Topic: "Public" firewall  (Read 2994 times)
« on: June 03, 2008, 00:22:59 »
enigmadmin *
Posts: 5

hello fellow monowall lovers

i am intending to make a 3 router environment, having the monowall connected to a cablemodem on the wan port and two individual nat routers connected on the 2 lan ports.

thing is, i get several DYNAMIC IP's from the cablemodem over dhcp - i've managed to get the wan port suited with a public ip - now i want the two nat routers to also get a public ip (the monowall's nat is intended to be turned off)

which is the best way to achieve this? i've read through the handbook, yet it seems to not be detailed enough when it comes to dynamic wan ip's

thanks for your help!
« Reply #1 on: June 03, 2008, 02:55:39 »
Fred Grayson *****
Posts: 994

Maybe I'm missing something here, but what function, other than a hub or switch, will m0n0wall be performing for you?

--
Google is your friend and Bob's your uncle.
« Reply #2 on: June 03, 2008, 07:39:17 »
knightmb ****
Posts: 341

You are talking about a double-nat setup. You have to make sure the ranges don't overlap.  Such as your WAN IP may be DHCP, but that won't matter. The LAN and OPT1 ranges will be somewhat important for this, such as LAN might be 192.168.0.1/24 and OPT1 192.168.1.0/24

Then your two NAT devices both need to be yet another range, like 192.168.35.1/24 for the first and 192.168.36.1/24 for the other.

It will work, but double NAT just means a lot more work if you are doing anything other than outbound only connections.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
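
The non-overlap rule from the reply above, as an added example (not code from the thread or from m0n0wall). The router names, their WAN-side addresses and the `uplink` field are assumptions for illustration; the subnets are the ones given in the post. It goes slightly beyond the post by also checking that each router's WAN address sits inside the m0n0wall subnet it plugs into, and by optionally checking a WAN lease in case the modem hands out a private address.

```python
import ipaddress
from itertools import combinations

# Constructed plan using the example ranges from the post above.
# Router names, "uplink" and "wan_ip" values are assumptions for illustration.
M0N0_INTERFACES = {"LAN": "192.168.0.1/24", "OPT1": "192.168.1.0/24"}
ROUTERS = {
    "router-a": {"uplink": "LAN", "wan_ip": "192.168.0.2", "lan": "192.168.35.1/24"},
    "router-b": {"uplink": "OPT1", "wan_ip": "192.168.1.2", "lan": "192.168.36.1/24"},
}

def net(cidr):
    # strict=False accepts host-style notation such as 192.168.35.1/24
    return ipaddress.ip_network(cidr, strict=False)

def check_plan(m0n0, routers, wan_lease=None):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    nets = {f"m0n0wall {name}": net(cidr) for name, cidr in m0n0.items()}
    nets.update({f"{r} LAN": net(cfg["lan"]) for r, cfg in routers.items()})
    if wan_lease:
        nets["m0n0wall WAN (DHCP lease)"] = net(wan_lease)
    # Every routed segment in the double-NAT chain must be distinct.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} {na} overlaps {b} {nb}")
    # Each downstream router's WAN side must live in its uplink subnet.
    for r, cfg in routers.items():
        uplink = net(m0n0[cfg["uplink"]])
        if ipaddress.ip_address(cfg["wan_ip"]) not in uplink:
            problems.append(f"{r} WAN {cfg['wan_ip']} is outside {cfg['uplink']} {uplink}")
    return problems

if __name__ == "__main__":
    for line in check_plan(M0N0_INTERFACES, ROUTERS) or ["plan is consistent"]:
        print(line)
```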
« Reply #3 on: June 04, 2008, 00:20:23 »
enigmadmin *
Posts: 5

i'd prefer not to have additional nat's in between - especially because of the vpn's

fredg - well it is kinda going towards what u call a hub/switch
yet the intention would be, to still have the possibility to restrict/allow things etc

i've never done a setup like this - only had a network once, where i had a public subnet on the wan interface and another public one on the lan side, but those were also static ip's i had

if i'm heading in the wrong direction, please correct me

what definitely should be possible, is to be able to connect the monowall to the cable modem and the other 2 routers to the monowall. also offsite vpn (server here is one of the 2 routers), vpn from wan and vpn from lan to lan must be possible (talking about ipsec and l2tp). what also would be nice is to be able to do individual port mappings on the 2 routers - e.g. there's a web server on port 80 on every lan, now i should be able to connect to both over individual wan ip's. apart from that, also very important is that i don't want to have to do a port mapping on 2 devices for 1 port

thnx for your help guys
« Reply #4 on: June 04, 2008, 21:57:15 »
enigmadmin *
Posts: 5

i think i found something that goes into my direction http://doc.m0n0.ch/handbook/faq-ipalias.html

if i understand the text properly, i need a 1:1 nat with additional proxy arp entries

problem is - how do i assign a proxy arp entry properly for an ip i get over dhcp from the provider?

also, how do i add a 1:1 nat mapping if i get the ip's over dhcp from my provider?

or is there maybe a solution using vlan's?
« Last Edit: June 04, 2008, 22:25:18 by enigmadmin »
« Reply #5 on: June 12, 2008, 07:26:30 »
knightmb ****
Posts: 341

> i think i found something that goes into my direction http://doc.m0n0.ch/handbook/faq-ipalias.html
>
> if i understand the text properly, i need a 1:1 nat with additional proxy arp entries
>
> problem is - how do i assign a proxy arp entry properly for an ip i get over dhcp from the provider?
>
> also, how do i add a 1:1 nat mapping if i get the ip's over dhcp from my provider?
>
> or is there maybe a solution using vlan's?

As far as I know 1:1 NAT only works for static IP addresses. It's not that you can't manually put those in, but unless you are going to update this every time the DHCP changes, it would be a maintenance nightmare.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com