Topic: How to allow traffic to the internet but not to the WAN subnet
« on: June 12, 2009, 19:13:30 »
jimbobmcgee *
Posts: 6

I am trying to segregate two Windows XP clients in such a way that they can continue to access the internet but not my LAN.  However, I still need to allow Remote Desktop access to the XP clients from my LAN.

My thought is to put a M0n0wall in with its WAN on my LAN, then put the two clients on the LAN side of the MW. 

So far, I have:

     {ISP}--{PIX}--{my lan}--{MW}--{2 x XP}

The MW WAN is 192.a.a.10/24, the MW LAN is 10.b.b.0/24.  I have so far tried to put in rules to:

  - block/reject source 10.b.b.0/24 to 192.a.a.0/24 on LAN
  - accept 192.a.a.0/24 to 10.b.b.0/24 on WAN

Neither of these has helped.

Has anyone got any ideas?

J.
« Reply #1 on: June 12, 2009, 19:39:21 »
Fred Grayson *****
Posts: 994

Read the M0n0wall Handbook section on DMZ.

Put the two XP clients in the DMZ.

Add rules blocking these DMZ clients from LAN access.

Add rules allowing these DMZ clients WAN access.

Add rules allowing LAN access to the DMZ clients, perhaps only on the required port or ports needed for remote desktop.

--
Google is your friend and Bob's your uncle.
« Reply #2 on: June 14, 2009, 23:32:27 »
jimbobmcgee *
Posts: 6

Thanks, but I don't think that will do it.  The M0n0wall is not the default gateway for my LAN, it is merely a device in between my LAN and the two XP clients.

As such, the MW's WAN interface is a (DHCP) client in my real LAN (and so has a 192.a.a.x address) and the XP clients are on the LAN side of the MW. 

I've attached a diagram if it helps.  It shows the current setup and the initial direction of traffic/access that I need (obviously, replies in the reverse direction are required too).

J.


* Drawing1.png (53.64 KB, 548x327)
« Last Edit: June 14, 2009, 23:34:42 by jimbobmcgee »
« Reply #3 on: June 15, 2009, 00:44:22 »
Fred Grayson *****
Posts: 994

I don't see any reason you can't accomplish what you want by rearranging things along the lines of what is offered in the Handbook.

--
Google is your friend and Bob's your uncle.
« Reply #4 on: June 15, 2009, 13:16:52 »
jimbobmcgee *
Posts: 6

Because I'm not in the habit of rearranging my core LAN on a whim.

That, and the M0n0 is not a physical unit.  The M0n0 is a virtual machine, as are the XP clients in question. 

The M0n0 VM has two (virtual) NICs, one of which points to the external-facing (physical) NIC of the host; the other to a virtual switch that is internal to the host.  The clients have one NIC each, which point to the same virtual switch.  The M0n0 is the default gateway for the XP clients and, currently, the XP clients can see the internet via the M0n0.

I think I have worked it out as far as I need to.  I have added the following inbound NATs:

    If    Proto   Ext port range   NAT IP       Int port range
    WAN   TCP     50050            10.b.b.50    3389
    WAN   TCP     50051            10.b.b.51    3389

and the following rules:

    If    Type    Proto   Source     Port   Destination     Port
    WAN   Pass    TCP     *          *      10.b.b.50       3389
    WAN   Pass    TCP     *          *      10.b.b.51       3389
    LAN   Block   *       LAN net    *      192.a.a.0/24    *
    LAN   Block   *       LAN net    *      192.c.c.0/24    *
    LAN   Pass    TCP     *          *      10.b.b.51       3389

(where 192.a.a.x is my physical LAN and 192.c.c.x is a VPN LAN that I didn't want them to be able to access).

I had hoped to avoid putting in a block rule for every VPN I don't want the two clients to access, so I first tried setting a static route for all traffic to go to the default gateway of the PIX on the physical LAN (i.e. attempting to bypass the routing that PIX would do) but for some reason, that only allowed me to see the default gateway and no further.  So I've just bitten the bullet and added the 18 VPN LAN block rules.

For sanity, if there is a better way, I'd love to hear it.

J.
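The rule set in Reply #4 only does what its author wants because m0n0wall evaluates the rules of an interface top to bottom and applies the first match: the two LAN block rules sit above the permissive catch-all, and the WAN tab has no catch-all at all, so anything that is not explicitly passed (after the inbound NAT has rewritten the destination) is dropped. The following is an added example, written for this thread and not code from m0n0wall or from any poster, that models that first-match evaluation over the posted rules. It assumes a default "LAN net to any" pass rule at the bottom of the LAN tab, and it uses constructed documentation addresses as stand-ins: 192.0.2.0/24 for the physical LAN (192.a.a.0/24, with the m0n0wall WAN side at 192.0.2.10), 198.51.100.0/24 for one VPN LAN (192.c.c.0/24) and 10.0.0.0/24 for the m0n0wall LAN (10.b.b.0/24).

```python
"""First-match evaluation of a m0n0wall-style rule set (constructed example).

Address ranges are documentation placeholders standing in for the letters
used in the thread; nothing here is real topology.
"""
import ipaddress
from dataclasses import dataclass

PHYSICAL_LAN = ipaddress.ip_network("192.0.2.0/24")      # stands in for 192.a.a.0/24
VPN_LAN = ipaddress.ip_network("198.51.100.0/24")        # stands in for 192.c.c.0/24
MW_LAN = ipaddress.ip_network("10.0.0.0/24")             # stands in for 10.b.b.0/24
MW_WAN_IP = ipaddress.ip_address("192.0.2.10")           # stands in for 192.a.a.10


def _net(value):
    """'*' stays a wildcard; anything else becomes an ip_network."""
    return "*" if value == "*" else ipaddress.ip_network(value)


@dataclass(frozen=True)
class Packet:
    iface: str                      # interface the packet arrives on: "lan" or "wan"
    proto: str                      # "tcp" or "udp"
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def make_packet(iface, proto, src, dst, dport):
    return Packet(iface, proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)


@dataclass
class Rule:
    iface: str
    action: str                     # "pass" or "block"
    proto: str                      # "tcp", "udp" or "*"
    src: object                     # network or "*"
    dst: object                     # network or "*"
    dport: object                   # int or "*"

    def __post_init__(self):
        self.src = _net(self.src)
        self.dst = _net(self.dst)

    def matches(self, pkt):
        if self.iface != pkt.iface:
            return False
        if self.proto != "*" and self.proto != pkt.proto:
            return False
        if self.src != "*" and pkt.src not in self.src:
            return False
        if self.dst != "*" and pkt.dst not in self.dst:
            return False
        if self.dport != "*" and self.dport != pkt.dport:
            return False
        return True


# The rules as listed in Reply #4, in the order they appear on each tab.
RULES = [
    Rule("wan", "pass", "tcp", "*", "10.0.0.50/32", 3389),
    Rule("wan", "pass", "tcp", "*", "10.0.0.51/32", 3389),
    Rule("lan", "block", "*", str(MW_LAN), str(PHYSICAL_LAN), "*"),
    Rule("lan", "block", "*", str(MW_LAN), str(VPN_LAN), "*"),
    Rule("lan", "pass", "tcp", "*", "10.0.0.51/32", 3389),
    # Assumed default "LAN net to any" pass rule at the bottom of the LAN tab.
    Rule("lan", "pass", "*", str(MW_LAN), "*", "*"),
]

# Inbound NAT entries from Reply #4: (proto, external port) -> (internal host, internal port).
PORT_FORWARDS = {
    ("tcp", 50050): (ipaddress.ip_address("10.0.0.50"), 3389),
    ("tcp", 50051): (ipaddress.ip_address("10.0.0.51"), 3389),
}


def evaluate(rules, pkt, default="block"):
    """Return the action of the first matching rule; no match means the default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def filter_packet(pkt):
    """Apply inbound NAT to packets aimed at the WAN address, then run the rule set."""
    if pkt.iface == "wan" and pkt.dst == MW_WAN_IP:
        target = PORT_FORWARDS.get((pkt.proto, pkt.dport))
        if target is not None:
            pkt = Packet(pkt.iface, pkt.proto, pkt.src, target[0], target[1])
    return evaluate(RULES, pkt)


if __name__ == "__main__":
    samples = [
        ("XP client to internet web server", make_packet("lan", "tcp", "10.0.0.50", "203.0.113.7", 443)),
        ("XP client to physical LAN file share", make_packet("lan", "tcp", "10.0.0.50", "192.0.2.25", 445)),
        ("XP client to VPN LAN host", make_packet("lan", "tcp", "10.0.0.50", "198.51.100.9", 80)),
        ("LAN host RDP via forwarded port", make_packet("wan", "tcp", "192.0.2.20", "192.0.2.10", 50050)),
        ("LAN host to unforwarded WAN port", make_packet("wan", "tcp", "192.0.2.20", "192.0.2.10", 445)),
    ]
    for label, pkt in samples:
        print(f"{label:40s} -> {filter_packet(pkt)}")
```

Swapping the order of the LAN block rules and the catch-all pass in `RULES` makes every LAN-side packet pass, which is the failure mode to check for whenever a block rule is added to an interface that already carries a permissive default.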