Topic: NAT'ing all except for individual IPs  (Read 2435 times)
« on: April 29, 2007, 23:58:27 »
maya *
Posts: 2

Hi --

I have a question that I suspect has a simple answer, but I'm not quite sure how to do this. 

We have DMZ and LAN addresses behind our Monowall.  In the DMZ are webservers, mail servers, DNS, etc.  In the Outbound NAT we have something like this:

168.30.0.0/16 *  *   (LAN addresses)
168.33.53.0/24 * * (DMZ addresses)

Our external range of IPs is different, and currently our DMZ mail server's email goes out with its IP address the same as the Monowall's IP.

If I want to make it such that the mail server's IP is not NAT'ed to the firewall's address, so the world will see its own unique external IP address, how do I do that?  How do I make an exception for one machine when everything else on that particular class C range is NAT'ed?

Thanks for the help!
« Reply #1 on: April 30, 2007, 15:19:58 »
HairyMonster *
Posts: 18

http://doc.m0n0.ch/handbook/examples-filtered-bridge.html

HM.
« Reply #2 on: April 30, 2007, 17:41:36 »
maya *
Posts: 2

Thanks for the reply and maybe I'm being dense, but I'm thinking that to do what I want all I need to do is set up a 1:1 NAT for this one particular mail server...?  We have multiple external IPs, which are assigned to various servers in the DMZ -- mail, web, etc.  And inbound NAT works fine with translating the external IP to the internal DMZ address.  My problem only exists with mail going outbound.  Because our mail headers show the hostname of our mail server with the IP address of our Monowall, some recipient mail servers are rejecting our email because the reverse DNS of the mail host does not match the IP address it sees in part of the mail header (the Monowall's IP).  So I want the external mail to report the mail server's actual external IP instead of the Monowall's.  Thinking a 1:1 definition might do that and I can still leave the Outbound rule there for the entire DMZ net to be outbound NAT'ed.  If I define a 1:1 will that override the rule in the Outbound NAT for that one host?
« Reply #3 on: April 30, 2007, 18:47:51 »
HairyMonster *
Posts: 18

Sorry, ignore my previous post - It is I that am being dense.

You'll probably want to specify an outbound NAT for the mailserver such that your 168.33.53.(mailserver) maps to any destination target: (external IP I want mail to appear from)

However, I'm not sure if the more restrictive overrides the less restrictive - perhaps someone else can help?

Because your existing inbound NATs work, I wouldn't bother with a 1:1.

HM.
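The open question in the thread is whether a narrower outbound NAT entry for the mail server "overrides" the broader /24 rule. The following is an added example, not m0n0wall code or anything posted in the thread: it models an ordered outbound NAT table under first-match, top-down evaluation (an assumption to confirm against the documentation for your m0n0wall version) and shows that position, not prefix length, decides which external address a packet gets, then checks whether the address a recipient would see reverse-resolves to the mail server's HELO name. The mail server address 168.33.53.25, the 203.0.113.x external addresses, the hostnames and the PTR table are all constructed for the example.

```python
import ipaddress

# Constructed example addresses (not from the thread); the external side uses
# a documentation range. The DMZ mail server is assumed to be 168.33.53.25.
FIREWALL_WAN_IP = "203.0.113.1"
MAIL_EXTERNAL_IP = "203.0.113.25"
MAIL_SERVER_IP = "168.33.53.25"


def translate_source(rules, src_ip):
    """Return the external IP an outbound packet from src_ip would carry.

    rules: ordered list of (source_network, external_ip).  Assumes first-match,
    top-down evaluation, so rule position rather than prefix length decides.
    """
    ip = ipaddress.ip_address(src_ip)
    for network, external_ip in rules:
        if ip in ipaddress.ip_network(network):
            return external_ip
    return src_ip  # no rule matched: the packet leaves untranslated


# The thread's broad rules, with the mail server exception placed ABOVE the /24.
RULES_SPECIFIC_FIRST = [
    (MAIL_SERVER_IP + "/32", MAIL_EXTERNAL_IP),
    ("168.33.53.0/24", FIREWALL_WAN_IP),   # DMZ addresses
    ("168.30.0.0/16", FIREWALL_WAN_IP),    # LAN addresses
]
# Same rules with the exception placed BELOW the /24: it is never reached.
RULES_SPECIFIC_LAST = RULES_SPECIFIC_FIRST[1:] + RULES_SPECIFIC_FIRST[:1]

# Constructed reverse-DNS table standing in for real PTR lookups.
PTR_RECORDS = {
    MAIL_EXTERNAL_IP: "mail.example.com",
    FIREWALL_WAN_IP: "fw.example.com",
}


def ptr_matches_helo(external_ip, helo_name, ptr_records=PTR_RECORDS):
    """True when the IP a recipient sees reverse-resolves to the HELO name."""
    return ptr_records.get(external_ip, "").lower() == helo_name.lower()


if __name__ == "__main__":
    for label, rules in (("specific first", RULES_SPECIFIC_FIRST),
                         ("specific last", RULES_SPECIFIC_LAST)):
        seen = translate_source(rules, MAIL_SERVER_IP)
        ok = ptr_matches_helo(seen, "mail.example.com")
        print(f"{label}: mail leaves as {seen}, PTR matches HELO: {ok}")
```

Whatever the rule-ordering semantics of your firewall turn out to be, the second check is the one to run against real DNS after the change: the PTR of the address recipients see must resolve to the name the mail server announces.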
 