[ previous ] [ next ] [ threads ]
 From:  =?iso-8859-1?Q?J=FCrg_Schneider?= <Juerg dot Schneider at fabrimex dot ch>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  AW: [m0n0wall] newbie DMZ question **success**
 Date:  Wed, 9 Jun 2004 01:39:19 +0200
> OK, I think I have this working properly!  I have to get my 
> test server
> configured with some additional services before I know for 
> sure, but I was
> successful using http as my test service.

Nice to hear.

> Here's how I did it (using Jeanne's subnet #'s for the example):
> Take my /28 subnet from ISP, divide it into (2) /29 subnets.
> WAN interface = .242/29
> WAN gateway = .241
> DMZ interface = .249/29
> DMZ server = .250/29, with gateway pointing to .249
> **Establish firewall rules**
> WAN - allow: protocol = tcp   source = any     destination = 
> DMZ server ip


> DMZ - allow *.* (for testing only, to make sure I could talk 
> from DMZ to LAN
> and DMZ to WAN, this rule will not exist in final cut.

According to your OS you will need some. I've currently:

DNS to DMZ IP of m0n0wall (forwarder).
NTP to my favorite timeserver.
HTTP and FTP to Debian Mirrors.

> **Additional Settings**
> Proxy ARP entry for entire DMZ subnet, using DMZ net ID (i.e. 
>  .248/29)
> Server NAT = called the ip address for the DMZ server
> Outbound NAT - *enabled* advanced outbound NAT.  As soon as I 
> did this, I had WAN to DMZ access.  Writing an advanced rule 
> for my LAN gave it WAN and DMZ access again.

I'm not shure, but I think this will not be necessary, if you 
use official IPs. I've 'Advanced Outbound NAT' for my other LAN
segments. Does your DMZ server have a additional private IP?
You could do also a DMZ with '1:1 NAT' and private IPs. Then it 
will be necessary.