On Mon, 2005-24-01 at 02:08 -0500, Chris Buechler wrote:
> On Sat, 22 Jan 2005 16:03:17 -0500, Kanwar Ranbir Sandhu
> <m3freak at rogers dot com> wrote:
> >
> > I want to set up VLANs 1 and 2 on the LAN interface of m0n0wall, sharing
> > Public IP 1. VLAN 3 has to be assigned Public IP 2.
> >
>
> So the hosts on VLAN 3 are going to be assigned public IP's within the
> subnet of public IP 2? I'm confused on what you're trying to
> accomplish.

That's what I get for trying to keep the post short. :)

Backgrounder:

- I just moved into an office located in a business centre (business
  centres provide very affordable, fully furnished office space plus
  other services, without the "tenant" having to sign a lengthy lease).

- The business centre has 19 offices, so that means there could possibly
  be 19 independent businesses (some businesses might take more than one
  office).

- At the moment the net connection is a DSL line, which is being shared
  by every business:

        Internet (1 dynamic IP, can't get more)
            |
        DSL modem
            |
        SOHO router (e.g. Linksys)
            |
          Switch
           /  \
          /    \
        1 2 3 4 etc.

- This is bad:
  1) Flat network, therefore no security
  2) Businesses can't host their own servers (at the moment, only me)

- This is good:
  1) Some businesses don't care
  2) Makes it easier for the business centre to provide Internet
     services

So, in order to improve my situation, I want to improve the network
design in the business centre. I've had a number of ideas, one of which
was setting up VLANs to separate the networks. Another person at the
Fedora mailing list made the same suggestion. Here's what he wrote:

--- start ---

        Internet
           |
        DSL Modem or Internet Router
           |
        Firewall----Tenant-2
           |
        Tenant-1

Firewall each tenant from the other tenants. Give each tenant a
different RFC 1918 address range. Use a Switch capable of trunking, and
an Ethernet card capable of trunking in the firewall to allow multiple
VLANs on one physical connection.

--- end ---

Enter m0n0wall.

Back to my original question.
Here's what I want to do with m0n0wall for the business centre, but I'm
not sure if m0n0wall is capable:

1) Set up, say, 10 VLANs (I know m0n0wall can do this).
2) 8 VLANs will receive essentially the same Internet service they have
   right now, so they will be NATed with one public IP.
3) 1 VLAN must be NATed as well, but use a different public IP.
4) 1 VLAN must not be NATed, but use a different public IP. NATing etc.
   would be left up to the business (mine, for example) within their own
   office.

That's a total of 3 public IPs, perhaps growing to more as need arises.

So, in that scenario, can m0n0wall support multiple WAN IPs for VLAN
interfaces, and do NAT for some, but not for others? I've read the docs
and I know that m0n0wall can handle multiple WAN IPs. I just can't tell
if this is possible with VLANs.

I've already played with m0n0wall a bit, but my confusion stems from:

1. Not knowing which interface (i.e. WAN or LAN) to use as a parent for
   each VLAN (I'm fairly sure it's the LAN, though...it makes sense)
2. Not knowing if in m0n0wall a VLAN can be assigned a public IP (I can
   type it in, but I don't know if it will work)

I hope that I've given you enough info to see what I'm trying to
accomplish. At first glance, m0n0wall appears capable of supporting the
above. I just don't have enough experience with m0n0wall to know for
sure.

Thanks in advance.

Regards,

Ranbir

--
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com