OK, I think I have this working properly! I have to get my test server configured with some additional services before I know for sure, but I was successful using http as my test service. Here's how I did it (using Jeanne's subnet #'s for the example):

Take my /28 subnet from ISP, divide it into (2) /29 subnets.

WAN interface = .242/29
WAN gateway = .241
DMZ interface = .249/29
DMZ server = .250/29, with gateway pointing to .249

**Establish firewall rules**

WAN - allow: protocol = tcp, source = any, destination = DMZ server ip
DMZ - allow *.* (for testing only, to make sure I could talk from DMZ to LAN and DMZ to WAN; this rule will not exist in the final cut.)
LAN - can access DMZ and WAN by default.

**Additional Settings**

Proxy ARP entry for entire DMZ subnet, using DMZ net ID (i.e. .248/29)
Server NAT = called the ip address for the DMZ server
Outbound NAT - *enabled* advanced outbound NAT.

As soon as I did this, I had WAN to DMZ access. Writing an advanced rule for my LAN gave it WAN and DMZ access again. I am still going to do some more tests on this, but plan on writing up a configuration faq or howto for this once I am satisfied it is working completely.

Thanks Jurg for the tips on the proxy arp and the server nat!

Brian

----- Original Message -----
From: "Jürg Schneider" <Juerg dot Schneider at fabrimex dot ch>
To: "M0n0wall (E-Mail)" <m0n0wall at lists dot m0n0 dot ch>
Sent: Tuesday, June 08, 2004 11:09 AM
Subject: Re: [m0n0wall] newbie DMZ question

> Let's go back to the list.
>
> > Does this actually work for you, because it doesn't work for
> > me. I've tried this. With this setup, not even my LAN can
> > reach the WAN IP. Monowall config looks like this:
> >
> > WAN:
> > x.x.x.242/29
> > Gateway x.x.x.241
> >
> > DMZ:
> > x.x.x.249/29
>
> Ok
>
> > From a DMZ machine I can't reach the WAN or the ISP gateway.
> > From the ISP Gateway I can't reach the WAN or anything on the
> > DMZ.
> > What do your DMZ machines use as gateways (the WAN IP or
>
> The DMZ interface of m0n0wall.
>
> > the ISP gateway IP)? How is your ISP routing traffic to your
> > /28 (or does your ISP route to each /29 differently)? I know
>
> All together, he doesn't know about my subnet.
>
> > how to subnet - what I don't know is how to set up monowall
> > to move traffic through my WAN to the DMZ behind it.
>
> I've specified the DMZ server in 'Server NAT' and the /29 DMZ net
> in 'Proxy Arp'. Then appropriate rules WAN -> DMZ and some for
> DMZ -> WAN.
>
> @Brian:
> I haven't a special route for the DMZ, the routing daemon is handling
> this. The settings above should be enough. I've a special route to
> a far LAN (behind another router), so I use 'Enable advanced outbound
> NAT', but this shouldn't affect the DMZ.
>
> Jürg
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
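The address plan and final rule set Brian describes above, written out as an added example that is not from the thread: it uses a constructed /28 (198.51.100.240/28) and an assumed private LAN (192.168.1.0/24), and models m0n0wall's default deny on the WAN and DMZ interfaces and default allow on LAN with a small first-match evaluator.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ISP_BLOCK = ip_network("198.51.100.240/28")  # constructed stand-in for the ISP's /28

def plan_subnets(block: IPv4Network) -> dict:
    """Split the /28 into a WAN /29 and a DMZ /29 and assign the addresses the thread uses."""
    wan, dmz = block.subnets(new_prefix=29)          # .240/29 and .248/29
    wan_hosts, dmz_hosts = list(wan.hosts()), list(dmz.hosts())
    return {
        "wan_net": wan, "dmz_net": dmz,
        "isp_gateway": wan_hosts[0],  # .241, first usable address in the WAN /29
        "wan_if": wan_hosts[1],       # .242, m0n0wall WAN interface
        "dmz_if": dmz_hosts[0],       # .249, m0n0wall DMZ interface = gateway for DMZ hosts
        "dmz_server": dmz_hosts[1],   # .250, the published server
        "proxy_arp": dmz,             # Proxy ARP entry covers the whole DMZ /29 (.248/29)
    }

def check_plan(p: dict) -> list:
    """Sanity checks to run before writing any firewall rules."""
    problems = []
    if p["isp_gateway"] not in p["wan_net"] or p["wan_if"] not in p["wan_net"]:
        problems.append("WAN gateway and WAN interface must both sit in the WAN /29")
    if p["dmz_if"] not in p["dmz_net"] or p["dmz_server"] not in p["dmz_net"]:
        problems.append("DMZ interface and DMZ server must both sit in the DMZ /29")
    if p["proxy_arp"] != p["dmz_net"]:
        problems.append("Proxy ARP entry must match the DMZ network exactly")
    return problems

@dataclass
class Rule:
    iface: str         # interface the packet arrives on: "wan", "dmz" or "lan"
    proto: str         # "tcp", "udp" or "any"
    dst: IPv4Network   # destination match

def final_rules(p: dict) -> list:
    """Brian's final cut: TCP from anywhere on WAN to the DMZ server only, plus m0n0wall's
    default LAN-to-any rule; the temporary 'DMZ allow *.*' test rule is deliberately absent."""
    return [
        Rule("wan", "tcp", ip_network(str(p["dmz_server"]))),
        Rule("lan", "any", ip_network("0.0.0.0/0")),
    ]

def decide(rules: list, iface: str, proto: str, dst: str) -> str:
    """First matching pass rule wins; anything else on WAN/DMZ is dropped (default deny)."""
    d = ip_address(dst)
    for r in rules:
        if r.iface == iface and r.proto in ("any", proto) and d in r.dst:
            return "pass"
    return "block"
```

Running `decide` against a DMZ-to-LAN packet shows why the "allow *.*" test rule must not survive into production: without it the DMZ host cannot reach the LAN at all.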