Resolved

Using generic-pc-1.31.img on a VIA EDEN mini-ITX PC.

Running a no-NAT setup with an ADSL modem (not a router):-

    WAN = PPPoE (fxp0)      (IP assigned by PPP)  -> Draytek Vigor ADSL modem.
    LAN = vr0                     217.x.x.x/27             -> Private network clients etc.
    DMZ = OPT1 (fxp1)         81.x.x.x/28             -> Public HTTP, SMTP, VOIP servers.

The LAN interface works OK: full web access outbound from my laptop.

The DMZ interface has big problems!  I can access the DMZ servers from the LAN interface, but not from the Internet.

There's a WAN firewall rule to let traffic into my web server on 80/TCP, and sure enough TCPDUMP on the web server shows the initial TCP SYN frames coming in, and SYN ACK frames going out.  But the TCP session is never established, so the web server never sees the HTTP request.  The firewall seems to be dropping the reply frames from the web server.

Has anyone successfully used a no-NAT setup, with a PPPoE link for the WAN, and a web server DMZ on OPT1??  Perhaps this is an unusual combination??

I am fairly confident of the infrastructure configuration, as I've simply copied the addressing and ruleset from a working pfSense installation, in the hope of switching to Monowall for its IPV6 support.

Thanks for any help!

- Martin.

SOLUTION: For a No-NAT setup, see "Firewall: NAT: Outbound" and tick the box "Enable advanced outbound NAT".  Ticking this box disables NAT (provided that you don't enter any NAT mappings).

The user interface is rather confusing here. Perhaps it would help to add an explanation about No NAT mode to the "Firewall: NAT: Outbound" screen, and also perhaps a note on the status screen, to report when NAT is enabled without any mappings.

- Martin