 From:  Jeanne <techielists at regionalhelpwanted dot com>
 To:  Falcor <falcor at netassassin dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] newbie DMZ question
 Date:  Mon, 7 Jun 2004 17:24:47 -0400
On Tue, 01 Jun 2004 21:53:23 -0500
Falcor <falcor at netassassin dot com> wrote:

> The proper way to do this would be to have the ISP route all traffic for 
> x.x.x.240/28 to your WAN interface.  Then subnet the /28 and assign the 
> subnets to your DMZ setting the proper subnet mask for each interface so 
> it reflects your division of the network.  If you did this then you 
> would end up with a gateway IP for the DMZ interface, and the internal 
> route statement on the firewall would understand sending traffic to the 
> different networks.  Then you would need to add rules allowing traffic 
> to/from the DMZ etc.
> 
> If you don't do it this way then you will need to set up ARP forwarded IP 
> addresses from the firewall's WAN interface to the DMZ hosts.  Not so 
> good to do for your setup.
 

Falcor,

I get ethernet from my ISP. All traffic headed for x.x.x.240/28 is routed through x.x.x.241 on his
end. This is a Layer 2 VLAN. On this same physical wire is the WAN at x.x.x.251/28 - that's the next
place that all traffic has to go, regardless of the subnet. The DMZ port is attached to a switch.
Attached to that switch are all my DMZ machines. I cannot reach any DMZ machine from the WAN, or
vice-versa, and machines on the DMZ certainly cannot reach the gateway and again vice-versa. The WAN
is not accepting or passing traffic to or from the DMZ. This leads me to think that either my rules
are wrong or this is a Layer 2 issue. arp -a on the FreeBSD machine (the gateway) has:

(192.168.0.251) at mac_address_of_wan_interface
(192.168.0.252) at mac_address_of_wan_interface
(192.168.0.253) at mac_address_of_wan_interface

Should I see the proper MAC address of the interface on the actual machines at 192.168.0.x? How does
one tell the WAN to listen for and accept traffic bound for the entire /28 on this physical link? I
tried enabling proxy ARP and saw no difference. 

Logs show no traffic at all passing between the DMZ and WAN in either direction. I would expect logs
to show something being blocked if my rules were incorrect:
On both the WAN and the DMZ interfaces I have:
proto	source	port	destination	port	
*	*	*	*		*

I am not ignoring your subnetting suggestion; I attempted this in a test scenario and it made no
difference. Bottom line is that traffic still has to go through the WAN to DMZ machines which should
be in the arp table, and I don't know how to make that happen. Perhaps subnetting is part of the
answer, but with no traffic passing in either direction it seems that something is still missing. 

Has anyone successfully set up a DMZ using public IPs and if so could you kindly tell me how to do
it?

Thanks,

Jeanne