OK, I think I have this working properly! I have to get my test server
configured with some additional services before I know for sure, but I was
successful using http as my test service.
Here's how I did it (using Jeanne's subnet numbers for the example):
Take my /28 subnet from the ISP and divide it into two /29 subnets.
WAN interface = .242/29
WAN gateway = .241
DMZ interface = .249/29
DMZ server = .250/29, with gateway pointing to .249
**Establish firewall rules**
WAN - allow: protocol = tcp source = any destination = DMZ server ip
DMZ - allow *.* (for testing only, to make sure I could talk from DMZ to LAN
and DMZ to WAN; this rule will not exist in the final cut).
LAN - can access DMZ and WAN by default.
Proxy ARP entry for entire DMZ subnet, using DMZ net ID (i.e. .248/29)
Server NAT = the IP address of the DMZ server
Outbound NAT - *enabled* advanced outbound NAT. As soon as I did this, I
had WAN to DMZ access. Writing an advanced rule for my LAN gave it WAN and
DMZ access again.
I am still going to do some more tests on this, but plan on writing up a
configuration faq or howto for this once I am satisfied it is working
completely. Thanks Jurg for the tips on the proxy arp and the server nat!
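Added sanity check for the addressing plan in this message and in Jürg's reply below (not from the thread or from m0n0wall): it splits the /28 into its two /29 halves and verifies that the WAN side, the DMZ side, the server's gateway and the proxy ARP entry all line up. The addresses are constructed: 203.0.113.240/28 stands in for the x.x.x.240/28 the thread abbreviates.

```python
import ipaddress

# Constructed example addresses: the thread writes x.x.x.*; the documentation
# range 203.0.113.240/28 stands in for the ISP-assigned /28.
ISP_BLOCK = ipaddress.ip_network("203.0.113.240/28")

# The addressing plan from the message above.
PLAN = {
    "wan_gateway":        "203.0.113.241",      # ISP router, first /29
    "wan_interface":      "203.0.113.242/29",
    "dmz_interface":      "203.0.113.249/29",
    "dmz_server":         "203.0.113.250/29",
    "dmz_server_gateway": "203.0.113.249",      # DMZ interface, not the ISP gateway
    "proxy_arp":          "203.0.113.248/29",   # the DMZ net ID
}


def split_block(block):
    """Divide the /28 into its two /29 halves: WAN side first, DMZ second."""
    wan_net, dmz_net = block.subnets(new_prefix=29)
    return wan_net, dmz_net


def check_plan(plan, block=ISP_BLOCK):
    """Return a list of inconsistencies; an empty list means the plan holds together."""
    wan_net, dmz_net = split_block(block)
    wan_if = ipaddress.ip_interface(plan["wan_interface"])
    dmz_if = ipaddress.ip_interface(plan["dmz_interface"])
    dmz_srv = ipaddress.ip_interface(plan["dmz_server"])
    isp_gw = ipaddress.ip_address(plan["wan_gateway"])
    srv_gw = ipaddress.ip_address(plan["dmz_server_gateway"])
    proxy = ipaddress.ip_network(plan["proxy_arp"])
    problems = []
    # WAN interface and ISP gateway must sit together in the first /29.
    if wan_if.network != wan_net or isp_gw not in wan_net:
        problems.append(f"WAN interface and ISP gateway must both be in {wan_net}")
    # DMZ interface and server must sit together in the second /29.
    if dmz_if.network != dmz_net or dmz_srv.network != dmz_net:
        problems.append(f"DMZ interface and server must both be in {dmz_net}")
    # The server's default gateway is the m0n0wall DMZ interface, so its replies
    # pass back through the firewall rules instead of bypassing them.
    if srv_gw != dmz_if.ip:
        problems.append("DMZ server gateway must be the m0n0wall DMZ interface")
    # The ISP router treats the whole /28 as one segment and ARPs on the WAN side
    # for DMZ addresses, so m0n0wall must proxy-ARP for exactly the DMZ /29:
    # less leaves DMZ hosts unreachable, the whole /28 would overlap the WAN side.
    if proxy != dmz_net:
        problems.append(f"Proxy ARP entry should be the DMZ net {dmz_net}")
    return problems


if __name__ == "__main__":
    print(check_plan(PLAN) or "plan is consistent")
```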
----- Original Message -----
From: "Jürg Schneider" <Juerg dot Schneider at fabrimex dot ch>
To: "M0n0wall (E-Mail)" <m0n0wall at lists dot m0n0 dot ch>
Sent: Tuesday, June 08, 2004 11:09 AM
Subject: Re: [m0n0wall] newbie DMZ question
> Let's go back to the list.
> > Does this actually work for you, because it doesn't work for
> > me. I've tried this. With this setup, not even my LAN can
> > reach the WAN IP. Monowall config looks like this:
> > WAN:
> > x.x.x.242/29
> > Gateway x.x.x.241
> > DMZ:
> > x.x.x.249/29
> > From a DMZ machine I can't reach the WAN or the ISP gateway.
> > From the ISP Gateway I can't reach the WAN or anything on the
> > DMZ. What do your DMZ machines use as gateways (the WAN IP or
> The DMZ interface of m0n0wall.
> > the ISP gateway IP)? How is your ISP routing traffic to your
> > /28 (or does your ISP route to each /29 differently)? I know
> All together, he doesn't know about my subnet.
> > how to subnet - what I don't know is how to set up monowall
> > to move traffic through my WAN to the DMZ behind it.
> I've specified the DMZ server in 'Server NAT' and the /29 DMZ net
> in 'Proxy Arp'. Then appropriate rules WAN -> DMZ and some for
> DMZ -> WAN.
> I don't have a special route for the DMZ; the routing daemon is handling
> this. The settings above should be enough. I have a special route to
> a far LAN (behind another router), so I use 'Enable advanced outbound
> NAT', but this shouldn't affect the DMZ.