Topic: migrating servers to monowall DMZ [newbie question]  (Read 3021 times)
« on: July 09, 2008, 16:14:54 »
sleepylight *
Posts: 5

Hi,

I have two servers that are currently residing on my lan, and I am intending to move them into a DMZ so that I can have lan access to them, and limited access from the internet. I've followed the example configuration in the Monowall documentation (http://doc.m0n0.ch/handbook/examples.html#id11577634). For the moment, I've just placed my laptop in the DMZ as a mock server to test connections. Things are looking pretty good so far.

I can reach my laptop from the internet, I can also go from my laptop to the internet.  The connections to anything other than my company's DNS are blocked from the laptop to the LAN.  And, with a little configuration, I can get from the LAN computers to the laptop in the DMZ.

Here's my problem.  My lan is 10.35.XXX.XXX, and my DMZ is 192.168.128.XXX.  Both use 24 bit subnet masks.  If I set a static route on my desktop machine I can go through the firewall and ping computers on the DMZ.  However, if I don't do any special configuration, I can't get to my DMZ from the LAN.

I have two servers to move, both have static IPs on the lan. What I'd like to do is move them into the DMZ and create NAT rules for monowall, so that if anyone connects to the servers' LAN IPs, they'll be routed to the DMZ IPs. I figure to do that, I'll have to assign multiple IPs to the LAN interface on the monowall, and set up two new NAT rules. The problem is, I can't find a way to do either of those.

So, is there a way to do what I want, or is there a simpler way to implement this?  I don't have permissions to change either our DNS or our router's tables.

Thanks.

-Max

« Reply #1 on: July 10, 2008, 10:23:50 »
markb ****
Posts: 331

I think that you are describing the old problem of not being able to access NAT'd services from the LAN using the external DNS name. More reading can be found here. The crux of the issue is that the DNS will resolve the server name to your external IP address. The simplest way to get round this is to put in a separate DNS entry in your internal DNS (on the Mono box if you are using its DNS forwarder) that resolves to the internal IP address of your box on the DMZ.
« Reply #2 on: July 10, 2008, 17:55:32 »
sleepylight *
Posts: 5

That's sort of the idea, but not quite.  Really I think I'm asking more of a routing question than anything else.  Perhaps I'm overstating the problem.

My two servers that are going into the DMZ have IPs and are on my LAN right now. When I move them to the DMZ they'll get new IPs. How can I access them, in the DMZ, from the LAN and continue to use their old DNS information?

That is, can I have monowall listen for connections on the two old LAN IPs, and forward that traffic into the DMZ?

Maybe that's a better way of stating things.
« Reply #3 on: July 10, 2008, 21:54:12 »
sleepylight *
Posts: 5

My problem at this point is pretty close to solved.  I ditched the traditional DMZ setup and decided to set up a filtered bridge instead.  This way I don't have to worry about adding extra IPs or anything like that.  I bridged OPT1 and my LAN together, and now I can just place my servers on the OPT1 side, and leave their IPs alone.  (Not to mention DNS entries)

Anyway, thanks to markb and all those who looked at this.

-Max
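The two designs discussed in this thread (the routed DMZ where the firewall would answer on the servers' old LAN addresses and translate into the DMZ, and the filtered bridge the poster settled on) differ in where the isolation actually lives. The following script is an added example, not code from the thread or from m0n0wall: it checks a proposed old-LAN-IP to DMZ-IP mapping for the mistakes that make the routed design fail, explains the static-route symptom from the first post, and emits the rule skeleton for each design. The subnets come from the thread; the specific host addresses, the interface names `lan`/`opt1`, the port list, and the pf-style `binat`/`pass`/`block` syntax are assumptions for illustration and are not m0n0wall's own configuration format.

```python
import ipaddress

# Constructed placeholders inside the subnets the poster gave
LAN_NET = ipaddress.ip_network("10.35.0.0/24")        # poster: 10.35.XXX.XXX /24
DMZ_NET = ipaddress.ip_network("192.168.128.0/24")    # poster: 192.168.128.XXX /24
FW_LAN_ADDR = ipaddress.ip_address("10.35.0.1")       # assumed m0n0wall LAN address
FW_DMZ_ADDR = ipaddress.ip_address("192.168.128.1")   # assumed m0n0wall OPT1 address

# Constructed server mapping: old LAN address -> intended DMZ address
SERVERS = {
    "10.35.0.10": "192.168.128.10",
    "10.35.0.11": "192.168.128.11",
}


def route_for(dst, src_net, firewall_is_default_gw):
    """Explain why a LAN host can or cannot reach an address.

    Mirrors the symptom in the first post: a LAN host reaches the DMZ subnet
    only if the firewall is its default gateway or it carries a static route
    (the poster could not change the company router, hence the static route).
    """
    dst = ipaddress.ip_address(dst)
    if dst in src_net:
        return "on-link"
    if firewall_is_default_gw:
        return "via default gateway"
    return "needs static route to firewall"


def validate_mapping(servers, lan_net=LAN_NET, dmz_net=DMZ_NET,
                     fw_lan=FW_LAN_ADDR, fw_dmz=FW_DMZ_ADDR):
    """Return problems with a proposed old-LAN-IP -> DMZ-IP mapping.

    For the design asked about in reply #2, each old address must stay inside
    the LAN subnet (LAN hosts ARP for it on-link and the firewall answers),
    must not be one of the firewall's own addresses, and each DMZ target must
    be inside the DMZ subnet and be used only once.
    """
    problems = []
    seen = set()
    for old, new in servers.items():
        o, n = ipaddress.ip_address(old), ipaddress.ip_address(new)
        if o not in lan_net:
            problems.append(f"{old}: not inside LAN {lan_net}")
        if o == fw_lan:
            problems.append(f"{old}: is the firewall LAN address")
        if n not in dmz_net:
            problems.append(f"{new}: not inside DMZ {dmz_net}")
        if n == fw_dmz:
            problems.append(f"{new}: is the firewall DMZ address")
        if n in seen:
            problems.append(f"{new}: mapped more than once")
        seen.add(n)
    return problems


def nat_rules(servers, lan_if="lan", dmz_if="opt1", allowed_ports=(22, 80, 443)):
    """Rule skeleton for the routed design (pf-style syntax, assumed)."""
    ports = ", ".join(str(p) for p in allowed_ports)
    rules = [f"# {lan_if}: add each old LAN address as an interface alias so the firewall answers ARP for it"]
    for old, new in servers.items():
        # binat is bidirectional: LAN->old is rewritten to LAN->new, replies map back
        rules.append(f"binat on {lan_if} from {new} to any -> {old}")
        # filter rules see the post-translation (DMZ) address
        rules.append(f"pass in on {lan_if} proto tcp from {LAN_NET} to {new} port {{ {ports} }} keep state")
        # a compromised server must not be able to originate traffic into the LAN
        rules.append(f"block in on {dmz_if} from {new} to {LAN_NET}")
    return rules


def bridge_rules(servers, dmz_if="opt1", allowed_ports=(22, 80, 443)):
    """Rule skeleton for the filtered bridge the poster settled on.

    Servers keep their LAN addresses and DNS names, so there is no NAT, but the
    servers now share the LAN's layer-2 broadcast domain: the filter on the
    bridged OPT1 interface is the only separation left, so default-deny both
    ways and allow only the services each server is meant to expose.
    """
    ports = ", ".join(str(p) for p in allowed_ports)
    rules = [f"block in on {dmz_if} all", f"block out on {dmz_if} all"]
    for old in servers:
        # 'out on opt1' is traffic leaving the firewall toward the server side
        rules.append(f"pass out on {dmz_if} proto tcp from {LAN_NET} to {old} port {{ {ports} }} keep state")
    return rules


if __name__ == "__main__":
    print(route_for("192.168.128.10", LAN_NET, firewall_is_default_gw=False))
    print("mapping problems:", validate_mapping(SERVERS))
    print("\n".join(nat_rules(SERVERS)))
    print("\n".join(bridge_rules(SERVERS)))
```

The `validate_mapping` checks are the ones that silently break the routed design: an old address outside the LAN subnet is never ARPed for on-link, and reusing the firewall's own address or double-mapping a DMZ target produces a rule set that loads but does not do what the thread asks for.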