Doh! I wondered about the static route, SW uses it so I recreated it in m0n0. The DMZ does not need to access the LAN in this situation but with SW it could ping it. I changed the rule as you suggested and plugged my laptop into DMZ and it pings 100.10 now! Thanks Manuel, you rock! Now to take it to client and replace that clunker SW! hehe.

-----Original Message-----
From: Manuel Kasper [mailto:mk at neon1 dot net]
Sent: Tuesday, April 13, 2004 1:47 PM
To: David Kitchens
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Can't ping DMZ

On 13.04.2004 13:24 -0400, David Kitchens wrote:

> 192.168.200.3. Now the problem, the mail server in DMZ cannot be
> pinged from LAN, it will not ping anything in the LAN or on the web.
> It cannot get out and nothing can get in to it. I tried

Don't forget that (ideally) DMZ hosts should not be able to access anything in the LAN subnet.

> <rule>
> <type>pass</type>
> <interface>opt1</interface>
> <source>
> <network>lan</network>
> </source>
> <destination>
> <any/>
> </destination>
> <descr>Default LAN -> any</descr>
> </rule>

Hmm, a pass rule on interface OPT1, but with source "LAN subnet"? That doesn't make sense - you'll probably want this rule to be "source = DMZ subnet" and "destination = not LAN subnet".

Also, that static route for 192.168.100.0/24 doesn't make sense either if that subnet is on the OPT1 interface. You don't need it.

- Manuel
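Manuel's suggested change, written out as an m0n0wall config.xml rule fragment beside the original rule from the thread (added example, not code from the list or from the m0n0wall project; the `<not/>` negation element and the `opt1` network name for the OPT1 subnet are assumed from m0n0wall's config format):

```xml
<!-- Rule as quoted in the thread: a pass rule on OPT1 whose source is the
     LAN subnet. Packets arriving on OPT1 come from the DMZ subnet, so this
     rule never matches and the interface's default deny drops everything. -->
<rule>
  <type>pass</type>
  <interface>opt1</interface>
  <source>
    <network>lan</network>
  </source>
  <destination>
    <any/>
  </destination>
  <descr>Default LAN -> any</descr>
</rule>

<!-- Corrected rule (assumed syntax): source is the DMZ (OPT1) subnet and the
     destination is negated with <not/>, so DMZ hosts may reach the Internet
     but not the LAN subnet. No separate block rule is needed for DMZ -> LAN
     because unmatched traffic on the interface is denied by default. -->
<rule>
  <type>pass</type>
  <interface>opt1</interface>
  <source>
    <network>opt1</network>
  </source>
  <destination>
    <not/>
    <network>lan</network>
  </destination>
  <descr>DMZ -> any except LAN</descr>
</rule>
```

LAN hosts can still ping the DMZ server through the existing LAN rule, since the stateful filter lets the replies back in without any DMZ-side rule.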