 
 From:  Kevin Williams <kevin at bantamtech dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  DMZ configuration troubles
 Date:  Sun, 25 Apr 2004 12:46:56 -0600
I've got a broadband Internet connection with a static IP address. I also
purchased a /29 subnet from my ISP. My static IP is xx.xx.xx.20/26 with a
gateway of xx.xx.xx.62. My /29 subnet is xx.xx.xx.81-86. (Yes, all the x's
represent the same numbers.) I've got inbound NAT for port 22 on a machine in the
LAN (plus a second entry that redirects external port 443 to that same SSH port).

I've tried bridging my DMZ NIC with the WAN NIC, with and without filtering. I've
tried using 192.168.2.* on the DMZ and doing 1:1 NAT. I've tried Server NAT.
I've tried each combination with and without Proxy ARP. The only time
xx.xx.xx.82 comes back with anything, it connects to the inbound NAT port 22
going to the LAN machine. I can't get this to work!

I know I can do 1:1 NAT if I put my servers in my LAN, but that's not a Good
Idea(tm). Can anyone give me some assistance, please?

Kevin

P.S. - Here's my config file, as of right now:

<?xml version="1.0"?>
<!-- m0n0wall 1.4 configuration exactly as posted. The NOTE(review) comments
     below are reviewer annotations only; no element has been changed. -->
<m0n0wall>
	<version>1.4</version>
	<system>
		<hostname>m0n0wall</hostname>
		<domain>home.bogus</domain>
		<dnsallowoverride/>
		<username>admin</username>
		<password>************</password>
		<timezone>America/Denver</timezone>
		<time-update-interval>300</time-update-interval>
		<timeservers>ntp1.tummy.com</timeservers>
		<webgui>
			<!-- NOTE(review): the admin GUI is served over plain HTTP, so the
			     admin password crosses the LAN in cleartext on every login.
			     Switching the protocol to https (with a certificate and key
			     in the two empty elements below) is the usual hardening step. -->
			<protocol>http</protocol>
			<port/>
			<certificate/>
			<private-key/>
		</webgui>
		<dnsserver>xx.x.xxx.210</dnsserver>
		<dnsserver>xx.x.xxx.206</dnsserver>
	</system>
	<interfaces>
		<lan>
			<if>rl0</if>
			<ipaddr>192.168.1.1</ipaddr>
			<subnet>24</subnet>
		</lan>
		<wan>
			<if>rl2</if>
			<blockpriv/>
			<spoofmac/>
			<mtu/>
			<ipaddr>xx.xx.xxx.20</ipaddr>
			<subnet>26</subnet>
			<gateway>xx.xx.xxx.62</gateway>
		</wan>
		<opt1>
			<if>rl1</if>
			<descr>DMZ</descr>
			<!-- NOTE(review): OPT1 carries both an address in the routed /29
			     and an empty <bridge/> element. A bridged OPT interface
			     normally has no address of its own, and a routed DMZ needs no
			     bridge; one of the two is presumably left over from an earlier
			     attempt described in the post. Confirm which mode is intended. -->
			<ipaddr>xx.xx.xxx.81</ipaddr>
			<subnet>29</subnet>
			<bridge/>
			<enable/>
		</opt1>
	</interfaces>
	<staticroutes/>
	<pppoe/>
	<pptp/>
	<dyndns>
		<type>dyndns</type>
		<username/>
		<password/>
		<host/>
		<mx/>
	</dyndns>
	<dhcpd>
		<lan>
			<enable/>
			<range>
				<from>192.168.1.100</from>
				<to>192.168.1.199</to>
			</range>
		</lan>
	</dhcpd>
	<pptpd>
		<mode/>
		<redir/>
		<localip/>
		<remoteip/>
	</pptpd>
	<dnsmasq>
		<enable/>
		<regdhcp/>
		<hosts>
			<!-- NOTE(review): 192.168.2.22 is outside the LAN (192.168.1.0/24)
			     and matches the 192.168.2.* DMZ numbering the post says was
			     tried and abandoned; this looks like a stale entry. -->
			<host>bigblue</host>
			<domain>home.bogus</domain>
