 From:  "Keith Redfield" <kredfield at airsurfwireless dot com>
 To:  "Kanwar Ranbir Sandhu" <m3freak at rogers dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Re: [Bulk] RE: [m0n0wall] Re: [Bulk] Re: [m0n0wall] Configurationfor VLANs an multiple WANIPs
 Date:  Mon, 24 Jan 2005 21:35:55 -0800
Well, I gave a reasonable amount of time for someone else to jump in, but I guess you're stuck with me.
Well, there is another option if you have an entire range of contiguous addresses or a real subnet,
and that is to mess with the mask and create multiple subnets off that (supernetting I think it's
sometimes called) - that would eliminate the bridging problem. Not sure if m0n0 would like it.
>>Well, the docs say that m0n0wall can't actually be assigned multiple WAN
>>IPs, but it can be made to accept packets for additional IPs.  Here's
>>the info:
>>http://m0n0.ch/wall/docbook/faq-ipalias.html
right, and [one of] the methods outlined is 1:1 NAT ;) 
>>You can use this if you have an entire subnet of public IP addresses
>>(with m0n0wall's WAN IP address not being in that subnet!). <<--This is important

I'm not sure why you think you can get away with not bridging unless the above is true (and if it is
I want the name of your very nice ISP ;) But with an entire subnet supernetting to the VLAN's should
work to allocate the IP address space. Using the automatic NAT (which is really PAT I guess) for the
general subnet and true NAT (1:1) for the other. The bit in the manual about turning off NAT
presumes that you are now going to route between *2* subnets OPT1<->WAN, or use bridging. 

But if it were me I would just think hard about why having the no-NAT subnet was important and
probably split just that piece off because that is really what's complicating things. The rest of it
should work through m0n0 just fine. So a hybrid of your 2 designs. 
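As an added illustration (not code from either message, nor part of m0n0wall itself), the address plan the two of you are circling around: one routed, no-NAT block for the OPT1 VLAN, single addresses from the same ISP block used as 1:1 NAT targets for the per-business VLANs, and one address left for the shared PAT segment. The WAN link (203.0.113.10/30) and the public block (198.51.100.0/28) are constructed sample values; the VLAN names are placeholders. The check that the WAN address is outside the routed block is the caveat the FAQ page stresses.

```python
"""Address plan for an m0n0wall VLAN layout (added example, not from the thread).

Sample values below are constructed: a /30 WAN link plus a separate /28
routed to us by the same ISP. VLAN names are hypothetical placeholders.
"""
import ipaddress

WAN = "203.0.113.10/30"            # constructed: m0n0wall's own WAN address
PUBLIC_BLOCK = "198.51.100.0/28"   # constructed: block the ISP routes to WAN
BUSINESS_VLANS = ["VLAN 10 (business A)", "VLAN 20 (business B)"]  # hypothetical


def routed_block_ok(wan, block):
    """FAQ caveat: the block you route to OPT1 must not contain the WAN
    address (nor overlap the WAN link net), or m0n0wall cannot tell
    'deliver to me' from 'forward to OPT1'."""
    wan_if = ipaddress.ip_interface(wan)
    net = ipaddress.ip_network(block)
    return wan_if.ip not in net and not wan_if.network.overlaps(net)


def split_block(block, routed_prefix=29):
    """Carve the public block with a longer mask: the first sub-net is routed
    unchanged (no NAT) to OPT1; every other usable host address of the block
    stays on the WAN side as a 1:1 NAT or PAT address."""
    net = ipaddress.ip_network(block)
    if routed_prefix <= net.prefixlen:
        raise ValueError("routed prefix must be longer than the block's prefix")
    routed = next(net.subnets(new_prefix=routed_prefix))
    # net.hosts() already drops the /28's network and broadcast addresses.
    spare = [str(a) for a in net.hosts() if a not in routed]
    return str(routed), spare


def build_plan(wan, block, business_vlans, routed_prefix=29):
    """Return {segment: {...}} describing which NAT mode each segment gets."""
    if not routed_block_ok(wan, block):
        raise ValueError(f"WAN {wan} lies inside or overlaps {block}; "
                         "the routed block must be separate")
    routed, spare = split_block(block, routed_prefix)
    # one address per business VLAN for 1:1 NAT, plus one for the shared PAT
    if len(business_vlans) + 1 > len(spare):
        raise ValueError("not enough spare public addresses for 1:1 NAT + PAT")
    plan = {"OPT1 (routed, no NAT)": {"subnet": routed, "nat": "none"}}
    for name, addr in zip(business_vlans, spare):
        plan[name] = {"external": addr, "nat": "1:1"}
    plan["shared LAN"] = {"external": spare[len(business_vlans)],
                          "nat": "PAT (advanced outbound NAT rule)"}
    return plan


if __name__ == "__main__":
    for segment, cfg in build_plan(WAN, PUBLIC_BLOCK, BUSINESS_VLANS).items():
        print(f"{segment:28} {cfg}")
```

Running it prints one line per segment; the point is the two checks that raise: a WAN address inside the routed block, and more business VLANs than spare addresses. Whether m0n0wall accepts the longer-mask split on OPT1 is still the open question Keith raises above; this only does the arithmetic.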

From: Kanwar Ranbir Sandhu [mailto:m3freak at rogers dot com]
Sent: Mon 1/24/2005 12:07 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Re: [Bulk] RE: [m0n0wall] Re: [Bulk] Re: [m0n0wall] Configurationfor VLANs an
multiple WANIPs

Hi Keith,

On Mon, 2005-24-01 at 10:50 -0800, Keith Redfield wrote:
> I don't believe you can actually assign multiple WAN IP's, but you can
> do 1:1 NAT to multiple IP's on the WAN side (sorta critical
> difference).

Well, the docs say that m0n0wall can't actually be assigned multiple WAN
IPs, but it can be made to accept packets for additional IPs.  Here's
the info:


That's what I'm basing my assumptions on for the VLANs.

> If these IP's are coming from different ISP's (multiple DSL's), you've
> got a martianed hub problem. You might want to consider migrating to
> one of the hotbrick-like multiple WAN devices, and then not use any
> NAT on m0n0.

The public IPs will come from the same ISP, and will probably be an
entire subnet.

> You create the VLAN's off the LAN interface (or multiple LAN
> interfaces)

That's what I thought.  Thanks.

> m0n0wall by default automatically performs NAT on all the internal
> interfaces
> - you need to use the advanced NAT tab to modify this setting.

Yes.  Again, this is why I've been assuming that what I want to do
should be possible.  The page I linked above says, under Routing:

-- start --
You can use this if you have an entire subnet of public IP addresses
(with m0n0wall's WAN IP address not being in that subnet!).

Example: you have several servers connected to an optional interface
(let's assume OPT1).

Turn on advanced outbound NAT and define a rule for your LAN, but not
for OPT1. This will effectively disable NAT between WAN and OPT1. Now
you can add filter rules to selectively permit traffic to/from OPT1.

So, in the scenario I presented, the OPT1 interface would actually be a
VLAN (say VLAN 1). Again, this is why I'm assuming it should work.

> You'll need a somewhat pricey trunking switch to distribute the
> VLANs.

Yeah, they're on the pricey side all right, but it's not me who would be
purchasing it. :) Besides, the business centre would be able to offer
improved services to its clients, so it wouldn't be a hard sell.

> On the interface you don't want NAT on, you've got a challenge - the
> only option I can think of is bridging, which a) I'm not sure is
> supported per-VLAN and b) just bothers the heck out of me.

I don't think I would have to bridge, at least not according to the
docs.  However, I already tried bridging and only one bridge can be
setup with the WAN interface (makes sense...still sucks though).

> What you've described is essentially what my company does. If you
> would like to reply private I can give you more details [not a sales
> pitch] for a way to do it fairly cheap w/o the trunking switch.

Thanks for the offer.  I'll be in touch.

I have another design in mind:

             Hub/Cheap switch ---------Firewall
             |          |              (Public IP)
          Firewall    Firewall               \   
         (Public IP)   (Public IP)           Business
             |             |
          Switch         Switch
         /| | | \          |
         Businesses      Business Centre
If that makes it to the list properly, the business centre will be able
to partition the network so that some of the businesses share a public
IP (as they do now), others can have their own public IP (with
everything after the connection to their hub/switch being up to the
individual business), and finally a third public IP for the business
centre itself.

Only issue is that more hardware is required, although overall it is a
cheaper solution.  Also, the business centre wants to upgrade their PBX
to Asterisk, and it will have to sit on the LAN that all of the
businesses are attached to.  Businesses connected at the hub/switch will
have to be interconnected to the "Asterisk" LAN in order to use it
(shared receptionist amongst all of the individual businesses).  The
interconnection is necessary because unfortunately, each office only has
one Cat5 connection.  As you can see, it ends up being a little ugly.

The VLAN solution is much more elegant.

Anyone else have any experience/input on this?


Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
