Topic: Accessing a DSL or cable modem IP from inside the firewall  (Read 18185 times)
« Reply #15 on: October 02, 2008, 11:12:43 »
john99 *
Posts: 44

Quote
No, you will only have to add additional NAT rules for the DMZ

Thanks for the feedback! As I understand you, several NAT rules (from the DMZ to WAN) are required in order to be able to access a cable modem behind m0n0wall from within the DMZ...

Question:
Do you mean 2 NATs, an (additional) "normal LAN NAT" (interface LAN) and a "modem NAT" (interface OUT)?


Thank you in advance!

John
« Reply #16 on: October 02, 2008, 17:13:21 »
markb ****
Posts: 331

Not quite sure I understand what you are suggesting. On the existing setup, you are only adding the NAT rule to get to the DSL modem because you already have a "to any" NAT rule and you need the other one to go to the modem. It depends on how you set up your DMZ. If you are using a private range and port forwarding from your WAN IP, you will want to have a NAT rule to get on to the internet and also a NAT rule to get to the DSL modem, the same as your existing LAN. If you are using several IPs on your WAN interface with Proxy ARP, you would have to add the 1:1 NAT rules for the proxied addresses and a separate one for the DSL modem. If you have an external subnet routed to you or are bridging the interfaces, I don't think you would require any NAT rules.

This does of course beg the question: why would you want to access your DSL modem from your DMZ? By definition a DMZ is untrusted. Giving a machine in a DMZ access to your modem is a potential weakness in your security.
« Reply #17 on: December 11, 2008, 10:24:50 »
john99 *
Posts: 44

Hello again,

now everything becomes more complicated because I am going to add an additional m0n0 box (ALIX2C1)
and change the IP of the old net.


OLD Outbound NATs (just for information)
****************
Interface ¦ Source         ¦ Destination ¦ Target      ¦ Description
WAN       ¦ 192.168.0.0/24 ¦ *           ¦ *           ¦ normal LAN NAT
OUT       ¦ 192.168.0.0/24 ¦ *           ¦ 192.168.1.2 ¦ modem NAT


--------------------------------------------------------------
NEW setup:

-Router: bridge mode
-m0n0:  terminating PPPoE / DynDNS (on firewall1/DMZ)


FireWall2 (internal) (subnet1: WXP workstations / subnet2: W2K3 ADS / file server and DB)
*****************
WAN-IP:   10.0.1.2/24
LAN-IP:   10.0.3.1/24
OPT(?):   10.0.2.1/24



FireWall1 (DMZ) (mail server, DNS server (only for the mail server))
************
LAN-IP:   10.0.1.1/24
WAN-IP:   ?


Bridge
*****
IP: ?



Questions:

Quote
This does of course beg the question: why would you want to access your DSL modem from your DMZ?
By definition a DMZ is untrusted. Giving a machine in a DMZ access to your modem is a
potential weakness in your security.

1.
Hmm, interesting. Did I forget other important things to consider?

2.
What IP should I assign to the WAN interface of firewall1 (DMZ)?
2.1
What IP should I assign to the interface of the bridge/modem?



Thank you very much in advance for any feedback/help!


John
« Reply #18 on: December 12, 2008, 10:42:24 »
markb ****
Posts: 331

Hi John,
Have a look at this.
(http://i232.photobucket.com/albums/ee216/markbarl/Network.jpg)

I think that you will be better off with the 3-way firewall first, as this avoids routing DMZ traffic through your LAN.
The WAN interface of Firewall 1 can be set up as previously to access the modem. You should be able to sort this. I would point out the following though, to point you in the right direction.
    Firewall 1 will require a static route to the 10.0.3.0/24 subnet through 10.0.1.2
    On Firewall 1, you will have to check the Static route filtering option in the advanced config screen.

(http://i232.photobucket.com/albums/ee216/markbarl/ScreenShot024.jpg)

    On Firewall 2 you will have to enable advanced NAT. No NAT rules are required.
    Also on firewall 2 you will have to uncheck the block private networks on the WAN config page.

I would recommend that you set it all up with any to any rules between the local subnets to prove it all works, then start to restrict the traffic.

Good luck.
« Reply #19 on: December 17, 2008, 08:19:14 »
john99 *
Posts: 44

Hello,

thank you so much for the diagram/illustration! It's a big help in understanding the setup
(even if I still have some questions...)

Quote
I think that you will be better off with the 3-way firewall first, as this avoids routing DMZ traffic through your LAN.
Good luck.

1.
What is the reason that in my suggested setup DMZ traffic would be routed through the LAN ?



Thank you very much for any additional help!

John
« Last Edit: December 22, 2008, 08:50:49 by john99 »
« Reply #20 on: December 22, 2008, 11:04:09 »
markb ****
Posts: 331

Looking closer, I don't think you were, though it was a bit difficult without a layout diagram. Though in your original one, it actually looked like you were routing all your traffic through the DMZ, which is a recognised way of doing it and perfectly acceptable. However, as you had the resources available, I suggested the alternative. In my opinion it is better to have untrusted traffic on an isolated subnet that you can lock down as tight as you need.
« Reply #21 on: January 14, 2009, 10:40:18 »
john99 *
Posts: 44

Hello again!


I attached the network diagram in order to make things easier:


1.
Is such an environment possible/recommended with m0n0?

2.
What IP would you recommend for the bridge/modem?



Thank you very much for any additional help!

John




* Attachment: Network_IPs-removed.gif (32.86 KB, 526x560)
« Last Edit: March 05, 2009, 19:01:13 by Manuel Kasper »
« Reply #22 on: January 15, 2009, 10:08:20 »
markb ****
Posts: 331

That looks fine. Static routes to the LAN and OPT1 segments on FW1 will be required, as well as the bypass rules for traffic on the same interface in the advanced section. Advanced NAT enabled on FW2, as NAT is not required there.

With regards to the bridge modem, I think it is quite cool to use a 30-bit subnet as this gives you 2 usable IP addresses. Its IP address is not that important as long as it is in a private range.
« Reply #23 on: January 16, 2009, 08:42:56 »
john99 *
Posts: 44


Thanks a lot for the help markb!

As I understand it, you corrected the name of the DMZ of FW1 (10.0.1.1/24 / extern)
from LAN to OPT1.
That makes sense to me because DMZ is really not a good description for a LAN.


Question
1.
By FW1, do you really mean the external 2-way firewall (between DMZ and bridge/modem)?



Quote
Static routes to the LAN and OPT1 segments on FW1 will be required

In the m0n0wall handbook (http://doc.m0n0.ch/handbook-single/), section 4.3.2, it is written:
Quote
Static routes are necessary when you have a subnet behind another router of
any of your internal networks.

Questions:
2.1
What IPs for Destination Network and Gateway (to the LAN?) should I use?
2.2
What IPs for Destination Network and Gateway (to the OPT?) should I use?



Thanks for your feedback and have a nice weekend!

John





« Reply #24 on: January 16, 2009, 10:17:25 »
markb ****
Posts: 331

Hi John,
I was referring to the 2 subnets behind the second firewall.
Q1: Yes. It is marked FW1 on your drawing.

Qs 2: FW1 has no information regarding the location of the two subnets behind FW2. To enable the traffic to flow you will have to add 2 static routes to FW1, one for 10.0.3.0/24 and one for 10.0.2.0/24, both pointing at 10.0.1.2. There is also a box you will need to check on the advanced page.

(http://i232.photobucket.com/albums/ee216/markbarl/ScreenShot024.jpg)

Did it make sense to you about why to put the advanced NAT on FW2?
« Reply #25 on: January 20, 2009, 07:24:31 »
john99 *
Posts: 44

Hello markb,

thanks a lot for your helpful input.



Quote
Did it make sense to you about why to put the advanced NAT on FW2?

Are you referring to the "modem NAT" and the "normal LAN NAT"?

My idea was that - in order to be able to access the bridge/modem from behind both
firewalls and from all subnets (FW2) - it's required to (x) Enable advanced outbound NAT
and add "modem NAT" and "normal LAN NAT" not only on the 3-way internal firewall2
but as well on FW1 (between DMZ and modem/bridge)...




What is not yet clear to me is the target IP address of the OUT interface for the
"modem NAT" (which needs to be in the same subnet as the DSL modem)...

Quote
With regards to the bridge modem, I think it is quite cool to use a 30-bit subnet as this gives you 2 usable IP addresses. Its IP address is not that important as long as it is in a private range.


Questions:
1.
What could be a realistic scenario where 2 usable IP addresses would be of advantage?

2.
What IP* would you suggest in this environment (as far as I know, 255.255.255.252
gives 2 host IPs in a Class A network)?




Thanks a lot again, your help is appreciated very much!

John




PS
*Some time in the future I would like to play with the Captive Portal. I don't know
if it would be wise to consider that fact already today..
« Reply #26 on: January 20, 2009, 11:03:33 »
markb ****
Posts: 331

Hi John,
The OUT NAT and LAN NAT only need to be on firewall 1. NAT is simply a mechanism to enable people to use a private address range behind a router so that their computers can connect to the internet. This enables the same range to be used over and over on different people's networks. It became popular in the 1990s when the IPv4 addresses started running out. It does have some security advantages as it means that all the computers on a LAN are not directly accessible from the internet. However, it means that we have a limitation on incoming traffic and have to set NAT rules. The general wisdom is: where possible don't use NAT, as it adds a layer of complication.

With regards to the bridge modem IP address, I would suggest something like a 10.0.0.0/30 subnet. This would give you 2 usable IP addresses, 10.0.0.1 and 10.0.0.2 (10.0.0.0 is the subnet address, 10.0.0.3 is the broadcast address). The subnet mask, as you said, is 255.255.255.252. Put the modem on 10.0.0.1 and the OUT interface on 10.0.0.2. The reason for this is that it restricts anyone from plugging directly into any other ports on the modem.

In your scenario, you want to use FW1 as a NAT/firewall router and FW2 as a firewall router. I would set up something like this.

FW1
Interfaces

WAN - PPPoE
OUT - 10.0.0.1/30
LAN/DMZ - 10.0.1.1/24

Outbound NAT
Enable Advanced NAT and add Outbound NAT rules for
OUT
LAN/DMZ
Office Network (10.0.3.0/24)
Server network (10.0.2.0/24)
Static routes as previously described.
Bypass rules checked as previously described.

Inbound NAT
SMTP for mail server.

Rules
On WAN
Allow SMTP to Mail server
Allow DNS in (only if you are hosting your own domain DNS server)
Block All

On LAN
Allow SMTP out from Mail server
Allow DNS out from DNS server
Allow all from Office Subnet
Allow all from Server Subnet
Block All

FW2
Interfaces

WAN - Static 10.0.1.2/24
LAN - 10.0.3.1/24
OPT1 - 10.0.2.1/24

NAT
Outbound. Enable Advanced NAT. No NAT required.

Rules

WAN
This very much depends on how you configure your DMZ servers. You need to allow the DMZ stuff in on the ports they need, to specific locations (i.e. for contacting the domain), then block all from DMZ. Remember a DMZ needs to be treated as untrusted.

LAN
Here you need to add the rules for accessing the server subnet, the DMZ and the internet. Personally I would not just put in a blanket allow to all. Be specific; this increases your security. Only allow access to the ports on the DMZ servers that are absolutely necessary and then add a block-to-DMZ rule.

The rules are where you secure your network, not just against outside attack but also against internal compromises. Not that the users will necessarily try to circumvent your security, but it will make it harder for malicious software.

Hope this helps.



« Reply #27 on: January 22, 2009, 10:28:47 »
john99 *
Posts: 44

Hello markb,

thank you very much for the detailed information! I really appreciate it and
hoped that from now on I would be able to configure m0n0 without additional help.
But that's not yet the case...

OK, the situation now is that I added the <opt1> for OUT to the *.xml config file
(see screenshot "firewall2-extern__OUT__20090121") and the 2 outbound NATs
("modem NAT" and "normal LAN NAT") exactly as I did in the first config in 2008
(see screenshot "firewall1-extern__NAT--Outbound__20090121"),
but nevertheless the modem (10.0.0.1) cannot be pinged/accessed from the DMZ/LAN
(see screenshot "ping-to-fw1-and-modem_20080122").

As I understand it, this should be possible with the config steps I previously did...

Question 1:
Is this not the case or did I make a mistake?




Quote
Outbound NAT
Enable Advanced NAT and add Outbound NAT rules for
OUT
LAN/DMZ

Question 2:
Are those the 2 outbound NATs I did already before?




Quote
Outbound NAT
Enable Advanced NAT and add Outbound NAT rules for
Office Network (10.0.3.0/24)
Server network (10.0.2.0/24)

Question 2.1:
Could you please give me a hand how to do that?



Thanks again very much!

John


* Attachment: firewall2-extern__OUT__20090121.jpg (18.93 KB, 335x341)

* Attachment: firewall1-extern__NAT--Outbound__20090121.jpg (46.32 KB, 745x361)

* Attachment: ping-to-fw1-and-modem_20080122.jpg (72.3 KB, 622x470)
« Last Edit: January 22, 2009, 10:32:57 by john99 »
« Reply #28 on: January 23, 2009, 09:27:38 »
john99 *
Posts: 44

OK, I understand that I should have asked much more precisely...


Quote
Outbound NAT
Enable Advanced NAT and add Outbound NAT rules for
Office Network (10.0.3.0/24)
Server network (10.0.2.0/24)

OK, as I understand it, I should add a NAT on FW1 from/Source: 10.0.3.0/24 (Office Network)
(and the same for the Server network, 10.0.2.0/24) to the WAN IP (of FW1/extern).
But I don't know what IP to take.. probably the IP 10.0.0.1 of the modem/bridge?

In addition I am confused because under "Firewall: NAT: Edit outbound mapping"
I can only find the WAN and OPT interfaces and not, as expected, a LAN (DMZ)
interface as well (please see screenshots).





Quote
Outbound NAT
Enable Advanced NAT and add Outbound NAT rules for
OUT
LAN/DMZ

Question 2:
Are those the 2 outbound NATs I did already before ("modem NAT" on interface OUT and "normal LAN NAT" on interface WAN)?


Thanks a lot in advance for any additional help.

John


* Attachment: firewall1-extern__NAT--only-WAN-and-OUT1__20090123.jpg (35.7 KB, 944x706)

* Attachment: firewall3-extern__Interfaces--assign-network-ports__20090123.jpg (28.14 KB, 612x239)
« Reply #29 on: January 23, 2009, 10:47:24 »
markb ****
Posts: 331

Quote
Ok as I understand, I should add a NAT on FW1 from/Source: (10.0.3.0/24  // Office Network)
(and the same for Server network (10.0.2.0/24) to the WAN-IP (of FW1/extern).
But I don't know what IP to take.. probably the IP 10.0.0.1 of the modem/bridge?

These are the NAT mappings to allow your Office network and Server network to get to the outside world. You will not see the LAN interface here as you are dealing with traffic leaving the Monowall (it always assumes that the LAN interface is on a private network, else why would you want NAT?). You will need a

Interface: WAN
Source: 10.0.3.0/24
Destination: Any

also a

Interface: WAN
Source: 10.0.2.0/24
Destination: Any

and a

Interface: WAN
Source: 10.0.1.1/24
Destination: Any

These 3 NAT rules will allow all your subnets to access the internet. You control the access with rules, but you need the NAT in place to enable the routing to work.

You will also need to add NAT rules for any networks that want to be able to access the bridge modem. You could even lock it down to a single machine if you wanted.

These rules would be something like
Interface: OUT
Source: 10.0.3.0/24
Destination: Any
Target: 10.0.0.2/30

I emailed the address in your profile and suggested that you send me a copy of the config files for both firewalls to look at (edited to remove any passwords/public IPs etc). These are the files you get when you back up the config.
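Added worked example (editor's addition; not part of the thread and not m0n0wall's own code): a small Python model of the layout markb describes in Replies #18, #24, #26 and #29, with FW2's two inside subnets behind FW1, FW1's static routes back to them via 10.0.1.2, advanced outbound NAT on FW1 and no NAT on FW2. It traces a packet from a constructed office host 10.0.3.5 to the bridge modem at 10.0.0.1 and to a constructed internet host 198.51.100.9, and reports which interface the packet leaves, what source address the destination sees, and where FW1 would route the untranslated reply. With the static routes removed, the reply to 10.0.3.5 falls to FW1's default route. A constructed DMZ host 10.0.1.50 with no OUT NAT rule for its subnet reaches the modem untranslated, so a modem that only knows its own /30 has no route back. Assumptions of mine: the DMZ source of markb's third WAN rule is written as the network 10.0.1.0/24, FW1's PPPoE address is the placeholder string "PPPoE-assigned-address", the modem has no routes beyond 10.0.0.0/30, and the model does route lookup and outbound NAT only (no filter rules, no state table).

```python
# Added example: model of the two-m0n0wall layout in this thread (office 10.0.3.0/24 and servers
# 10.0.2.0/24 behind FW2 at 10.0.1.2; FW1 with LAN/DMZ 10.0.1.1, OUT 10.0.0.2/30 to the bridge
# modem at 10.0.0.1, and a PPPoE WAN). Hosts 10.0.3.5, 10.0.1.50, 198.51.100.9 are constructed.
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def usable_hosts(cidr):
    """Host addresses of a subnet, network and broadcast excluded (10.0.0.0/30 -> .1 and .2)."""
    return [str(h) for h in ipaddress.ip_network(cidr).hosts()]


class Firewall:
    def __init__(self, name, interfaces, static_routes=(), outbound_nat=(), block_private_on_wan=False):
        self.name = name
        # interface name -> ip_interface; None stands for a PPPoE-assigned WAN address
        self.interfaces = {n: (ipaddress.ip_interface(a) if a else None) for n, a in interfaces.items()}
        self.static_routes = [(ipaddress.ip_network(n), ipaddress.ip_address(g)) for n, g in static_routes]
        # advanced outbound NAT rows: (interface, source net, destination net, target; None = interface address)
        self.outbound_nat = [(i, ipaddress.ip_network(s), ipaddress.ip_network(d), t) for i, s, d, t in outbound_nat]
        self.block_private_on_wan = block_private_on_wan  # the "Block private networks" box on the WAN page

    def _iface_of(self, address):
        for name, ifa in self.interfaces.items():
            if ifa is not None and address in ifa.network:
                return name
        return None

    def route(self, dst):
        """Longest-prefix match over connected networks and static routes; anything else goes to WAN."""
        dst = ipaddress.ip_address(dst)
        best = (-1, "WAN", None)
        for name, ifa in self.interfaces.items():
            if ifa is not None and dst in ifa.network and ifa.network.prefixlen > best[0]:
                best = (ifa.network.prefixlen, name, None)
        for n, gw in self.static_routes:
            if dst in n and n.prefixlen > best[0]:
                best = (n.prefixlen, self._iface_of(gw), gw)
        return best[1], best[2]

    def nat_source(self, iface, src, dst):
        """Translated source for a packet leaving `iface`: first matching rule wins, None = untranslated."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for i, s, d, target in self.outbound_nat:
            if i == iface and src in s and dst in d:
                if target is not None:
                    return target
                ifa = self.interfaces[iface]
                return str(ifa.ip) if ifa is not None else "PPPoE-assigned-address"
        return None

    def accepts_on_wan(self, src):
        """False when "Block private networks" would drop this source arriving on WAN."""
        return not (self.block_private_on_wan and any(ipaddress.ip_address(src) in n for n in RFC1918))


def trace(path, src, dst):
    """Push src->dst through `path` (firewall nearest to src first) and report egress, the source the
    destination sees, whether that source is on the destination's link (a modem with no routes can
    only answer on-link sources), and the last hop's route for the untranslated reply."""
    cur, hops = src, []
    for fw in path:
        iface, _gw = fw.route(dst)
        natted = fw.nat_source(iface, cur, dst)
        hops.append((fw.name, iface, natted))
        if natted is not None:
            cur = natted
    last, egress_iface = path[-1], hops[-1][1]
    egress_ifa = last.interfaces[egress_iface]
    on_link = None if egress_ifa is None else ipaddress.ip_address(cur) in egress_ifa.network
    reply_iface, reply_gw = last.route(src)
    return {
        "egress": (last.name, egress_iface),
        "source_seen_by_dst": cur,
        "src_on_dst_link": on_link,
        "hops": hops,
        "reply_next_hop": (reply_iface, None if reply_gw is None else str(reply_gw)),
        "reply_routable": reply_iface != "WAN",  # WAN here means the reply fell to the default route
    }


# markb's outbound rules, with the DMZ source written as the network 10.0.1.0/24
FW1_NAT = [
    ("WAN", "10.0.3.0/24", "0.0.0.0/0", None),        # office  -> internet, as the WAN address
    ("WAN", "10.0.2.0/24", "0.0.0.0/0", None),        # servers -> internet
    ("WAN", "10.0.1.0/24", "0.0.0.0/0", None),        # DMZ     -> internet
    ("OUT", "10.0.3.0/24", "0.0.0.0/0", "10.0.0.2"),  # office  -> bridge modem, as the OUT address
]


def build_fw1(with_static_routes=True):
    routes = [("10.0.3.0/24", "10.0.1.2"), ("10.0.2.0/24", "10.0.1.2")] if with_static_routes else []
    return Firewall("FW1", {"WAN": None, "OUT": "10.0.0.2/30", "LAN": "10.0.1.1/24"}, routes, FW1_NAT)


def build_fw2(block_private_on_wan=False):
    return Firewall("FW2", {"WAN": "10.0.1.2/24", "LAN": "10.0.3.1/24", "OPT1": "10.0.2.1/24"},
                    block_private_on_wan=block_private_on_wan)


if __name__ == "__main__":
    print(usable_hosts("10.0.0.0/30"))
    print(trace([build_fw2(), build_fw1()], "10.0.3.5", "10.0.0.1"))       # reaches the modem as 10.0.0.2
    print(trace([build_fw2(), build_fw1(False)], "10.0.3.5", "10.0.0.1"))  # reply falls to the default route
```

Two things the trace makes visible that the rule list alone does not: the OUT rule only rewrites sources it matches, so every subnet that should reach the modem needs its own row (or a broader source), and the static routes on FW1 matter even when FW1 NATs, because the reply is un-NATted back to 10.0.3.x before FW1 routes it. The accepts_on_wan check models why FW2's "Block private networks" box has to be unchecked: everything arriving from FW1's side carries a 10.0.0.0/8 source.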
 