			<ip>192.168.2.22</ip>
			<descr>freebsd</descr>
		</hosts>
		<hosts>
			<host>gatewaypc</host>
			<domain>home.bogus</domain>
			<ip>192.168.1.4</ip>
			<descr>Gentoo RAID Jukebox and Print Server</descr>
		</hosts>
	</dnsmasq>
	<snmpd>
		<syslocation/>
		<syscontact/>
		<!-- NOTE(review): the read-only community is the well-known default
		     "public". There is no <enable/> in this section (compare
		     <dhcpd><lan>), so the daemon is presumably not running, but the
		     string should be changed before SNMP is ever switched on. -->
		<rocommunity>public</rocommunity>
	</snmpd>
	<diag>
		<ipv6nat>
			<ipaddr/>
		</ipv6nat>
	</diag>
	<bridge/>
	<syslog>
		<reverse/>
		<nentries>50</nentries>
		<!-- NOTE(review): no remote syslog server is set and default-block
		     hits are not logged, so only the last 50 in-memory entries are
		     available. Logging default blocks (at least temporarily) would
		     show whether the DMZ traffic is being dropped by the firewall. -->
		<remoteserver/>
		<nologdefaultblock/>
	</syslog>
	<nat>
		<rule>
			<protocol>tcp</protocol>
			<external-port>22</external-port>
			<target>192.168.1.4</target>
			<local-port>22</local-port>
			<descr>access to gatewaypc</descr>
		</rule>
		<!-- NOTE(review): a second public port (443) is redirected to the
		     same SSH service on 192.168.1.4, so the host is reachable on two
		     Internet-facing ports. Since the redirect rewrites the destination
		     before filtering, the single WAN filter rule for 192.168.1.4:22
		     presumably admits both; be aware that it admits any source. -->
		<rule>
			<protocol>tcp</protocol>
			<external-port>443</external-port>
			<target>192.168.1.4</target>
			<local-port>22</local-port>
			<descr>firewall-safe access to ssh</descr>
		</rule>
	</nat>
	<filter>
		<!-- NOTE(review): this rule has no <type> element while the other two
		     say <type>pass</type>. It presumably defaults to pass (the post
		     reports the port-22 NAT working), but stating the type explicitly
		     avoids relying on that default. -->
		<rule>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
			</source>
			<destination>
				<address>192.168.1.4</address>
				<port>22</port>
			</destination>
			<descr>NAT access to gatewaypc</descr>
		</rule>
		<!-- NOTE(review): this rule constrains the client's source port, which
		     the remote side chooses freely, so it is not a meaningful
		     restriction. With no matching NAT redirect for 6881-6889 the
		     inbound destination is the WAN address, not the LAN network, so
		     the rule presumably never matches; confirm it is actually needed. -->
		<rule>
			<type>pass</type>
			<interface>wan</interface>
			<protocol>tcp</protocol>
			<source>
				<any/>
				<port>6881-6889</port>
			</source>
			<destination>
				<network>lan</network>
				<port>6881-6889</port>
			</destination>
			<descr>bittorrent</descr>
		</rule>
		<rule>
			<type>pass</type>
			<descr>Default LAN -&gt; any</descr>
			<interface>lan</interface>
			<source>
				<network>lan</network>
			</source>
			<destination>
				<any/>
			</destination>
		</rule>
		<!-- NOTE(review): there are no rules for interface opt1 and none on
		     wan that name the xx.xx.xxx.81/29 range, so traffic to or from the
		     DMZ falls through to the default block. This is consistent with
		     the reported symptom that xx.xx.xxx.82 never answers. -->
	</filter>
	<shaper/>
	<ipsec/>
	<aliases/>
	<proxyarp>
	</proxyarp>
</m0n0wall>