 From:  Rick Spence <rjspence at tampabay dot rr dot com>
 To:  Rick Spence <rjspence at tampabay dot rr dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] newbie DMZ question **success**
 Date:  Mon, 7 Jun 2004 19:51:58 -0400
On Monday 07 June 2004 07:42 pm, you wrote:

Sad.... Directions given would have saved 4 hours.
No more comment.


> On Tuesday 08 June 2004 05:14 pm, Brian Buys wrote:
> > OK, I think I have this working properly!  I have to get my test server
> > configured with some additional services before I know for sure, but I
> > was successful using http as my test service.
> >
> > Here's how I did it (using Jeanne's subnet #'s for the example):
> >
> > Take my /28 subnet from ISP, divide it into (2) /29 subnets.
> >
> > WAN interface = .242/29
> > WAN gateway = .241
> >
> > DMZ interface = .249/29
> > DMZ server = .250/29, with gateway pointing to .249
> >
> > **Establish firewall rules**
> > WAN - allow: protocol = tcp   source = any     destination = DMZ server ip
> >
> > DMZ - allow *.* (for testing only, to make sure I could talk from DMZ to
> > LAN and DMZ to WAN; this rule will not exist in final cut.)
> >
> > LAN - can access DMZ and WAN by default.
> >
> > **Additional Settings**
> > Proxy ARP entry for entire DMZ subnet, using DMZ net ID (i.e.  .248/29)
> >
> > Server NAT = called the ip address for the DMZ server
> >
> > Outbound NAT - *enabled* advanced outbound NAT.  As soon as I did this, I
> > had WAN to DMZ access.  Writing an advanced rule for my LAN gave it WAN
> > and DMZ access again.
> >
> >
> > I am still going to do some more tests on this, but plan on writing up a
> > configuration faq or howto for this once I am satisfied it is working
> > completely.  Thanks Jurg for the tips on the proxy arp and the server
> > nat!
> >
> > Brian
> >
> > ----- Original Message -----

> > To: "M0n0wall (E-Mail)" <m0n0wall at lists dot m0n0 dot ch>
> > Sent: Tuesday, June 08, 2004 11:09 AM
> > Subject: Re: [m0n0wall] newbie DMZ question
> >
> > > Let's go back to the list.
> > >
> > > > Does this actually work for you, because it doesn't work for
> > > > me. I've tried this. With this setup, not even my LAN can
> > > > reach the WAN IP. Monowall config looks like this:
> > > >
> > > > WAN:
> > > > x.x.x.242/29
> > > > Gateway x.x.x.241
> > > >
> > > > DMZ:
> > > > x.x.x.249/29
> > >
> > > Ok
> > >
> > > > From a DMZ machine I can't reach the WAN or the ISP gateway.
> > > > From the ISP Gateway I can't reach the WAN or anything on the
> > > > DMZ. What do your DMZ machines use as gateways (the WAN IP or
> > >
> > > The DMZ interface of m0n0wall.
> > >
> > > > the ISP gateway IP)? How is your ISP routing traffic to your
> > > > /28 (or does your ISP route to each /29 differently)? I know
> > >
> > > All together, he doesn't know about my subnet.
> > >
> > > > how to subnet - what I don't know is how to set up monowall
> > > > to move traffic through my WAN to the DMZ behind it.
> > >
> > > I've specified the DMZ server in 'Server NAT' and the /29 DMZ net
> > > in 'Proxy Arp'. Then appropriate rules WAN -> DMZ and some for
> > > DMZ -> WAN.
> > >
> > > @Brian:
> > > I haven't a special route for the DMZ; the routing daemon is handling
> > > this. The settings above should be enough. I've a special route to
> > > a far LAN (behind another router), so I use 'Enable advanced outbound
> > > NAT', but this shouldn't affect the DMZ.
> > >

> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> >
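Worked example of the /28 split described in Brian's message above, added here as an illustration; it is not code from the thread or from the m0n0wall project. It uses Python's standard ipaddress module to cut the ISP block into the two /29s, assign the addresses the thread uses (.241 gateway, .242 WAN, .249 DMZ interface, .250 DMZ server, .248/29 for proxy ARP) and run the sanity checks a practitioner would want before committing the config. The prefix 203.0.113.240/28 is a constructed documentation-range stand-in for the x.x.x.240/28 in the thread, and the function names are my own.

```python
"""Split an ISP /28 into a WAN /29 and a DMZ /29 the way the thread describes.

Added example, not from the m0n0wall thread or project.  203.0.113.240/28
is a constructed stand-in (RFC 5737 documentation range) for x.x.x.240/28.
"""
import ipaddress

ISP_BLOCK = ipaddress.ip_network("203.0.113.240/28")  # constructed stand-in


def split_block(block, new_prefix=29):
    """Return the subnets of `block` at `new_prefix`; a /28 yields two /29s."""
    return list(block.subnets(new_prefix=new_prefix))


def describe(net):
    """Network id, usable host range and broadcast address for one subnet."""
    hosts = list(net.hosts())
    return {
        "network": str(net),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "usable": len(hosts),
    }


def plan_addresses(block):
    """Assign addresses as in the thread: lower /29 is the WAN link, upper /29 the DMZ.

    ISP gateway .241 and WAN interface .242 live in the lower /29 (net id .240);
    DMZ interface .249 and DMZ server .250 live in the upper /29 (net id .248).
    The DMZ server's gateway is the m0n0wall DMZ interface, not the ISP router,
    and the proxy ARP entry covers the whole upper /29.
    """
    wan_net, dmz_net = split_block(block)
    wan_hosts = list(wan_net.hosts())
    dmz_hosts = list(dmz_net.hosts())
    return {
        "wan_gateway": wan_hosts[0],         # .241 (ISP router)
        "wan_interface": wan_hosts[1],       # .242 (m0n0wall WAN)
        "dmz_interface": dmz_hosts[0],       # .249 (m0n0wall DMZ)
        "dmz_server": dmz_hosts[1],          # .250
        "dmz_server_gateway": dmz_hosts[0],  # must point at the DMZ interface
        "proxy_arp_net": dmz_net,            # .248/29, the 'Proxy ARP' entry
    }


def check_plan(plan):
    """Sanity checks before committing the config; an empty list means OK."""
    problems = []
    # The WAN interface and the ISP gateway must share the same on-link /29.
    wan_link = ipaddress.ip_network(f"{plan['wan_interface']}/29", strict=False)
    if plan["wan_gateway"] not in wan_link:
        problems.append("ISP gateway is not on the WAN /29")
    # The server NAT target must sit inside the /29 that proxy ARP answers for.
    if plan["dmz_server"] not in plan["proxy_arp_net"]:
        problems.append("DMZ server is outside the proxy-ARP'd DMZ /29")
    # DMZ hosts route via m0n0wall's DMZ interface, not the ISP gateway.
    if plan["dmz_server_gateway"] != plan["dmz_interface"]:
        problems.append("DMZ server gateway must be the m0n0wall DMZ interface")
    # Proxy ARP for the DMZ must not claim addresses on the WAN link.
    if (plan["wan_interface"] in plan["proxy_arp_net"]
            or plan["wan_gateway"] in plan["proxy_arp_net"]):
        problems.append("proxy ARP range overlaps the WAN /29")
    if plan["dmz_server"] == plan["dmz_interface"]:
        problems.append("DMZ server address collides with the DMZ interface")
    return problems


if __name__ == "__main__":
    for net in split_block(ISP_BLOCK):
        print(describe(net))
    plan = plan_addresses(ISP_BLOCK)
    for name, value in plan.items():
        print(f"{name:20s} {value}")
    print("problems:", check_plan(plan) or "none")
```

Running it prints both /29s with their host ranges and broadcast addresses, the address plan, and any problems found; with the addresses from the thread the check list is empty.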