Asashi Dot Net Logo

How-to have a public IP DMZ with m0n0wall

Suppose you've got this subnet from your ISP:
this gives you 62 hosts from x.y.z.129 to x.y.z.190 with 128 as network and 191 as broadcast
To see try:

$ ipcalc

Given that x.y.z.129 is your router and thus the default gateway for your m0n0wall your WAN configuration will look like this:

wan config

So set a WAN IP like this x.y.z.131/26 with x.y.z.129 as default gateway
i used x.y.z.131 to have a single IP (x.y.z.130) to use a machine as an honeypot/test OUTSIDE m0n0wall

Done this you need to activate your optional interface and put it in bridge with WAN.

wan config

A big note here: you MUST activate "filtering bridge" from "System: Advanced setup"

wan config

Now the 10 cent tip:
from m0n0wall documentation it's stated that you can't directly talk from a natted interface with a bridged one, this is true. But you can always tell m0n0 to NOT NAT from LAN to DMZ, so go to "Firewall: NAT: Outbound" and check "Enable advanced outbound NAT"
Click SAVE and enter your mapping as in the picture below:

wan config

It is:

Interface: WAN
Source: (your LAN space)
Destination: NOT x.y.z.128/26 (your DMZ subnet)
Target: * (any)
Description: put your own here...

SAVE your work and Apply Changes as usual

Done! Now you can add your rules from LAN to DMZ and from WAN to DMZ as you want and you can land on your DMZ without and "Internet tour"