Topic: Am I understanding the firewall correctly? Please check xml!  (Read 2139 times)
« on: December 12, 2007, 09:09:08 »
carl *
Posts: 10

Hi,
I'm trying to set up a test environment with some "talkative" servers that must remain separated from my production network.

I have exact copies of an Active Directory, a SQL Server, and a client machine. They are on their own test network that is physically disconnected from the production network.

I am now attempting to connect my test network and my production network with m0n0wall.

I am having trouble creating the proper rules.

I have my production network connected to the WAN interface, and my test network on the LAN interface.

First I created a block for all hosts with any protocol and placed that at the bottom of my firewall rules and built up from there:

- I have VNC running on all of the machines on my network, so port 5900 must be accessible from the WAN -> LAN and LAN -> WAN.

- I would ideally like to ping my hosts in both directions, so I enabled all types of ICMP traffic in both directions.

- I need web access on the computers on the LAN side, so I allowed port 80 and 443 requests through the LAN.

I think I am doing this correctly, but I may be misunderstanding the rules. Please take a look at my XML and let me know:

NOTE:
In my XML config, I created an alias named LAN for my LAN-side network (192.168.1.1/24) and one for the WAN side (192.168.0.1/24).

* config-m0n0wall.local-20071212014950.xml.txt (2.81 KB - downloaded 167 times.)
« Reply #1 on: December 12, 2007, 11:02:44 »
markb ****
Posts: 331

Hi Carl,
Most of this looks fine. You have the following rules set up:
- Allow traffic from WAN to WAN interface on port 80
- Allow traffic from WAN to LAN subnet port 5900
- Block all from WAN to Anywhere
- Allow traffic from LAN subnet to WAN subnet port 80
- Block all traffic from LAN to Anywhere

If you wish to get from the LAN to WAN using VNC, you will need to add a rule to the LAN interface allowing 5900.
There are no rules for HTTPS and ICMP as you mentioned.

It looks like your understanding of the rules is fine, though. You will need to enable Advanced Outbound NAT, which will remove the automatic NAT rules and enable you to get to the individual machines on the LAN to use VNC on them.
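The first-match reading behind markb's walk-through of the rules, as an added example that is not from the thread or from m0n0wall itself: a small Python evaluator over a constructed, simplified m0n0wall-style rule XML encoding the five rules listed above, with the LAN and WAN aliases assumed to be 192.168.1.0/24 and 192.168.0.0/24 as carl described. It models the filter only, not the outbound NAT, and shows why LAN -> WAN VNC falls through to the LAN "block all" rule.

```python
import ipaddress
from xml.etree import ElementTree as ET

# Constructed, simplified m0n0wall-style rule set mirroring the five rules
# markb lists (not carl's real attachment). Rules apply per ingress interface,
# first match wins, and anything unmatched is dropped (default deny).
RULES_XML = """
<filter>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><network>wan</network></source><destination><network>wan</network><port>80</port></destination></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><network>wan</network></source><destination><network>lan</network><port>5900</port></destination></rule>
  <rule><type>block</type><interface>wan</interface><protocol>any</protocol>
    <source><network>wan</network></source><destination><any/></destination></rule>
  <rule><type>pass</type><interface>lan</interface><protocol>tcp</protocol>
    <source><network>lan</network></source><destination><network>wan</network><port>80</port></destination></rule>
  <rule><type>block</type><interface>lan</interface><protocol>any</protocol>
    <source><network>lan</network></source><destination><any/></destination></rule>
</filter>
"""
# The LAN/WAN aliases from the original post, as networks (assumed values).
NETWORKS = {"lan": ipaddress.ip_network("192.168.1.0/24"),
            "wan": ipaddress.ip_network("192.168.0.0/24")}

def _endpoint_matches(ep, ip, port):
    """True if a <source>/<destination> element matches the address and port."""
    if ep.find("any") is not None:
        return True
    net = ep.findtext("network")
    if net and ipaddress.ip_address(ip) not in NETWORKS[net]:
        return False
    rule_port = ep.findtext("port")
    return rule_port is None or int(rule_port) == port

def decide(interface, proto, src, dst, dport=None, rules_xml=RULES_XML):
    """Action for a packet entering `interface`: the first matching rule wins."""
    for rule in ET.fromstring(rules_xml.strip()).findall("rule"):
        if rule.findtext("interface") != interface:
            continue
        if rule.findtext("protocol") not in ("any", proto):
            continue
        if not _endpoint_matches(rule.find("source"), src, None):
            continue
        if not _endpoint_matches(rule.find("destination"), dst, dport):
            continue
        return rule.findtext("type")
    return "block"  # nothing matched: m0n0wall's implicit default deny
```

Calling `decide("lan", "tcp", "192.168.1.10", "192.168.0.20", 5900)` returns "block", while the reverse direction on the WAN interface returns "pass", which is exactly the missing LAN-side rule markb points out.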
« Reply #2 on: December 12, 2007, 15:35:32 »
carl *
Posts: 10

I think it's that Advanced Outbound NAT that was throwing me off before.

Yes, I do not have all the rules in place yet. I wanted to be sure I was on the right track before I added them all.

I had all of the rules in when I was trying it, and it did not work, so I wanted to start simple.

I'll do some testing with this new information.

Thank you!
« Reply #3 on: December 13, 2007, 03:00:53 »
carl *
Posts: 10

I added all of the rules I required, and enabled advanced outbound NAT and everything looks like it's working just the way I desired!

For the advanced NAT I had to add an outbound NAT entry to allow people to access the WAN interface from the LAN interface. This is obvious, though.

Thanks for your help!!!