Topic: all public ip address
« on: July 21, 2008, 22:49:24 »
robbieg *
Posts: 9

Hey all,

I'm a little stuck on how to get this done, so hopefully you will all be able to help me out.

My data center routed me 6 additional IP addresses that I can use and did not provide me a gateway. Currently I'm using the old gateway, which is on a different subnet altogether, and I'm looking to make things a little more standard.

so....

the current gateway is x.112.115.97
my mono wall has a public ip address of x.112.115.101
my mono wall has a 'lan' ip address of x.12.18.121

the subnet that was routed to me is x.12.18.121-126

I have a Windows box with IP address x.12.18.123.

I'm looking to have the Windows box use the mono box as its gateway for all internet traffic, and pass everything along to x.112.115.97.

I have done the following.
Set up the public IP address and 'internal' IP address.
My Windows box can ping the mono wall's internal IP address and the mono wall's public IP address. But that's where data stops at this point.

Any suggestions?

I have a windows computer that has an i
« Reply #1 on: July 21, 2008, 23:18:08 »
robbieg *
Posts: 9

As an update... I managed to be able to move data to my router and I am now able to ping www.google.com and do DNS lookups.

However... I am unable to browse the internet.

I'm looking in the firewall logs and I'm seeing that packets are getting blocked on port 80... but yet I do not see any rules saying otherwise.
« Reply #2 on: July 21, 2008, 23:22:55 »
robbieg *
Posts: 9

Also unable to ping the server from the internet.
« Reply #3 on: July 22, 2008, 10:28:38 »
markb ****
Posts: 331

Hi, you have been allocated a /29 subnet by your data centre. This gives you the 6 IP addresses. They will be routing these IP addresses to the External IP address of your router. From your description, I think that they are intended for a separate subnet, which is why you have been given no gateway, as your router would be the gateway. I would suggest that the easiest and safest way of using these would be to set up a DMZ on a third interface, otherwise you would only have 6 IP addresses on your LAN. Assign one of the IPs to the DMZ interface; it will have a 255.255.255.248 subnet mask (/29 if selecting by bits). Then enable Advanced NAT. You will need to manually create the NAT rule for your LAN and will not require any for your DMZ. You then have 5 remaining IPs to use in your DMZ. They will point to the DMZ router interface as their gateway.

Once you have these in place, you will need to set up your rules. Allow the traffic as you need to and from the subnets.

Hope I have understood what you were asking.  Good luck.
« Reply #4 on: July 22, 2008, 15:06:08 »
robbieg *
Posts: 9

Why a DMZ?

If I had some Cisco gear in this rack it would be much more simple, but sadly it's all virtual.

I just need mono wall to act as a router, put ARP information to the data center's core router so it routes through my mono wall when doing traceroutes from the internet. It should be simple, but since the examples section of the mono wall docs seems to be a little vague when it comes to 1:1 NAT, I'm lost as to how to make this happen.

« Reply #5 on: July 22, 2008, 15:14:41 »
robbieg *
Posts: 9

Internet was made to work correctly by killing all NAT rules.

However, I'm still unable to ping or traceroute to my server from the internet.
« Last Edit: July 22, 2008, 15:17:00 by robbieg »
« Reply #6 on: July 22, 2008, 17:28:18 »
Fred Grayson *****
Posts: 994

Seems to me you can just use m0n0 like any other router would be used for this purpose.

m0n0:

WAN IP: x.112.115.101
WAN Netmask: Unknown - insufficient data provided.
WAN Gateway: x.112.115.97

LAN IP: x.12.18.121
LAN Netmask: 255.255.255.248 (/29)

Network:

LAN machine usable IPs: x.12.18.122-126. Connect m0n0 LAN port to a 5 or more port switch.
LAN Netmask: 255.255.255.248
LAN Gateway: x.12.18.121

No NAT needed or used.

--
Google is your friend and Bob's your uncle.
« Reply #7 on: July 22, 2008, 20:02:39 »
robbieg *
Posts: 9

Yes, that's how it's currently set up.

But presently my data center has x.112.115.100 as the next hop for my x.12.18.x subnet. Trying to get them to change it to x.112.115.101 now and hopefully it will make ping and tracerts work. :-)
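
The routed /29 layout from replies #6 and #7, checked in code. This is an added example, not part of any post in the thread; the function name and the addresses are assumptions, with the addresses constructed from documentation ranges while keeping the thread's last octets.

```python
import ipaddress

def check_routed_subnet(routed, fw_wan, fw_lan, upstream_next_hop, hosts):
    """Return a list of problems with a routed-subnet (no NAT) layout.

    hosts maps each LAN machine's IP to the gateway configured on it.
    """
    net = ipaddress.ip_network(routed)
    usable = set(net.hosts())  # excludes the network and broadcast addresses
    fw_lan_ip = ipaddress.ip_address(fw_lan)
    problems = []

    if fw_lan_ip not in usable:
        problems.append(f"firewall LAN IP {fw_lan} is not a usable host in {net}")
    # The provider must route the subnet to the firewall's WAN address,
    # otherwise inbound packets (ping, traceroute) never reach the firewall.
    if ipaddress.ip_address(upstream_next_hop) != ipaddress.ip_address(fw_wan):
        problems.append(
            f"upstream next hop {upstream_next_hop} is not the firewall WAN IP {fw_wan}")
    for ip, gw in hosts.items():
        addr = ipaddress.ip_address(ip)
        if addr not in usable:
            problems.append(f"host {ip} is outside the usable range of {net}")
        elif addr == fw_lan_ip:
            problems.append(f"host {ip} collides with the firewall LAN IP")
        # With no NAT, every LAN machine points at the firewall's LAN interface.
        if ipaddress.ip_address(gw) != fw_lan_ip:
            problems.append(f"host {ip} uses gateway {gw}, expected {fw_lan}")
    return problems

# Constructed sample values (documentation ranges, last octets as in the thread).
ROUTED = "203.0.113.120/29"
FW_WAN, FW_LAN = "198.51.100.101", "203.0.113.121"
HOSTS = {"203.0.113.123": "203.0.113.121"}

def demo():
    # Next hop still pointing at .100 (reply #7), then corrected to .101.
    before = check_routed_subnet(ROUTED, FW_WAN, FW_LAN, "198.51.100.100", HOSTS)
    after = check_routed_subnet(ROUTED, FW_WAN, FW_LAN, "198.51.100.101", HOSTS)
    return before, after

if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result or "OK")
```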
« Reply #8 on: July 23, 2008, 10:17:35 »
markb ****
Posts: 331

Why a DMZ?

If I had some Cisco gear in this rack it would be much more simple, but sadly it's all virtual.

I just need mono wall to act as a router, put ARP information to the data center's core router so it routes through my mono wall when doing traceroutes from the internet. It should be simple, but since the examples section of the mono wall docs seems to be a little vague when it comes to 1:1 NAT, I'm lost as to how to make this happen.


I only said that a DMZ was simplest because the data centre is forwarding a subnet to you.  Proxy ARP should work, but it is more complicated since you will also need to set up the 1:1 NAT.
« Reply #9 on: July 26, 2008, 22:17:44 »
cmb *****
Posts: 851

Proxy ARP plus whatever NAT configuration you want to use is all you need.
« Reply #10 on: July 30, 2008, 21:43:44 »
robbieg *
Posts: 9

At this point I can get all but two IP addresses to work.

I think it's a datacenter issue and not an issue on my end.

Basically I set up m0n0 wall to defaults, assigned network cards and set up the LAN IP address. Changed firewall rules to allow on both LAN and WAN, checked the Enable advanced outbound NAT box, set the LAN IP address and it all seems to be happy now. :-)
 