 From:  Rick Spence <rjspence at tampabay dot rr dot com>
 To:  Monowall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] newbie DMZ question
 Date:  Mon, 07 Jun 2004 07:33:05 -0400
Jeanne wrote:
> On Tue, 01 Jun 2004 21:53:23 -0500
> Falcor <falcor at netassassin dot com> wrote:
> 
> 
>>The proper way to do this would be to have the ISP route all traffic for 
>>x.x.x.240/28 to your WAN interface.  Then subnet the /28 and assign the 
>>subnets to your DMZ setting the proper subnet mask for each interface so 
>>it reflects your division of the network.  If you did this then you 
>>would end up with a gateway IP for the DMZ interface, and the internal 
>>route statement on the firewall would understand sending traffic to the 
>>different networks.  Then you would need to add rules allowing traffic 
>>to/from the DMZ etc.
>>
>>If you don't do it this way then you will need to set up ARP-forwarded IP 
>>addresses from the firewall's WAN interface to the DMZ hosts.  Not so 
>>good to do for your setup.
> 
>  
> 
> Falcor,
> 
> I get ethernet from my ISP. All traffic headed for x.x.x.240/28 is routed through x.x.x.241 on his
> end. This is a Layer 2 VLAN. On this same physical wire is the WAN at x.x.x.251/28 - that's the next
> place that all traffic has to go, regardless of the subnet. The DMZ port is attached to a switch.
> Attached to that switch are all my DMZ machines. I cannot reach any DMZ machine from the WAN, or
> vice versa, and machines on the DMZ certainly cannot reach the gateway and again vice versa. The WAN
> is not accepting or passing traffic to or from the DMZ. This leads me to think that either my rules
> are wrong or this is a Layer 2 issue. arp -a on the FreeBSD machine (the gateway) has:
> 
> (192.168.0.251) at mac_address_of_wan_interface
> (192.168.0.252) at mac_address_of_wan_interface
> (192.168.0.253) at mac_address_of_wan_interface
> 
> Should I see the proper MAC address of the interface on the actual machines at 192.168.0.x? How
> does one tell the WAN to listen for and accept traffic bound for the entire /28 on this physical
> link? I tried enabling proxy ARP and saw no difference.
> 
> Logs show no traffic at all passing between the DMZ and WAN in either direction. I would expect
> logs to show something being blocked if my rules were incorrect:
> On both the WAN and the DMZ interfaces I have:
> 
>   proto   source   port   destination   port
>   *       *        *      *             *
> 
> I am not ignoring your subnetting suggestion, I attempted this in a test scenario and it made no
> difference. Bottom line is that traffic still has to go through the WAN to DMZ machines which should
> be in the arp table, and I don't know how to make that happen. Perhaps subnetting is part of the
> answer, but with no traffic passing in either direction it seems that something is still missing.
> 
> Has anyone successfully set up a DMZ using public IPs and if so could you kindly tell me how to do
> it?
> 
> Thanks,
> 
> Jeanne
> 
Have you tried static routing?

I don't have the block of external IPs here at the moment but it would 
seem that a combination of the correct rules per interface, static 
routing, and forwarding would solve the issues. With the PIX and a /27 I 
did static routing.

67.12.4.8 --> 192.168.1.2
67.12.4.9 --> 192.168.1.3

Another suggestion is to use the named sequence. Give your nets/eth 
ports names. When you write rules it makes a huge difference.

allow/permit any from lan1 --> to lan2 etc...

The notes section at the bottom helps. Make a note on each rule as to 
what net is going where and allowing what. Your rules will end up pretty 
thick with static routes.

I'm not quite sure what the kick on MAC addresses is about, but routing 
by IP is easier to work with. Routing external IPs is no different than
routing internal IPs. Just make sure you have a route and rules for 
external to internal. "Name" all of your interfaces.


This might give you some ideas:
These are static routes from outside=eth0 to inside=eth1 and what IPs 
are being used external/internal.

static (inside,outside) 66.128.117.3 192.168.128.2 netmask 255.255.255.255 0 0
static (inside,outside) 66.128.117.4 192.168.128.4 netmask 255.255.255.255 0 0

R Spence
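A worked version of the split Falcor describes and of the arp -a check Jeanne ran, added here as an example (it is not from the thread and not m0n0wall's or the PIX's own code). It divides the ISP-routed /28 into a transit /29 that holds the ISP gateway and the firewall's WAN address, and a DMZ /29 with the firewall's DMZ port as the hosts' gateway; it lists the route the ISP must carry for the DMZ /29, a rule skeleton per interface, and then parses arp -a lines of the shape Jeanne quoted to report which addresses the WAN port's MAC is still answering for. The block (RFC 5737 documentation space), the .241 gateway, the MAC and the arp lines are constructed placeholders, and the rule strings are a sketch of intent rather than m0n0wall syntax.

```python
"""Subnet plan for a public /28 routed to a DMZ behind a firewall, with a
check of which addresses the firewall's WAN MAC is answering ARP for."""
import ipaddress
import re

# Constructed placeholder block: RFC 5737 documentation space standing in for
# the thread's x.x.x.240/28.  The ISP's router is at .241 as in the thread.
BLOCK = "192.0.2.240/28"
ISP_GATEWAY = "192.0.2.241"
WAN_MAC = "00:00:5e:00:53:aa"  # constructed MAC for the firewall's WAN port

# Constructed 'arp -a' lines as seen from the ISP-side FreeBSD gateway (same
# shape as the thread's output).  Two DMZ addresses resolve to the WAN MAC.
ARP_SAMPLE = [
    "? (192.0.2.242) at 00:00:5e:00:53:aa on em0 [ethernet]",
    "? (192.0.2.251) at 00:00:5e:00:53:aa on em0 [ethernet]",
    "? (192.0.2.252) at 00:00:5e:00:53:aa on em0 [ethernet]",
    "? (192.0.2.100) at 00:00:5e:00:53:bb on em0 [ethernet]",
]


def split_block(block, isp_gateway, new_prefix=29):
    """Split the ISP-routed block into the transit subnet (the one holding the
    ISP gateway, so the WAN interface must live there) and the subnets left
    over for the DMZ."""
    net = ipaddress.ip_network(block)
    gw = ipaddress.ip_address(isp_gateway)
    if gw not in net:
        raise ValueError("ISP gateway must be inside the routed block")
    subnets = list(net.subnets(new_prefix=new_prefix))
    transit = next(s for s in subnets if gw in s)
    return transit, [s for s in subnets if s != transit]


def build_plan(block, isp_gateway):
    """Addresses per interface, the route the ISP must carry, and the rule
    skeleton each interface needs once the block is split."""
    transit, dmz_subnets = split_block(block, isp_gateway)
    gw = ipaddress.ip_address(isp_gateway)
    wan_ip = next(h for h in transit.hosts() if h != gw)  # first free transit address
    dmz = dmz_subnets[0]
    dmz_hosts = list(dmz.hosts())
    dmz_if = dmz_hosts[0]  # the firewall's DMZ port is the DMZ hosts' gateway
    return {
        "wan": f"{wan_ip}/{transit.prefixlen}",
        "wan_gateway": str(gw),
        "isp_route": f"{dmz} via {wan_ip}",  # ISP must point the DMZ /29 at the WAN IP
        "dmz_if": f"{dmz_if}/{dmz.prefixlen}",
        "dmz_subnet": str(dmz),
        "dmz_hosts": [str(h) for h in dmz_hosts[1:]],
        "rules": [
            f"WAN: pass from any to {dmz} (only the ports the DMZ servers publish)",
            f"DMZ: block from {dmz} to LAN subnet (keep a compromised DMZ host off the LAN)",
            f"DMZ: pass from {dmz} to any",
        ],
    }


def classify_host(plan, host):
    """How a public address is reached after the split: by routing (DMZ
    subnet), only via proxy ARP or a 1:1 mapping on the WAN (transit subnet),
    or not from this block at all."""
    ip = ipaddress.ip_address(host)
    if ip in ipaddress.ip_network(plan["dmz_subnet"]):
        return "routed"
    if ip in ipaddress.ip_interface(plan["wan"]).network:
        return "proxy-arp"
    return "outside-block"


ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>\S+)")


def addresses_claimed_by(arp_lines, mac):
    """IPs that resolve to the given MAC in 'arp -a' output, in address order."""
    found = (ARP_RE.search(line) for line in arp_lines)
    return sorted((m["ip"] for m in found if m and m["mac"].lower() == mac.lower()),
                  key=ipaddress.ip_address)


def unexpected_claims(arp_lines, mac, plan):
    """Addresses other than its own that the WAN MAC answers ARP for.  In the
    routed design the WAN port should answer only for its own address; anything
    else here means proxy ARP (or a 1:1 mapping) is still doing the work."""
    wan_ip = str(ipaddress.ip_interface(plan["wan"]).ip)
    return [ip for ip in addresses_claimed_by(arp_lines, mac) if ip != wan_ip]


if __name__ == "__main__":
    plan = build_plan(BLOCK, ISP_GATEWAY)
    for key, value in plan.items():
        print(f"{key}: {value}")
    print("still claimed by WAN MAC:", unexpected_claims(ARP_SAMPLE, WAN_MAC, plan))
```

The point of the arp check is the one Jeanne's output raises: once the DMZ /29 is routed to the WAN address, the ISP gateway should reach DMZ hosts through that route and never hold an ARP entry for them at all, so a DMZ address that still resolves to the WAN MAC means the firewall is proxy-ARPing for it rather than routing. Rick's PIX static lines are the 1:1 variant of the same idea, a public address on the outside mapped to a private host inside, which is what classify_host labels "proxy-arp" for addresses left in the WAN's own subnet.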