[ previous ] [ next ] [ threads ]
 From:  Juergen Moellenhoff <jm at oic dot de>
 To:  Christiaens Joachim <jchristi at oce dot be>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] How to configure MonoWall for public IPs on LAN/DMZ?
 Date:  Thu, 25 Mar 2004 18:15:07 +0100

so this means I could use the /25 LAN-Net with the /28 DMZ-Net when I 
use the filtering bridge (between LAN/DMZ)? The settings for the LAN 
would be the same (see below) and for the DMZ I could use

Net:      xxx.xxx.240.112
Netmask: or /28
Range:	  xxx.xxx.240.113 - xxx.xxx.240.126
DMZ-IP:   xxx.xxx.240.113

And this way I can reach the systems in the DMZ from the WAN and the 
opposite way? Hmmm... the filtering bridge is open per default which 
means no rules that block traffic, right?

Is another option to use private IPs just for the DMZ? And then I must 
forward certain public IPs from the WAN (but of course from the public 
IP-Range of the LAN) to the private IPs in the DMZ? Is this an option 
that could work?

Btw. thank's for the quick answer!



Christiaens Joachim wrote:
>>-----Original Message-----
>>From: Juergen Moellenhoff [mailto:jm at oic dot de]
>>Sent: donderdag 25 maart 2004 17:03
>>To: m0n0wall at lists dot m0n0 dot ch
>>Subject: [m0n0wall] How to configure MonoWall for public IPs 
>>on LAN/DMZ?
>>I searched the mailing list and saw that it's possible to 
>>turn off the 
>>NAT-Feature of MonoWall so that I can use public IPs on the LAN/DMZ 
>>interface (with Smoothwall or IPCop I can't do this) and now 
>>I just try 
>>to figure out how to configure everything correctly (I'm a 
>>network noob :)).
>>My net/configuration for MonoWall looks like this:
>>Net:      xxx.xxx.240.0
>>Netmask: or /25
>>Range:    xxx.xxx.240.1 to xxx.xxx.240.126
>>LAN-IP    xxx.xxx.240.1
>>Net:      xxx.xxx.233.8
>>Netmask: or /30
>>Gateway:  xxx.xxx.233.9
>>WAN-IP:   xxx.xxx.233.10
>>I thought to cut some IPs from the LAN-Net for the DMZ for 
>>example the 
>>range from xxx.xxx.240.113 to xxx.xxx.240.126 (Net xxx.xxx.240.112, 
>>Netmask or /28) but I don't know if this really works 
>>because the LAN has still the range from 1 to 126 through the 
>>/25 mask 
>>and when I use a /26 mask the range is to small, is there another 
>>solution or is it not a problem at all?
>>For the "rest" I just have to turn on "Enable advanced 
>>outbound NAT" so 
>>that MonoWall uses no NAT, right? And then I can add rules to 
>>traffic for LAN/DMZ/WAN?
>>Is this in short the way I can configure MonoWall for public IPs on 
>>LAN/DMZ or is there something I missed? I'm open for any suggestions 
>>especially for the DMZ part .
>>   Jürgen
> Hi Jürgen,
> your conclusions seem correct.
> You will have problems with overlapping subnets, as the hosts in the /25
> subnet will 'think' the hosts in the overlapping /28 subnet are connected
> locally, and thus not use the default gateway.
> Another approach would be to bridge the DMZ with the LAN interface. When you
> enable the filtering bridge, you could do firewalling between DMZ, LAN and
> WAN, AND not be dependant on subnets to divide your public subnet between
> your DMZ and your LAN.
> Hope this helps,
> Joachim