I think that this is a firewall issue not a NAT issue. By default, the DMZ interface will not be able to talk to *ANYTHING*. The firewall rule on the LAN interface that states LAN net:any -> *:any will allow the LAN to talk to the DMZ and WAN. If you want the DMZ to talk to the LAN you will have to add a rule or rules to allow the traffic. You can create a Pass DMZ net:any -> *:any, but this would be insecure. I would recommend that you only open the ports that are absolutely needed. If you need the DMZ to talk to your DNS, open DNS. Other than DNS what traffic do you want to pass from DMZ to LAN?

On the types of NAT:

Inbound NAT is when you map specific ports destined for your WAN IP to be forwarded to an internal IP (LAN or DMZ). You will need to add firewall rules (can be done automatically) to allow the traffic. (Other firewalls call this "port forwarding".)

Server NAT is when you want multiple IPs on the WAN interface - you may need Proxy ARP for the external IPs to work - depends on your WAN connection. You can then add Inbound NAT using these additional IPs. See Inbound NAT above - firewall rule creation still applies.

1:1 NAT is when you map *ALL* ports of an external IP to *ALL* ports of an internal IP - again you may need Proxy ARP for the external IPs to work. I believe you still need to add firewall rules to allow traffic into the IP (not done automatically). I have not used this, but that is how I *THINK* it is supposed to work. (Correct me if I am wrong...) What I am *NOT* sure of is how the firewall rules are written. For the external IP or the internal IP? On the WAN interface or LAN/DMZ interface? Or external IP for WAN interface and internal IP for LAN/DMZ?

Outbound NAT - I really have no idea, this is my theory. I have read the description on the WebGUI. I think you can make outbound packets look like they are originating from an IP other than the default WAN IP. For example WAN IP is 10.0.0.1 with 10.0.0.2 as an additional external IP. Packets from 172.16.0.1 (on the LAN) look like they originated from 10.0.0.2 instead of 10.0.0.1 (default WAN IP). You would need to create multiple rules, some to handle specific source IPs and some generic source IPs. This is because with this enabled, automatic mappings are *NOT* created. With this disabled the WAN IP is used by default and mappings are automatically created. Again, I do not use this, this is just my theory on how it works. Someone correct me if I am wrong.

Related: Proxy ARP allows the WAN interface to respond for IPs other than the WAN IP - only works when WAN is static IP or DHCP (not for PPPoE/PPTP).

Most of this is paraphrased from notes on the WebGUI.

_________________________________
James W. McKeand

-----Original Message-----
From: Sven Kobow [mailto:s dot kobow at maul dash theet dot de]
Sent: Friday, September 03, 2004 5:07 AM
To: James W. McKeand
Subject: Re: [m0n0wall] Problems with DNS server replication

I tried to get the explained solution to work but without any success. But I think I found out what is going wrong: I discovered that I can not access any machine in my internal network from my DMZ but I'm not having any problems the other way round. I configured my m0n0wall to do 1:1 NAT on the WAN interface. I am not so familiar with the different types of NAT so that was the only type that I got working. I guess I have to configure NAT from the DMZ to LAN to get things working, right? Can anybody explain the different types of NAT to me or tell me the most secure way to solve the problem?

Thanx

Sven

James W. McKeand wrote:
> I think you need two rules:
>
> Interface   Source : Port     ->   Dest : Port
> DMZ         <BIND> : 53       ->   <MS DNS> : 53
> LAN         <MS DNS> : 53     ->   <BIND> : 53
>
> <BIND> being your Linux box on your DMZ, <MS DNS> being your Microsoft box on LAN (at 192.168.10.100 from the syslog below).
>
> I would suggest setting up aliases for your MS and Linux box - these are just shortcuts for creating firewall and NAT rules. In other words you can use the name of your box instead of the IP address when creating rules. The other advantage is that if you need to change the IP of a server, you do not need to edit *ALL* the rules - just the alias.
>
> If the rules don't work, it could be a problem with the Microsoft DNS not accepting the connection from the Linux box. I am assuming that this worked before you set up the m0n0wall. On the zone in question, is the Linux box listed as a Name Server for the zone (I assume yes)? Are zone transfers enabled (mine are *NOT* by default - SBS2003)? Is the Linux box shown as "allowed" to zone transfer? What IPs are shown - have these changed?
>
> _________________________________
> James W. McKeand
>
>
> -----Original Message-----
> From: Sven Kobow [mailto:s dot kobow at maul dash theet dot de]
> Sent: Thursday, September 02, 2004 6:21 AM
> To: m0n0wall mailing list
> Subject: [m0n0wall] Problems with DNS server replication
>
> Hi,
>
> I need the following problem to be solved:
>
> I got my internal net 192.168.10.0/24 and a DMZ 192.168.0./24 connected by m0n0wall. In both subnets are DNS servers (MS DNS internal, BIND DMZ). The DNS server in my internal net has the master zone for my domain and the DNS in the DMZ has a slave zone. The problem is that replication does not work properly. I checked syslog on my Linux box running BIND and found:
>
> Sep 2 12:13:30 <LINUXBOX> /usr/sbin/named[11906]: refresh_callback: zone foo.bar/IN: failure for 192.168.10.100#53: timed out
> Sep 2 12:13:30 <LINUXBOX> /usr/sbin/named[11906]: refresh_callback: zone foo.bar/IN: 192.168.10.100#53: retries exceeded
>
> I need to know how to setup rules for this to work!
>
> Thanx
>
> Sven
>
>
> --
> Kind regards
> Sven Kobow
> ---------------------------
> Maul-Theet Systeme GmbH
> ---------------------------
> Mannheimer Str. 33-34
> D-10713 Berlin
> Tel.: +49(0)30 861 14 20
> FAX : +40(0)30 86 40 96 81
> ---------------------------
> http://www.maul-theet.de
> ---------------------------
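A small model of the per-interface, first-match rule evaluation James describes, with aliases for the two DNS boxes, so the DMZ-to-LAN gap in Sven's setup can be checked against a ruleset before it goes on the box. This is an added example, not m0n0wall's own code; the BIND address 192.168.0.53 and the alias names are assumed, and the rules match any source port rather than the port 53 source in the quoted table.

```python
"""Per-interface, first-match firewall rules with aliases, applied to the
DMZ <-> LAN DNS replication case from the thread.  Added example, not
m0n0wall code; the BIND address and alias names are assumed."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# Aliases (constructed): subnets and hosts named in the thread, plus an
# assumed address for the BIND box in the DMZ.
ALIASES = {
    "LAN net": ipaddress.ip_network("192.168.10.0/24"),
    "DMZ net": ipaddress.ip_network("192.168.0.0/24"),
    "MS DNS": ipaddress.ip_network("192.168.10.100/32"),  # from the syslog
    "BIND": ipaddress.ip_network("192.168.0.53/32"),      # assumed
}

@dataclass
class Rule:
    iface: str             # interface the packet arrives on
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp" or "any"
    src: str               # alias name or "any"
    dst: str               # alias name or "any"
    dport: Optional[int]   # None = any destination port

def _addr_in(alias: str, ip: str) -> bool:
    return alias == "any" or ipaddress.ip_address(ip) in ALIASES[alias]

def matches(r: Rule, iface: str, proto: str, src: str, dst: str, dport: int) -> bool:
    return (r.iface == iface and r.proto in ("any", proto)
            and _addr_in(r.src, src) and _addr_in(r.dst, dst)
            and r.dport in (None, dport))

def decide(rules: List[Rule], iface: str, proto: str, src: str, dst: str, dport: int) -> str:
    """First matching rule on the ingress interface wins; with no match the
    packet is blocked, which is the default James describes for the DMZ."""
    for r in rules:
        if matches(r, iface, proto, src, dst, dport):
            return r.action
    return "block"

# Ruleset: the stock LAN rule already lets LAN hosts reach the DMZ, so only
# the DMZ side needs opening, and only for BIND -> MS DNS on port 53.
RULES = [
    Rule("LAN", "pass", "any", "LAN net", "any", None),
    Rule("DMZ", "pass", "tcp", "BIND", "MS DNS", 53),   # zone transfer (AXFR/IXFR)
    Rule("DMZ", "pass", "udp", "BIND", "MS DNS", 53),   # SOA refresh query
]
```

Any other DMZ host, or BIND talking to any other LAN port, still falls through to the default block, which is the narrow opening James recommends over a DMZ net:any -> *:any pass.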