Topic: Mapping WAN IP's To NAT'ed interfaces  (Read 2342 times)
« on: November 07, 2007, 23:34:32 »
baddog *
Posts: 6

While I feel pretty comfortable with configuring a single WAN address, I am not sure at all about how to do this.

I have a block of IPs ending with .169-.173, with the gateway at .174.  I would like to:

Map .169 to, say, the LAN port and run NAT on it.
« Reply #1 on: November 08, 2007, 13:38:56 »
Max2950 ***
Posts: 120

Is your IP block address 169 - 173 a public block? I cannot exactly figure out what you want to do.
« Reply #2 on: November 08, 2007, 18:45:45 »
baddog *
Posts: 6

That's because the message got cut off -- sorry.  Not sure how that happened.

Basically, I want to map each of 4 different static IPs assigned to me from my ISP to each of 4 different LAN segments.  I want to run NAT on each LAN segment.  I want to use a single m0n0wall box.

I think the right way to do this is to have a rule on each LAN segment/interface that ignores all traffic from the WAN other than for the static IP to which it is associated, then run NAT on each segment.  I also want to put in some more firewall statements.  What keeps throwing me is that I don't really understand the semantics of the tabs on the Firewall page. 

If I create a rule in the OPT1 section/tab that has as a source the WAN interface, what does that mean?  Will the rule only be processed with respect to the OPT1 interface?  Or are the tabs merely a convenience for grouping things?  If the latter is the case, then I can't use a block or reject rule, since that rule would always deny the other interfaces any traffic at all, since that would be the first rule that matches and processing would stop. 

Do I have to bridge all four segments to get this to work?  I really want to be able to use NAT to drive traffic to several different servers on one NAT segment based on port number.  Does bridging preclude NAT?

Assuming my original idea was correct, do I need to create "server NAT" entries?  Or can I, within each interface section/tab, just use the WAN interface and specify a destination of the associated external IP address?  If so, how does this interact with NAT?

I have only ever needed to deal with a single IP before, and have never needed bridging, so I don't know much about its strengths and limitations.

I would have just experimented, but I can't really try it right now, since I only get a 5 minute trial window every few days.  Once it works minimally I can have more time, since I can leave the device in.

Any help appreciated.
« Reply #3 on: December 14, 2007, 11:58:38 »
apnovi *
Posts: 13

If you have been assigned multiple addresses by your ISP, you would have to add those addresses to your Server NAT, except for the IP address used by your m0n0wall box, as it obviously already knows about that address.

eg
Server NAT Page

External IP address      Description
xxx.xxx.xxx.170             svr1
xxx.xxx.xxx.171             svr2
xxx.xxx.xxx.172             svr3
xxx.xxx.xxx.173             svr4

When you are creating NAT'd ports you can now use the external address from a drop-down list containing the above.

Remember, all traffic leaving your LAN will go out by default through the main m0n0wall external IP. This can be problematic with outbound mail servers etc., so you can then use advanced outbound NAT to control the external IP that a host will communicate on.

eg
NAT Outbound page

IFACE      SOURCE     DEST     TARGET
WAN        svr1       *        xxx.xxx.xxx.170


Hope this helps