Topic: Question about networking to lans  (Read 5003 times)
« on: September 12, 2007, 04:46:32 »
docunext *
Posts: 42

I've tried a bunch of different ways to set this up but I can't get it clear in my head how it works so every time I try it I get frustrated and confused easily. Here's what I'm trying to do:

* Two public IP addresses at the same location, each one goes to a different m0n0wall
* Each m0n0wall has a separate private LAN subnet, let's say 192.168.0.0/24 and 192.168.1.0/24
* I can setup a VPN between the two using IPsec, and ping back and forth from the two networks, ssh and so on
* Say I have a file server on each network with two NICs each, and one NIC on each is configured as a client of its own network (192.168.0.10 and 192.168.1.10)
* Can I use the other NIC to connect them to each other? Would I need a third subnet, like 192.168.2.0/24 (say 192.168.100.10 and 192.168.100.100)? Or should one be in the other's address space?

Then what if I wanted to access one of the machines from the other network's public IP; is that what I would use a static route for? I would add a route on the m0n0wall to the machine that's on the same network, but use the address of the card that is in the shared IP space with the other computer, i.e. 192.168.100.10?

Thanks to anyone who can help me better understand how routing works! :-)


Docunext Tech Stuff
« Reply #1 on: September 18, 2007, 04:10:05 »
docunext *
Posts: 42

Is this just a super easy task that I should know how to do??

Docunext Tech Stuff
« Reply #2 on: September 18, 2007, 12:02:08 »
markb ****
Posts: 331

Hi,
I suspect that the lack of response to your post is because we are all thinking: why? For a single physical location, why would you route local traffic, i.e. one LAN subnet to the other, via a VPN that goes through the outside world? Could you explain in as simple terms as possible what you are trying to achieve? Do you have 2 separate internet connections or just 2 IP addresses on one connection? What role are the servers playing and who needs to access them? It looks like you may be overcomplicating things a smidge.
« Reply #3 on: September 18, 2007, 19:50:28 »
docunext *
Posts: 42

Hi markb - thanks for responding and asking for more information. I actually have a good reason to do this... or at least what I think is a good reason. I use m0n0wall as a firewall for my LAN clients, like me surfing the web, but I also have a "testing ground" of public services, sometimes to set up a temporary DAV server for a client to try out remotely. Therefore, I use one of my IPs for my office computers, and one for my public servers. If I had both those networks behind the same m0n0wall, it would be difficult to see the public servers as my clients do, because NAT'd ports cannot be accessed from behind the firewall.

Let me try to be clearer:

Public IP: 1.2.2.1
My computer private IP: 192.168.123.123
My server private IP: 192.168.123.55

If I map 1.2.2.1:80, people on the outside can see 192.168.123.55:80 at 1.2.2.1:80, but I can't; I have to go directly to 192.168.123.55:80. Not a big deal most of the time, but when you start dealing with host names (like most clients want you to) and public/private DNS, it gets to be a hassle to have to update the DNS forwarder table in m0n0wall.

Oh, by the way, I finally did find a situation where I needed a static route. I have two VPNs, and behind one VPN I can ping a private DNS server on the other. But if I set up m0n0wall to use that private IP on the other LAN as a DNS server, it can't, because it's trying to go through the default gateway, but since it's a private IP, it's a no go. By using a static route, I can point it to use the VPN gateway of the other machine to reach the DNS server. Confusing stuff; it's so cool that with m0n0wall I can learn by doing.

Docunext Tech Stuff
« Reply #4 on: September 19, 2007, 05:45:45 »
cmb *****
Posts: 851

I wouldn't do this at all.  It's making a big mess of a network, for only the purpose of avoiding split DNS. (unless I'm missing something)

If you want to see things as they're seen from the outside, maybe just use the second box as a home for a test machine. You could dual home that test machine on your internal network so you could RDP or VNC or whatever into it, just don't use a gateway on the second NIC.
« Reply #5 on: September 19, 2007, 10:28:12 »
markb ****
Posts: 331

I have to agree with cmb.  It seems to be a very complicated way to do things.  Cmb would be able to confirm this, but I think that you could achieve what you are after with one more public IP address and bridge to a DMZ network.  Then there would be no need for the NAT.  Your public IP would exist on your DMZ network and you could access directly.
« Reply #6 on: September 19, 2007, 17:44:51 »
docunext *
Posts: 42

I'm surprised to hear you guys think this makes a big mess of a network. I feel like it's simplifying things, but maybe that's just my preference.

Based on my experience with the static route for internal DNS, I think I might be able to achieve what I'm aiming for with that.

Say I have a 3 port m0n0:
1.2.2.3 - public IP WAN
192.168.5.5 - client of another LAN
192.168.123.1 - gateway / router for 192.168.123.0/24

And another 2 port m0n0:
1.2.2.4 - public IP WAN
192.168.5.1 - gateway / router for 192.168.5.0/24

Can I add a static route on the two-port router so that members of 192.168.5.0/24 can access the 192.168.123.0/24 network without going through the default gateway? I'll give that a try and see what happens.

Also, I am a big fan of VNC, but I don't think that's the right solution for this situation. I guess I'm trying to figure out the best way to network my services for public, private, internal, external, etc. etc. etc., but I'm learning as I go, so I'm sure I'm doing things in not the most logical way.

Docunext Tech Stuff
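The static-route idea in Reply #6 (reach 192.168.123.0/24 from the two-port m0n0wall via 192.168.5.5 instead of the default gateway) and the DNS-over-VPN case in Reply #3 are the same mechanism: longest-prefix match in the routing table. The following is an added example, not code from the thread or from m0n0wall; it simulates the two-port box's table with the post's addresses, and assumes an ISP gateway of 1.2.2.1 (constructed, not stated in the thread).

```python
import ipaddress

# Constructed route table for the two-port m0n0wall in Reply #6 (WAN 1.2.2.4, LAN 192.168.5.1).
# The ISP gateway 1.2.2.1 is an assumption; the thread does not give it.
ROUTES_WITHOUT_STATIC = [
    ("0.0.0.0/0", "1.2.2.1"),   # default route toward the ISP (assumed gateway)
    ("192.168.5.0/24", None),   # directly connected LAN, no next hop
]

# Same table plus the static route the poster proposes: the other
# m0n0wall's LAN is reachable via its interface on this LAN (192.168.5.5).
ROUTES_WITH_STATIC = ROUTES_WITHOUT_STATIC + [
    ("192.168.123.0/24", "192.168.5.5"),
]


def lookup(routes, dst):
    """Longest-prefix match: return (matching prefix, next hop) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return str(best[0]), best[1]


def next_hop(routes, dst):
    """Return (where the packet is sent, whether it can plausibly arrive).

    'direct' means the destination is on a connected subnet. A private (RFC 1918)
    destination that falls through to the default route is marked unreachable:
    that is exactly the "it's a private IP, it's a no go" case from Reply #3,
    because the ISP will not forward it.
    """
    match = lookup(routes, dst)
    if match is None:
        return "no route", False
    prefix, gw = match
    if gw is None:
        return "direct", True
    if prefix == "0.0.0.0/0" and ipaddress.ip_address(dst).is_private:
        return gw, False
    return gw, True


if __name__ == "__main__":
    for table, label in ((ROUTES_WITHOUT_STATIC, "without static route"),
                         (ROUTES_WITH_STATIC, "with static route")):
        print(label)
        for dst in ("192.168.123.55", "192.168.5.10", "8.8.8.8"):
            print(f"  {dst:16} -> {next_hop(table, dst)}")
```

The static route only fixes the outbound half. Replies from 192.168.123.0/24 hosts go to their gateway 192.168.123.1, which in Reply #6's layout is the three-port box that also sits on 192.168.5.0/24, so the return path exists; and the three-port box's firewall rules still have to permit traffic arriving on its 192.168.5.5 interface, or the packets are forwarded only to be dropped there.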
« Reply #7 on: September 19, 2007, 17:47:49 »
docunext *
Posts: 42

Oh hey markb, I just re-read your message; that idea of having another public IP bridged over a DMZ sounds interesting.... let me see if I understand.

LAN1
1.2.2.3 - public IP
1.2.2.4 - DMZ
192.168.123.0/24

LAN2 (now 3 ports)
1.2.2.5 - public IP
1.2.2.6 - DMZ
192.168.5.0/24

Hmmm, I'm confused about where the bridge would go and how the two networks would get connected.

Docunext Tech Stuff
« Reply #8 on: September 20, 2007, 17:42:37 »
markb ****
Posts: 331

Hi, I have just had a look at the page on bridged networks; check it out: http://doc.m0n0.ch/handbook/examples-filtered-bridge.html You would still have the same problem of not being able to contact the boxes through a NAT'd interface if you used 1 Mono with 3 interfaces. However, the solution would be to have a second Mono with its WAN interface on a public IP address on the DMZ, and your LAN behind it. This way the LAN clients could connect fine to the server via its public IP address, and so could your external clients.
You would require a /29 segment from your ISP, as you would require a minimum of 3 IP addresses: 1 for the external IP of the first Mono, 1 for your server and 1 for the second Mono.
« Reply #9 on: September 24, 2007, 01:27:27 »
docunext *
Posts: 42

Hi markb, thanks for the follow-up. I've got a /28 subnet for this exact purpose, and SSL certs. I haven't tried the static route yet... soon.

Docunext Tech Stuff