 From:  Chet Harvey <chet at pittech dot com>
 To:  Terry Miller <terry at millfam dot org>
 Cc:  'Rodman Frowert' <frowertr at i dash 1 dot net>, m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Unable to ping DMZ hosts from LAN
 Date:  Tue, 7 Sep 2004 15:19:45 -0400
mmmm I don't agree with this as it would defeat the purpose of a DMZ. You 
should be able to simply add a rule to allow all LAN traffic to the DMZ. You 
will need a static route from the LAN to the DMZ since they are on different 
networks. That should cover it. You would never want to allow any traffic from 
the DMZ to your LAN unless it was for a specific reason.

I have a net4521 with one wifi card for internal use (LAN) and the second as 
the captive portal in "DMZ" mode. I also have the second NIC as a server DMZ.

I have one rule for each DMZ:

Proto:    Source:    Port:    Destination:    Port:
*         Lan        *        Opt2            *

I also have a static route for LAN > DMZ


wish I could see my box from here so I could give a SS.



Chet Harvey
Pitbull Technologies <http://www.pittech.com/> 
Protecting your Digital Assets
703.407.7311


Quoting Terry Miller <terry at millfam dot org>:

> There will also need to be a rule on the lan interface that allows traffic
> from the dmz to the lan. 
> 
> 
> -----Original Message-----
> From: Rodman Frowert [mailto:frowertr at i dash 1 dot net] 
> Sent: Tuesday, September 07, 2004 11:47 AM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Unable to ping DMZ hosts from LAN
> 
> 
> Hey Terry,
> 
> Yes the machines (actually they are wireless access points) are set to 
> respond to pings.  I can ping them through the webgui interface of m0n0 just
> fine.  They are also set to use m0n0 as their gateway.  They work just fine 
> as far as using them for access points for my hotspot.  I just can't talk to
> them from my LAN. :-(
> 
> >Do the firewalls allow telnet and ICMP?
> 
> Well, the only firewall rule for my LAN device is:
> 
> Proto:    Source:    Port:    Destination:    Port:
> *         Lan net    *        *               *
> 
> I assume this would allow anything to pass to the DMZ (as well as everywhere
> else) as long as I don't specifically have a rule set for the DMZ interface 
> to block LAN requests...
> 
> I tried setting up a firewall rule in the DMZ and put it at the top that 
> had:
> 
> Proto:    Source:    Port:    Destination:    Port:
> *         Lan net    *        DMZ             *
> 
> and...
> 
> Proto:    Source:    Port:    Destination:    Port:
> *         *          *        *               *
> 
> Neither of these had any effect.  I still can't talk to any of the APs in 
> my DMZ from my LAN.
> 
> Rodman
> 
> ----- Original Message ----- 
> From: "Terry Miller" <terry at millfam dot org>
> To: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Tuesday, September 07, 2004 11:18 AM
> Subject: RE: [m0n0wall] Unable to ping DMZ hosts from LAN
> 
> 
> Is the machine in the dmz set to use monowall as the default gateway and
> respond to pings? Do the firewalls allow telnet and ICMP?
> 
> I was just burned on step 1 last week.
> 
> 
> 
> -----Original Message-----
> From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
> Sent: Tuesday, September 07, 2004 10:34 AM
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] Unable to ping DMZ hosts from LAN
> 
> 
> Hey guys,
> 
> I looked through the archives and didn't find any answers I thought would be
> beneficial to me so I thought I would ask.  I can't seem to ping anything in
> the DMZ (other than my m0n0 DMZ interface) from my LAN.  Now I can ping DMZ
> hosts from the m0n0 GUI, however.
> 
> Is there something that is set that is preventing me from talking to DMZ
> hosts from my LAN?  I only have one LAN rule and it is the default rule that
> was enabled when m0n0 was installed:  Default LAN --> any.  The DMZ rules I
> have set apply to what can come out of the DMZ only because this is my
> hotspot.
> 
> I would like to eventually put a webserver in my DMZ, so you can imagine I
> at least need telnet access to the machine from my LAN.
> 
> My LAN is 192.168.1.x/24
> My DMZ is 10.10.10.x/24
> 
> What am I missing?  Am I going to have to bridge these two to do what I want
> to do?
> 
> Rodman
> 
> 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
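The thread turns on which interface's rules actually see a given packet. The script below is an added example, not m0n0wall code and not anything posted in the thread: a toy model of per-interface, first-match, stateful rule evaluation, using the LAN (192.168.1.0/24) and DMZ (10.10.10.0/24) networks from Rodman's post. The semantics it assumes are stated as assumptions: a rule is consulted only for packets entering the firewall on that rule's interface, the first match wins, an interface with no matching rule drops the packet, and the reply to a flow that was already passed is allowed by state without consulting rules. The DMZ interface name "opt1" and the host addresses are constructed for the example. Under that model the default "LAN net -> any" rule passes the echo request and the reply returns by state, the "LAN net -> DMZ" rule added on the DMZ interface never matches anything (LAN-originated packets do not enter on opt1), and unsolicited DMZ-to-LAN traffic stays blocked unless a rule on the DMZ interface allows that specific case. The model says nothing about the DMZ hosts themselves, which is where Terry's gateway question points.

```python
"""Toy model of per-interface, first-match, stateful firewall rules.

Added example for the m0n0wall thread above; it is not m0n0wall code.
Assumed semantics (labelled as assumptions): a rule is consulted only for
packets that ENTER the firewall on the rule's interface; the first matching
rule wins; an interface with no matching rule drops the packet; and a packet
that is the reply to a flow already passed is allowed by state without
consulting any rule. The DMZ interface name "opt1" and the host addresses
are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Tuple, Union

LAN_NET = ip_network("192.168.1.0/24")   # LAN, from the thread
DMZ_NET = ip_network("10.10.10.0/24")    # DMZ, from the thread

Selector = Union[str, IPv4Network]       # "*" (any) or a network


@dataclass(frozen=True)
class Rule:
    iface: str                 # interface the packet enters on
    action: str                # "pass" or "block"
    proto: str                 # "*", "icmp", "tcp" or "udp"
    src: Selector
    dst: Selector
    dport: Union[str, int] = "*"


@dataclass(frozen=True)
class Packet:
    iface: str                 # ingress interface
    proto: str
    src: str
    dst: str
    sport: int = 0             # 0 for ICMP
    dport: int = 0


def _net_match(sel: Selector, addr: str) -> bool:
    return sel == "*" or ip_address(addr) in sel


def _rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface == pkt.iface
            and rule.proto in ("*", pkt.proto)
            and _net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and rule.dport in ("*", pkt.dport))


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.state = set()     # flows already passed: (proto, src, sport, dst, dport)

    def evaluate(self, pkt: Packet) -> str:
        # Reply direction of an allowed flow: passes by state, no rule consulted.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.state:
            return "pass (state)"
        # Otherwise the first matching rule on the ingress interface decides.
        for n, rule in enumerate(self.rules, 1):
            if _rule_matches(rule, pkt):
                if rule.action == "pass":
                    self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return f"{rule.action} (rule {n} on {rule.iface})"
        return f"block (no rule on {pkt.iface}; default deny)"


# Rodman's rule set: only the default "LAN net -> any" on the LAN interface.
DEFAULT_LAN_ONLY = [Rule("lan", "pass", "*", LAN_NET, "*")]
# The same, plus the "LAN net -> DMZ" rule he tried on the DMZ interface.
WITH_DMZ_RULE = DEFAULT_LAN_ONLY + [Rule("opt1", "pass", "*", LAN_NET, DMZ_NET)]


def ping_lan_to_dmz(rules: List[Rule]) -> Tuple[str, str]:
    """Echo request from a LAN host to a DMZ AP, then the AP's echo reply."""
    fw = Firewall(rules)
    request = Packet("lan", "icmp", "192.168.1.10", "10.10.10.20")
    reply = Packet("opt1", "icmp", "10.10.10.20", "192.168.1.10")
    return fw.evaluate(request), fw.evaluate(reply)


def telnet_dmz_to_lan(rules: List[Rule]) -> str:
    """Unsolicited TCP/23 from a DMZ host into the LAN (a reply to nothing)."""
    fw = Firewall(rules)
    pkt = Packet("opt1", "tcp", "10.10.10.20", "192.168.1.10", sport=40000, dport=23)
    return fw.evaluate(pkt)


if __name__ == "__main__":
    for name, rules in (("default LAN rule only", DEFAULT_LAN_ONLY),
                        ("plus LAN net -> DMZ rule on opt1", WITH_DMZ_RULE)):
        print(name)
        print("  LAN -> DMZ ping:", ping_lan_to_dmz(rules))
        print("  DMZ -> LAN telnet:", telnet_dmz_to_lan(rules))
```

To allow one specific DMZ-to-LAN case in this model, the rule has to live on the DMZ interface with the DMZ network as its source, e.g. `Rule("opt1", "pass", "tcp", DMZ_NET, LAN_NET, 23)`; a rule with the LAN network as source placed on the DMZ interface matches nothing arriving there.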