
>>NAT-Feature of MonoWall so that I can use public IPs on the LAN/DMZ
>>interface (with Smoothwall or IPCop I can't do this) and now
>>I just try
>>to figure out how to configure everything correctly (I'm a
>>network noob :)).
>>My net/configuration for MonoWall looks like this:
>>Netmask: 255.255.255.128 or /25
>>Range: xxx.xxx.240.1 to xxx.xxx.240.126
>>Netmask: 255.255.255.252 or /30
>>I thought to cut some IPs from the LAN-Net for the DMZ for
>>range from xxx.xxx.240.113 to xxx.xxx.240.126 (Net xxx.xxx.240.112,
>>Netmask 255.255.255.240 or /28) but I don't know if this really works
>>because the LAN has still the range from 1 to 126 through the
>>and when I use a /26 mask the range is to small, is there another
>>solution or is it not a problem at all?
>>For the "rest" I just have to turn on "Enable advanced
>>outbound NAT" so
>>that MonoWall uses no NAT, right? And then I can add rules to
>>traffic for LAN/DMZ/WAN?
>>Is this in short the way I can configure MonoWall for public IPs on
>>LAN/DMZ or is there something I missed? I'm open for any suggestions
>>especially for the DMZ part .
> your conclusions seem correct.
> You will have problems with overlapping subnets, as the hosts in the /25
> subnet will 'think' the hosts in the overlapping /28 subnet are connected
> locally, and thus not use the default gateway.
> Another approach would be to bridge the DMZ with the LAN interface. When you
> enable the filtering bridge, you could do firewalling between DMZ, LAN and
> WAN, AND not be dependant on subnets to divide your public subnet between
> your DMZ and your LAN.
> Hope this helps,