Topic: VMware bridge  (Read 4900 times)
« on: August 12, 2009, 19:45:51 »
travis0385 *
Posts: 4

Hello. I have been working on setting up m0n0wall on my VMware ESX server for a while. I have the m0n0wall VM image and it seems to be running fine on my server, the problem is trying to create a bridge to the WAN.

My situation: I have 3 NICs on my m0n0wall machine; one to WAN, one for LAN (which is only initially used for setup), and OPT1 acting as a bridge to the WAN. The network is totally closed and private IPs.

The problem: It seems that the bridge to the WAN is not working. I can ping my m0n0wall WAN IP from the WAN and I can ping it from the VMs that are on the bridge, but I cannot ping from my VMs on the bridge to WAN IPs (except the m0n0wall WAN IP, as I just stated before).

I wanted to check that this configuration is possible before I burn more time trying to get it to work. It seems like a very simple setup but it does not work. The reason I want this setup over using the LAN is so that I can swap VMs from the WAN and put them on m0n0wall without having to change their IPs, GWs, and DNS entries. Let me know if I am trying to do something wrong. I can provide more info if necessary. I just did not want to flood my first post with tons of IPs and everything. I might start working on a diagram to post.
« Reply #1 on: August 12, 2009, 20:11:12 »
travis0385 *
Posts: 4

Not sure if this Image will help that much....

Just to point out, we have a physical network with about 30 servers on our "217" subnet and probably 30 more on the whole network.

VMs are Virtual Machines
PMs are Physical Machines
Default gateway for all that are not noted is 96.5.217.250
The purple cloud is all virtual things.

So to summarize again: I want to use m0n0wall as a filtered bridge in a way that VMs can be moved from the WAN to the bridge without changing any configs on the machines or in DNS.

Thanks..


* Attachment: vmhelp.JPG (44.47 KB, 814x709)
« Reply #2 on: August 20, 2009, 18:02:15 »
mattnunns *
Posts: 3

Hi, this configuration is possible, we have a similar config up and running. All we did was add the network interfaces into the m0n0wall VM, connected to the relevant VLANs.

VLAN 51 - WAN
VLAN 52 - Private Range

From there all we had to do was configure the appropriate rules and default gateway/subnet mask, etc. on the WAN.

We do however have problems with passing traffic if we vMotion the PCs in the private range; I've started a new topic on that. Let me know if you need more help.
« Reply #3 on: August 20, 2009, 19:43:14 »
travis0385 *
Posts: 4

For the VMs you have on the bridge, what are their default gateways? The same as the VMs that are on the WAN?

It just seems so simple but just won't work. I can ping the m0n0wall WAN IP from both the VMs on the bridge and on the WAN but I can't get them to propagate any farther.

We are not using any VLANs in the setup. Not sure if that is a problem. The way it seems, defining VLANs would be irrelevant because the VLANs are bigger than just the m0n0wall config. I'll try toying with the VLAN configuration.

Using the network I explained earlier, our total network is 96.5.0.0.
VLAN 217 (96.5.217.0) is where our ESX server is located, and our m0n0wall LAN subnet (96.5.218.0) is not a defined VLAN, which I didn't think was necessary.

I'll try the VLAN stuff but if you can think of any other tips I would appreciate it.

Thanks
« Reply #4 on: August 25, 2009, 09:39:54 »
mattnunns *
Posts: 3

Hi, the VMs behind the m0n0wall have their default gateways set to the "internal" interface of the m0n0wall, i.e. the interface that is on the same subnet as those VMs. So, in your example, if your m0n0wall LAN is 96.5.218.0, let's say the m0n0wall interface on that LAN is 96.5.218.254, then that would be the default gateway for VMs on that LAN.

Assuming that the other m0n0wall interface is on 96.5.217.*, let's say its IP is 96.5.217.1, then the default gateway would also need to be set on this interface to the default gateway for that LAN, let's say 96.5.217.254.

It shouldn't be a problem if you're not using VLANs; that obviously just helps with segregation of traffic, etc.

I have also had this working without VLANs; we just use VLANs for segregation.
« Reply #5 on: September 28, 2009, 00:14:49 »
stolenpants *
Posts: 4

I'm having the same issue, with an additional problem. I can't even ping the WAN IP from servers on the OPT1 interface. I got it to respond to ping once, then it quit working and that was the end of it.

I'm using 1.3b18, with the new filtering bridge implementation.  I previously tried doing this on 1.235 and it didn't work either but I forget what the specific problem was.  When I saw the beta completely changed this, I decided to try it.

I have WAN bridged to OPT1 and I have my firewall rules set open enough to allow traffic through, but I can't get anything to ping on OPT1.

I also see a new interface has appeared, bridge0. Do I need to do anything with this interface to make it work?
« Reply #6 on: September 28, 2009, 00:30:29 »
stolenpants *
Posts: 4

Just playing around, I added bridge0 as an interface (OPT2) and created some firewall rules on OPT2. I was then able to ping the WAN IP from machines on the OPT1 bridged interface, but wasn't able to ping the gateway or anything outside the firewall. I then deleted the bridge0 interface and I'm still able to ping the WAN IP, but nothing else. Weird.
« Reply #7 on: September 28, 2009, 02:42:38 »
stolenpants *
Posts: 4

I got the transparent bridge/firewall working under ESXi 4. I assumed the issue was with m0n0wall, but I was incorrect. What I had to do was enable promiscuous mode on both the public vSwitch (VLAN) and the private vSwitch in ESX, and it worked fine.

This is a great setup because I can run good firewall rules without relying on any of the hosts, without having to do NAT or any other kind of routing, and without having to buy a separate hardware firewall like an ASA or an embedded m0n0wall device.
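The fix in Reply #7 (promiscuous mode on the vSwitches) is what lets the firewall VM see frames addressed to other VMs' MACs, but turning it on at vSwitch level lets every VM on that switch sniff all traffic. The following PowerCLI script is an added example, not something posted in this thread or part of m0n0wall; it scopes the override to a dedicated port group for the bridge VM and then audits which port groups on the host end up with promiscuous mode allowed. The host name `esx-host-1`, vSwitch `vSwitch1` and port group `FW-Bridge` are hypothetical placeholders. A bridge also forwards frames whose source MAC is not its own, so the example allows forged transmits on the same port group as well (an assumption about what the bridge needs, not something the thread states).

```powershell
# Added example (not from the thread): scope promiscuous mode to one port group
# used only by the m0n0wall bridge VM, rather than the whole vSwitch.
# Requires VMware PowerCLI. Host, vSwitch and port-group names are placeholders.
Connect-VIServer -Server "esx-host-1"   # prompts for credentials

$vmhost = Get-VMHost -Name "esx-host-1"
$pg     = Get-VirtualPortGroup -VMHost $vmhost -Name "FW-Bridge"

# Override the policy inherited from vSwitch1 on just this port group.
# Promiscuous: the bridge must receive frames for other VMs' MAC addresses.
# Forged transmits: the bridge re-emits frames carrying other VMs' source MACs (assumption).
$pg | Get-SecurityPolicy | Set-SecurityPolicy `
    -AllowPromiscuousInherited $false -AllowPromiscuous $true `
    -ForgedTransmitsInherited  $false -ForgedTransmits  $true

# Audit: list every port group on the host whose effective policy allows
# promiscuous mode, so nothing other than the bridge's port group has it.
Get-VirtualPortGroup -VMHost $vmhost |
    ForEach-Object {
        $pol = $_ | Get-SecurityPolicy
        [pscustomobject]@{
            PortGroup        = $_.Name
            vSwitch          = $_.VirtualSwitchName
            AllowPromiscuous = $pol.AllowPromiscuous
            Inherited        = $pol.AllowPromiscuousInherited
        }
    } |
    Where-Object { $_.AllowPromiscuous } |
    Format-Table -AutoSize

Disconnect-VIServer -Server "esx-host-1" -Confirm:$false
```

Run the audit part periodically; if a port group other than the one assigned to the bridge VM shows `AllowPromiscuous` as true, some VM attached to it can observe all traffic on that vSwitch, which is the exposure the port-group-level override is meant to avoid.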