 From:  Falcor <falcor at netassassin dot com>
 To:  Jeanne <techielists at regionalhelpwanted dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] newbie DMZ question
 Date:  Tue, 01 Jun 2004 21:53:23 -0500
Unless you change the subnet you need to instruct the machines on your 
DMZ to use x.x.x.241 as the gateway.

The proper way to do this would be to have the ISP route all traffic for 
x.x.x.240/28 to your WAN interface.  Then subnet the /28 and assign the 
subnets to your DMZ setting the proper subnet mask for each interface so 
it reflects your division of the network.  If you did this then you 
would end up with a gateway IP for the DMZ interface, and the internal 
route statement on the firewall would understand sending traffic to the 
different networks.  Then you would need to add rules allowing traffic 
to/from the DMZ etc.

If you don't do it this way then you will need to set up ARP forwarded IP 
addresses from the firewall's WAN interface to the DMZ hosts.  Not so 
good to do for your setup.

Someone may have another trick, but that is the proper way of doing this 
no matter what firewall / router you are using.

The difference is that your 3com probably did the subnet mask for you, 
and although there were probably issues with SAP and RIP and such on 
your DMZ segments the 3com accommodated it.  E.g. you specified an IP 
range, and it did the bit math but the servers still had /28 subnet masks.

Jeanne wrote:

>I am replacing a 3com firewall and need to keep the IP addressing as is. NAT/Firewall is working
>fine for the LAN. I cannot configure the DMZ. Machines on the DMZ cannot ping the WAN or the
>ISP issued block: x.x.x.240/28
>WAN x.x.x.251/28
>ISP designated gateway for this block: x.x.x.241
>Machines in the DMZ have public IPs within this x.x.x.240/28 block. For example, our web server is
>x.x.x.252 with a gateway of x.x.x.251, and an ftp server is x.x.x.246. The 3com allows for 2 DMZ
>ranges of x.x.x.242-250 and 252-254. m0n0wall appears to allow only a single DMZ net.
>For the moment I am allowing all traffic to and from the DMZ:
>WAN interface -- Proto: * Source: DMZ Net Port: * Destination: * Port: *
>DMZ Interface -- Proto: * Source: * Port: * Destination: DMZ net Port: *
>Please know that I have searched the archives, but I'm still stumped. Thanks for your time.
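Added here as a worked illustration of the subnet plan Falcor describes (not code from the thread or from m0n0wall): it splits the routed /28 into two /29s, reserves the first usable address of each as the firewall's DMZ interface, and shows why a host keeping a /28 mask thinks the ISP gateway is on its own segment. The 203.0.113.x addresses are constructed stand-ins for the redacted x.x.x block; the choice of /29s and of the first usable address as gateway is an assumption.

```python
import ipaddress

# Constructed stand-in for the thread's redacted "x.x.x.240/28" (the
# 203.0.113.0/24 documentation range, so no real host is named).
ISP_BLOCK = ipaddress.ip_network("203.0.113.240/28")
ISP_GATEWAY = "203.0.113.241"          # ISP designated gateway, per the thread
DMZ_HOSTS = {"ftp": "203.0.113.246", "web": "203.0.113.252"}


def plan_dmz_subnets(block, prefix_len=29):
    """Split the block routed to the WAN into equal subnets and reserve the
    first usable address of each for the firewall's DMZ interface (the
    hosts' gateway). Returns [(subnet, gateway, usable host addresses)]."""
    plan = []
    for subnet in block.subnets(new_prefix=prefix_len):
        hosts = list(subnet.hosts())
        plan.append((subnet, hosts[0], hosts[1:]))
    return plan


def host_config(host, plan):
    """(netmask, gateway) a DMZ host must be configured with under the plan,
    or None when the address is not a usable host in any planned subnet."""
    addr = ipaddress.ip_address(host)
    for subnet, gateway, usable in plan:
        if addr in usable:
            return str(subnet.netmask), str(gateway)
    return None


def gateway_is_on_link(host, prefix_len, gateway):
    """True when a host using this prefix length believes `gateway` shares
    its segment and would ARP for it directly. With the original /28 mask
    the DMZ hosts think the ISP gateway is on-link although it sits on the
    far side of the firewall, which is why ARP forwarding would be needed."""
    iface = ipaddress.ip_interface(f"{host}/{prefix_len}")
    return ipaddress.ip_address(gateway) in iface.network


if __name__ == "__main__":
    plan = plan_dmz_subnets(ISP_BLOCK)
    for subnet, gateway, usable in plan:
        print(f"{subnet}: firewall DMZ interface {gateway}, "
              f"hosts {usable[0]}-{usable[-1]}")
    for name, host in DMZ_HOSTS.items():
        print(name, host, "->", host_config(host, plan),
              "| /28 mask sees ISP gw on-link:",
              gateway_is_on_link(host, 28, ISP_GATEWAY))
```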