General Questions

Hello, I am running ver 1.3 and I would like to buildout a logical DMZ and have that DMZ share the same NIC as my LAN.
very similar to what is detailed in section 13.1 of the manual
http://doc.m0n0.ch/handbook-single/#id11642784

However, when I go to the interfaces tab, I dont have a way of adding a 3'rd virtual interface.

So what I was thinking I would do, if possible (and I cant seem to get it to work) is:
Add an additional IP to the LAN NIC, maybe by NATing a second IP to the LAN interface
Place that Nat'd IP and the DMZ server into their own VLAN
Add the appropriate FW rules to allow that DMZ server outbound communication

Then my next concern would be how do I isolate, beyond using VLANs, the DMZ server from trying to communicate inbound with the LAN systems?


Knowing my personal demons I suspect I have overthought this issue entirely.
Please let me know of a better way to do this if one exist.

Well, for starters, what reason(s) do you have for not just adding another NIC?

I could place another NIC in the system, but prefer not to, I am using an old PC and it only had 3 available slots.
So I occupy a slot for LAN, a slot for WAN, and I wanted to reserve the 3rd slot for a wireless card when the core is moved to v6.

So if I add a 3rd NIC now I'll just be pushing my troubles out to a later date.

Well, there are multi-port NICs. But given their expense, the money would be better spent on a motherboard with more slots of the type you need.

Two-port (dual-port) NICs are ready available on Ebay for very little if you search a bit. I've bought dual-port Intel nics off Ebay over the years for less than $10.

I quick search for "dual-port"  found the following for $5 ($10 buy it now). The shipping will cost more than the dual-port NIC. This is a gigabit server NIC which you probably don't need:
  http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=280450203679
Another one:
  http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=390143111111
Another one:
  http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=290391179098

Creating a DMZ with two separate network interfaces becomes simple. Each interface is then isolated and can have completely different rules.

-msbaker

all those ebay nics are 64 bit PCI for server class hardware.

Roy...

Just search for "intel pro 100 dual" on ebay. You'll probably get this too late, but here is a listing for 5 dual PCI NICs for $20.
  http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=280451886958

A couple single ones for $20
  http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=300388271069
  http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=370320061480

There are a bunch of compaq dual 10/100 NICs for sale on ebay from $5-$10 each. Many of these are Intel NICS with a Compaq part #

With EBay, sometimes you have to watch a week or two for specific items to be listed at reasonable (cheap) prices. There are always some folks that try to sell this stuff for 10 times what it is worth.

You can see the same items listed for $200 too. Rather ridiculous for this old stuff.

-msbaker