Topic: Starting with M0n0  (Read 2035 times)
« on: May 07, 2007, 15:29:37 »
dirkb
Posts: 15


(internet)----router----(WAN)-MONO-(lan)-172.22.150.xx
                                                  -
                                                  (dmz)--212.x.y.z (internet range)

I have enough "real" IP addresses in the DMZ for each system that will be active within the DMZ.

What I'm trying to do is:
 * when LAN goes to INTERNET, it will get the MONO IP (via NAT)
 * when DMZ goes to INTERNET, it will use its own IP (NOT NAT)

Is this possible?
And if so can someone give me a rules/nat example for it?
(if you can add within the example the possibility for someone from the INTERNET to access a system in DMZ on port <something> that would be great :-))

dirk.
« Reply #1 on: May 08, 2007, 07:16:50 »
cmb
Posts: 851

Assuming you have a full routable subnet for your DMZ interface, that's possible. Your ISP will have to route that subnet to your WAN IP. What you'll want is a /30 subnet for your WAN, and the other subnet for the DMZ.

You'll need advanced outbound NAT to not NAT (see FAQ) and a custom outbound NAT rule for your LAN.

To allow in traffic from the Internet, put appropriate rules on your WAN interface.
« Reply #2 on: May 08, 2007, 08:33:14 »
dirkb
Posts: 15

Is it possible to give a few examples? (maybe a couple of screenshots?)
Or if anyone is interested in a "small" project on Rentacoder to make such a config for me (and explain what the rules are for, so I can extend) that's fine for me too.
« Reply #3 on: May 08, 2007, 16:25:24 »
clarknova
Posts: 148

Example, adapted from a similar setup I'm running, as per my earlier thread in this section:

I have public IP addresses x.x.x.0 - x.x.x.32 (/27) using gateway x.x.x.1

WAN is x.x.x.2/30

OPT1 is x.x.x.17/28 (clients on OPT1 can be x.x.x.18 - x.x.x.30 using x.x.x.17 as gateway)

[You'll notice that this leaves a gap of unused addresses from x.x.x.4 -- x.x.x.15. This was necessary in my case because I only have the one subnet to work with. If you have any two separate subnets for WAN and OPT1, go for it.]

Create static route for OPT1 x.x.x.0/27 (/28 would make more sense to me, but my situation is a little different from this example and /28 didn't work, so I had to go with /27)

Firewall rules to allow traffic to/from OPT1 x.x.x.16/28

Advanced outbound NAT enabled with an entry for LAN subnet

Proxy arp on WAN for x.x.x.16/28 if necessary

db
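The address plan and the two NAT policies described in the reply above, as an added worked example (not m0n0wall's own code or anything posted in the thread). It uses the documentation range 203.0.113.0/27 in place of x.x.x.0/27, assumes the LAN is 172.22.150.0/24 as in the first post, and assumes ports 80 and 443 are the ones opened on WAN for the DMZ; it checks that WAN /30 and OPT1 /28 fit inside the /27 without overlapping, computes the unused gap and the usable OPT1 client addresses, and models the outbound-NAT decision (LAN rewritten to the WAN IP, OPT1 left untouched) and the inbound WAN rule.

```python
"""Check the /27 split from the post and model its NAT behaviour.
Constructed example: 203.0.113.0/27 stands in for x.x.x.0/27."""
from ipaddress import ip_address, ip_interface, ip_network

PUBLIC_BLOCK = ip_network("203.0.113.0/27")   # block the ISP routes to the WAN IP
WAN_IF = ip_interface("203.0.113.2/30")       # m0n0wall WAN address (x.x.x.2/30)
OPT1_IF = ip_interface("203.0.113.17/28")     # m0n0wall DMZ/OPT1 address (x.x.x.17/28)
LAN_NET = ip_network("172.22.150.0/24")       # private LAN from the first post
DMZ_ALLOWED_PORTS = {80, 443}                 # assumed: ports opened on WAN for the DMZ


def plan_check():
    """Validate the addressing plan and return (unused gap, usable OPT1 clients)."""
    wan, opt1 = WAN_IF.network, OPT1_IF.network
    if not (wan.subnet_of(PUBLIC_BLOCK) and opt1.subnet_of(PUBLIC_BLOCK)):
        raise ValueError("WAN and OPT1 subnets must both lie inside the routed block")
    if wan.overlaps(opt1):
        raise ValueError("WAN and OPT1 subnets overlap")
    # Addresses in the /27 that belong to neither subnet (the post's .4 - .15 gap).
    gap = [a for a in PUBLIC_BLOCK if a not in wan and a not in opt1]
    # Host addresses on OPT1 minus the firewall's own address (.18 - .30).
    clients = [a for a in opt1.hosts() if a != OPT1_IF.ip]
    return gap, clients


def outbound_source(src):
    """Advanced outbound NAT: LAN sources are rewritten to the WAN IP,
    OPT1 sources keep their own public address (the 'no NAT' entry)."""
    src = ip_address(src)
    if src in LAN_NET:
        return WAN_IF.ip
    if src in OPT1_IF.network:
        return src
    raise ValueError(f"no outbound policy for source {src}")


def inbound_allowed(dst, port):
    """WAN rule: pass only traffic aimed at an OPT1 client on an opened port."""
    dst = ip_address(dst)
    return dst in OPT1_IF.network and dst != OPT1_IF.ip and port in DMZ_ALLOWED_PORTS
```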