 From:  "Brian Buys" <bbuys at tritel dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Publicly addressable DMZ
 Date:  Tue, 18 May 2004 17:11:40 -0600
Hello everyone,

First, let me say that I am very impressed with the m0n0wall.  I found it
while looking for a solution for work (which is to be the subject of the
coming question) but plan on implementing this at home as soon as I can get
a box to put it on.

Let me say up front that I have spent a good deal of time researching this
setup on the list archive, and I did find one report of a successful
configuration, along with lots and lots of debate as to whether it would
work or not.

Here is my setup:

DSL (63.xxx.xxx.198/29)
          |
WAN (63.xxx.xxx.197/30)
          |
        m0n0----------------------------
          |                            |
LAN (192.168.1.0/24)          DMZ (63.xxx.xxx.193/30)

The basic idea is that I want to take my ISP-assigned IP address pool and
use some of them in a DMZ setup, so that I can have some server machines
(one is a VOIP machine) publicly addressable, yet still behind some firewall
protection.  NAT is not an option at this point, as it causes other
complications with remote IP phones.

Everything I have found in the list archive seems to indicate that I can
either bridge the DMZ to the WAN, and lose access to it from the LAN, or
give the DMZ interface an IP address and lose access from outside the WAN
due to the NAT feature being on by default.  However, I want to be able to
reach the DMZ from both the LAN and from outside the WAN without using NAT.

In this thread
http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=9&actionargs[]=95
from Oct 2003, Adrian Wiesmann claims to have a similar setup working by
*enabling* advanced outbound NAT (hence turning off the NAT feature on the
DMZ) and then writing an outbound NAT rule for his LAN.  I tried this
earlier today, but still cannot get it to work properly (I am wondering if
I wrote the advanced rule incorrectly).

If m0n0wall is capable of this type of configuration, perhaps someone has a
suggestion that I am overlooking?  I feel that I am very close to getting
this to work, but maybe that is just wishful thinking?  Am I wasting time
trying to make m0n0wall do something beyond its intended scope?  If so,
could someone recommend another system I might try to make this work?

Thank you in advance,

Brian Buys
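The translation behaviour the post is asking about, as an added illustration that is neither the poster's configuration nor m0n0wall's own code: a small model of the outbound NAT decision for the topology above, with the default "NAT everything leaving WAN" behaviour beside an advanced outbound NAT rule that translates only the LAN. RFC 5737 documentation addresses (198.51.100.x, 192.0.2.1) are constructed stand-ins for the elided 63.xxx.xxx.x values; the rule format is an assumption of this model, not m0n0wall's.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the post's addresses (63.xxx.xxx.x is elided there).
WAN_IP = ip_address("198.51.100.197")
LAN_NET = ip_network("192.168.1.0/24")
DMZ_NET = ip_network("198.51.100.192/30")   # the .193/30 block from the diagram


def egress_interface(dst):
    """Route a destination to one of the three interfaces; WAN is the default route."""
    if dst in LAN_NET:
        return "LAN"
    if dst in DMZ_NET:
        return "DMZ"
    return "WAN"


def outbound_nat(src, dst, advanced_nat, rules):
    """Return the source address a packet leaves the firewall with.

    advanced_nat=False models the default the post describes: everything leaving
    WAN is rewritten to the WAN address, so the DMZ loses its public address.
    advanced_nat=True models advanced outbound NAT: only packets matching an
    explicit (source_network, translated_address) rule are rewritten.
    """
    src, dst = ip_address(src), ip_address(dst)
    if egress_interface(dst) != "WAN":
        return str(src)            # LAN <-> DMZ is plain routing, never translated
    if not advanced_nat:
        return str(WAN_IP)         # default: DMZ hosts appear as the WAN address
    for net, translated in rules:  # hypothetical rule list, first match wins
        if src in net:
            return str(translated)
    return str(src)                # no rule matched: public source passes unchanged


# The single rule the thread's approach implies: translate only the LAN to WAN.
LAN_ONLY_RULES = [(LAN_NET, WAN_IP)]


def summarize(advanced_nat):
    """Source addresses seen by a remote host and by a DMZ host, per NAT mode."""
    return {
        "lan_to_internet": outbound_nat("192.168.1.10", "192.0.2.1", advanced_nat, LAN_ONLY_RULES),
        "dmz_to_internet": outbound_nat("198.51.100.194", "192.0.2.1", advanced_nat, LAN_ONLY_RULES),
        "lan_to_dmz": outbound_nat("192.168.1.10", "198.51.100.194", advanced_nat, LAN_ONLY_RULES),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("advanced outbound NAT", "on" if mode else "off", summarize(mode))
```

The model covers only the outbound translation; whether a DMZ host is actually reachable from outside still depends on the firewall rules on the DMZ interface allowing the inbound traffic.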