m0n0wall Forum - M0n0 with 8 WAN-IPs & DMZ & NATed LAN: no-go....

Afer using M0n0wall for myself over 3 years i want to set up a firewall for a friend.

He has:

8 static IP's (/29, IP's 201-206)
.201 used by ISPs WAN-Router
.206 used by M0n0wall
Servers in the DMZ should use the static IPs assigned from the ISP

In the DMZ (OPT1-Interface) there are one Mailserver and one WWW-Server with IPs .204 and .202.

Surfin' the Net should be possible from the LAN-Interface.

I am using the latest M0n0wall (1.231) on a CF-card.

So far i have done the following:

- configured the Interfaces:

   <interfaces>
      <lan>
         <if>xl1</if>
         <ipaddr>192.168.200.254</ipaddr>
         <subnet>24</subnet>
         <media/>
         <mediaopt/>
      </lan>
      <wan>
         <if>fxp0</if>
         <mtu>1500</mtu>
         <blockpriv/>
         <media/>
         <mediaopt/>
         <spoofmac/>
         <ipaddr>XXX.157.91.206</ipaddr>
         <subnet>29</subnet>
         <gateway>XXX.157.91.201</gateway>
      </wan>
      <opt1>
         <if>xl0</if>
         <descr>DMZ</descr>
         <ipaddr>XXX.157.91.1</ipaddr>
         <subnet>24</subnet>
         <bridge/>
         <enable/>
      </opt1>
   </interfaces>

- configured 1:1 NAT:

      <onetoone>
         <external>XXX.157.91.202</external>
         <internal>XXX.157.91.202</internal>
         <subnet>32</subnet>
         <descr>1:1 NAT for Webserver</descr>
         <interface>wan</interface>
      </onetoone>

Proxyarp is present as well:

   <proxyarp>
      <proxyarpnet>
         <interface>wan</interface>
         <network>XXX.157.91.202/32</network>
         <descr>NAT 1:1 NAT for Webserver</descr>
      </proxyarpnet>
   </proxyarp>

And, of course, added the Firewall-Rules ;-)

But it does not work as it should....

Symptoms:

Surfin' the NET from PCs on LAN is OK
Access from LAN --> DMZ does not work
Access from WAN --> DMZ does not work
Access from DMZ -> WAN does not work

I have already testet with other IPs / Subnets on the DMZ-Interface -> no luck...

Is it REALLY so that two Subnets are necessary - one on the WAN-Side and another on the DMZ-Side (with the Interface-IPs being in this subnet)?

Or is there another solution that i did not realize?

(BTW, M0n0wall works GREAT on MY Setup - with WAN-interface beeing xxx.xxx.xxx.206/29 and the DMZ-Interface xxx.xxx.xxx.129/24. Default-GW of the Server in the DMZ is M0n0wall's DMZ-IP. Our ISP assignes us an IP-Space from XXX.XXX.XXX.128 - XXX.XXX.XXX.207)

Could anyone please point me in the right direction (or could tell my why it does'nt work)??

Thanks a lot!

Thomas