 From:  Christiaens Joachim <jchristi at oce dot be>
 To:  "'Juergen Moellenhoff'" <jm at oic dot de>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] How to configure MonoWall for public IPs on LAN/DMZ?
 Date:  Fri, 26 Mar 2004 12:04:25 +0100
Well, I guess I wasn't clear enough, which happens to me frequently :)

If you use bridging, you won't need to assign any ip-address or subnet to
the DMZ interface, it just acts as a switch. With filtering bridge enabled,
it blocks all traffic through this bridge, unless you add firewall-rules to
let it pass. This way you can assign IP-addresses as you wish, without the
boundaries of subnetting.

Concerning the use of private IPs, I don't know if you can do 1:1 or server
NAT from addresses out of the LAN range...

Joachim

> -----Original Message-----
> From: Juergen Moellenhoff [mailto:jm at oic dot de]
> Sent: Thursday, 25 March 2004 18:15
> To: Christiaens Joachim
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] How to configure MonoWall for public IPs on LAN/DMZ?
> 
> 
> Hi,
> 
> so this means I could use the /25 LAN-Net with the /28 DMZ-Net when I 
> use the filtering bridge (between LAN/DMZ)? The settings for the LAN 
> would be the same (see below) and for the DMZ I could use
> 
> Net:      xxx.xxx.240.112
> Netmask:  255.255.255.240 or /28
> Range:    xxx.xxx.240.113 - xxx.xxx.240.126
> DMZ-IP:   xxx.xxx.240.113
> 
> And this way I can reach the systems in the DMZ from the WAN and the 
> opposite way? Hmmm... the filtering bridge is open per default which 
> means no rules that block traffic, right?
> 
> Is another option to use private IPs just for the DMZ? And then I must
> forward certain public IPs from the WAN (but of course from the public
> IP-Range of the LAN) to the private IPs in the DMZ? Is this an option
> that could work?
> 
> Btw. thanks for the quick answer!
> 
> Bye,
> 

> 
> 
> Christiaens Joachim wrote:
> >>-----Original Message-----
> >>From: Juergen Moellenhoff [mailto:jm at oic dot de]
> >>Sent: Thursday, 25 March 2004 17:03
> >>To: m0n0wall at lists dot m0n0 dot ch
> >>Subject: [m0n0wall] How to configure MonoWall for public IPs on LAN/DMZ?
> >>
> >>
> >>Hi,
> >>
> >>I searched the mailing list and saw that it's possible to turn off the
> >>NAT-Feature of MonoWall so that I can use public IPs on the LAN/DMZ
> >>interface (with Smoothwall or IPCop I can't do this) and now I just try
> >>to figure out how to configure everything correctly (I'm a network
> >>noob :)).
> >>
> >>My net/configuration for MonoWall looks like this:
> >>
> >>LAN:
> >>Net:      xxx.xxx.240.0
> >>Netmask:  255.255.255.128 or /25
> >>Range:    xxx.xxx.240.1 to xxx.xxx.240.126
> >>LAN-IP    xxx.xxx.240.1
> >>
> >>WAN:
> >>Net:      xxx.xxx.233.8
> >>Netmask:  255.255.255.252 or /30
> >>Gateway:  xxx.xxx.233.9
> >>WAN-IP:   xxx.xxx.233.10
> >>
> >>I thought to cut some IPs from the LAN-Net for the DMZ for example the
> >>range from xxx.xxx.240.113 to xxx.xxx.240.126 (Net xxx.xxx.240.112,
> >>Netmask 255.255.255.240 or /28) but I don't know if this really works
> >>because the LAN has still the range from 1 to 126 through the /25 mask
> >>and when I use a /26 mask the range is too small, is there another
> >>solution or is it not a problem at all?
> >>
> >>For the "rest" I just have to turn on "Enable advanced outbound NAT" so
> >>that MonoWall uses no NAT, right? And then I can add rules to Block/Pass
> >>traffic for LAN/DMZ/WAN?
> >>
> >>Is this in short the way I can configure MonoWall for public IPs on
> >>LAN/DMZ or is there something I missed? I'm open for any suggestions
> >>especially for the DMZ part.
> >>
> >>Bye,
> >>

> >>
> > 
> > 

> > 
> > your conclusions seem correct.
> > 
> > You will have problems with overlapping subnets, as the hosts in the /25
> > subnet will 'think' the hosts in the overlapping /28 subnet are connected
> > locally, and thus not use the default gateway.
> > 
> > Another approach would be to bridge the DMZ with the LAN interface. When you
> > enable the filtering bridge, you could do firewalling between DMZ, LAN and
> > WAN, AND not be dependent on subnets to divide your public subnet between
> > your DMZ and your LAN.
> > 
> > Hope this helps,
> > Joachim
> 


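Added example, not part of the original thread or of m0n0wall: a short Python check of the overlapping-subnet problem described above, showing which next hop a LAN host and a DMZ host each pick for the other. The 192.0.2.x addresses are constructed stand-ins for the masked xxx.xxx.240.x ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed stand-ins for the thread's masked xxx.xxx.240.x addresses.
LAN_IF = ipaddress.ip_interface("192.0.2.1/25")      # firewall LAN-IP, /25
DMZ_IF = ipaddress.ip_interface("192.0.2.113/28")    # firewall DMZ-IP, /28
LAN_HOST = ipaddress.ip_interface("192.0.2.20/25")   # a host on the LAN
DMZ_HOST = ipaddress.ip_interface("192.0.2.120/28")  # a server in the DMZ


def next_hop(src_if, dst, gateway):
    """Next hop a host with interface src_if uses to reach dst.

    If dst lies inside the host's own prefix the host treats it as
    on-link and ARPs for it directly, so the next hop is dst itself.
    Otherwise the packet goes to the default gateway.
    """
    dst = ipaddress.ip_address(dst)
    return dst if dst in src_if.network else ipaddress.ip_address(gateway)


def overlapping(interfaces):
    """Name pairs of firewall interfaces whose networks overlap."""
    names = sorted(interfaces)
    return [(a, b)
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if interfaces[a].network.overlaps(interfaces[b].network)]


def report():
    """Summarise the routed (non-bridged) layout from the thread."""
    lan_to_dmz = next_hop(LAN_HOST, DMZ_HOST.ip, LAN_IF.ip)
    dmz_to_lan = next_hop(DMZ_HOST, LAN_HOST.ip, DMZ_IF.ip)
    return {
        "overlaps": overlapping({"LAN": LAN_IF, "DMZ": DMZ_IF}),
        # True: the LAN host never hands the packet to the firewall.
        "lan_bypasses_gateway": lan_to_dmz == DMZ_HOST.ip,
        # True: the DMZ host does route via the firewall (asymmetric).
        "dmz_uses_gateway": dmz_to_lan == DMZ_IF.ip,
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With the DMZ bridged to the LAN instead, both hosts sit in the same /25 and the on-link decision is correct, while the filtering bridge still applies the firewall rules.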