 
 From:  Kanwar Ranbir Sandhu <m3freak at rogers dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [Bulk] RE: [m0n0wall] Re: [Bulk] Re: [m0n0wall] Configuration for VLANs an multiple WANIPs
 Date:  Mon, 24 Jan 2005 15:07:17 -0500
Hi Keith,

On Mon, 2005-24-01 at 10:50 -0800, Keith Redfield wrote:
> I don't believe you can actually assign multiple WAN IP's, but you can
> do 1:1 NAT to multiple IP's on the WAN side (sorta critical
> difference).

Well, the docs say that m0n0wall can't actually be assigned multiple WAN
IPs, but it can be made to accept packets for additional IPs.  Here's
the info:

http://m0n0.ch/wall/docbook/faq-ipalias.html

That's what I'm basing my assumptions on for the VLANs.
 
> If these IP's are coming from different ISP's (multiple DSL's), you've
> got a martianed hub problem. You might want to consider migrating to
> one of the hotbrick-like multiple WAN devices, and then not use any
> NAT on m0n0.

The public IPs will come from the same ISP, and will probably be an
entire subnet.

> You create the VLAN's off the LAN interface (or multiple LAN
> interfaces)

That's what I thought.  Thanks.

> m0n0wall by default automatically performs NAT on all the internal
> interfaces
> - you need to use the advanced NAT tab to modify this setting. 

Yes.  Again, this is why I've been assuming that what I want to do
should be possible.  The page I linked above says, under Routing:

-- start --
You can use this if you have an entire subnet of public IP addresses
(with m0n0wall's WAN IP address not being in that subnet!).

Example: you have several servers connected to an optional interface
(let's assume OPT1). 

[SNIP]
Turn on advanced outbound NAT and define a rule for your LAN, but not
for OPT1. This will effectively disable NAT between WAN and OPT1. Now
you can add filter rules to selectively permit traffic to/from OPT1.
--end--

So, in the scenario I presented, the OPT1 interface would actually be a
VLAN (say VLAN 1). Again, this is why I'm assuming it should work.

> You'll need a somewhat pricey trunking switch to distribute the
> VLANs. 

Yeah, they're on the pricey side all right, but it's not me who would be
purchasing it. :) Besides, the business centre would be able to offer
improved services to its clients, so it wouldn't be a hard sell.

> On the interface you don't want NAT on, you've got a challenge - the
> only option I can think of is bridging, which a) I'm not sure is
> supported per-VLAN and b) just bothers the heck out of me.

I don't think I would have to bridge, at least not according to the
docs.  However, I already tried bridging and only one bridge can be
setup with the WAN interface (makes sense...still sucks though).

> What you've described is essentially what my company does. If you
> would like to reply privately I can give you more details [not a sales
> pitch] for a way to do it fairly cheap w/o the trunking switch.

Thanks for the offer.  I'll be in touch. 

I have another design in mind:

                Internet
                   |
                 Modem
                   |
             Hub/Cheap switch ---------Firewall
             |          |              (Public IP)
          Firewall    Firewall               \
         (Public IP)   (Public IP)           Business
             |             |
          Switch         Switch
         /| | | \          |
         Businesses      Business Centre
	   
If that makes it to the list properly, the business centre will be able
to partition the network so that some of the businesses share a public
IP (as they do now), others can have their own public IP (with
everything after the connection to their hub/switch being up to the
individual business), and finally a third public IP for the business
centre itself.

Only issue is that more hardware is required, although overall it is a
cheaper solution.  Also, the business centre wants to upgrade their PBX
to Asterisk, and it will have to sit on the LAN that all of the
businesses are attached to.  Businesses connected at the hub/switch will
have to be interconnected to the "Asterisk" LAN in order to use it
(shared receptionist amongst all of the individual businesses).  The
interconnection is necessary because unfortunately, each office only has
one Cat5 connection.  As you can see, it ends up being a little ugly.

The VLAN solution is much more elegant.

Anyone else have any experience/input on this?

Regards,

Ranbir
-- 
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com
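The NAT behaviour the thread relies on (NAT on every internal interface by default; with advanced outbound NAT enabled, only interfaces that have a rule are NATed, so an OPT/VLAN interface left without a rule is routed as public space and needs its own filter rules) can be checked before anything is typed into the firewall. The script below is an added example written for this page, not m0n0wall code and not from either poster; it models that behaviour as the quoted FAQ describes it and audits a constructed version of the design discussed (shared-IP businesses on LAN, a routed public /29 on VLAN1). The interface names, the 192.168.1.0/24, 198.51.100.0/29 and 203.0.113.5 addresses, and the filter-rule strings are all assumptions made for the example.

```python
"""Constructed model of the outbound-NAT behaviour described in the thread.
This is example code, not m0n0wall's implementation."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Interface:
    name: str
    subnet: ipaddress.IPv4Network   # hosts behind this interface (physical port or VLAN)
    public: bool                    # True when the subnet is routable public space


@dataclass
class Firewall:
    wan_ip: ipaddress.IPv4Address
    interfaces: List[Interface]
    advanced_outbound_nat: bool = False
    outbound_nat_rules: Set[str] = field(default_factory=set)          # interfaces that have a NAT rule
    filter_rules: Dict[str, List[str]] = field(default_factory=dict)   # interface -> rule descriptions

    def is_natted(self, ifname: str) -> bool:
        # Behaviour as described in the thread: every internal interface is NATed by
        # default; with advanced outbound NAT on, only interfaces that have a rule.
        if not self.advanced_outbound_nat:
            return True
        return ifname in self.outbound_nat_rules


def audit(fw: Firewall) -> List[str]:
    """Return design problems found; an empty list means the design is consistent."""
    findings: List[str] = []
    for iface in fw.interfaces:
        natted = fw.is_natted(iface.name)
        # The FAQ's constraint: the WAN address must not be inside the routed subnet.
        if iface.public and fw.wan_ip in iface.subnet:
            findings.append(f"{iface.name}: WAN IP {fw.wan_ip} lies inside routed subnet {iface.subnet}")
        if iface.public and natted:
            findings.append(f"{iface.name}: public subnet {iface.subnet} is still NATed; "
                            f"enable advanced outbound NAT and leave {iface.name} without a rule")
        if not iface.public and not natted:
            findings.append(f"{iface.name}: private subnet {iface.subnet} is routed without NAT "
                            f"and will not reach the Internet")
        # Once NAT is off, hosts are directly reachable: filter rules are the only control.
        if not natted and not fw.filter_rules.get(iface.name):
            findings.append(f"{iface.name}: hosts are reachable directly from WAN but no filter "
                            f"rules are defined")
    for i, a in enumerate(fw.interfaces):
        for b in fw.interfaces[i + 1:]:
            if a.subnet.overlaps(b.subnet):
                findings.append(f"{a.name}/{b.name}: subnets {a.subnet} and {b.subnet} overlap")
    return findings


def business_centre(advanced_nat: bool, nat_rules: Set[str],
                    filter_rules: Dict[str, List[str]],
                    wan_ip: str = "203.0.113.5") -> Firewall:
    """Constructed version of the design in the thread: shared-IP businesses on LAN,
    a routed public /29 on VLAN1 (the OPT1 of the FAQ). All addresses are assumed."""
    return Firewall(
        wan_ip=ipaddress.IPv4Address(wan_ip),
        interfaces=[
            Interface("LAN", ipaddress.IPv4Network("192.168.1.0/24"), public=False),
            Interface("VLAN1", ipaddress.IPv4Network("198.51.100.0/29"), public=True),
        ],
        advanced_outbound_nat=advanced_nat,
        outbound_nat_rules=set(nat_rules),
        filter_rules=dict(filter_rules),
    )


if __name__ == "__main__":
    stages = [
        ("default NAT everywhere", business_centre(False, set(), {})),
        ("advanced NAT, rule for LAN only", business_centre(True, {"LAN"}, {})),
        ("plus filter rules on VLAN1",
         business_centre(True, {"LAN"}, {"VLAN1": ["pass tcp any -> 198.51.100.0/29 port 80"]})),
    ]
    for label, fw in stages:
        print(f"== {label}")
        for finding in audit(fw) or ["ok"]:
            print("  ", finding)
```

Running it walks through the three stages in the order the FAQ gives them: the default configuration flags the public VLAN as still NATed, enabling advanced outbound NAT with a rule for LAN only flags the now-exposed VLAN as lacking filter rules, and only the third stage audits clean. The WAN-address check is the one people forget: the FAQ's routing method only works when the WAN IP is outside the subnet being routed.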