Well I gave a reasonable amount of time for someone else to jump in but I guess you're stuck with me ;)

-----

Well there is another option if you have an entire range of contiguous addresses or a real subnet, and that is to mess with the mask and create multiple subnets off that (supernetting I think it's sometimes called) - that would eliminate the bridging problem. Not sure if m0n0 would like it though.

>> Well, the docs say that m0n0wall can't actually be assigned multiple WAN
>> IPs, but it can be made to accept packets for additional IPs. Here's
>> the info:
>> http://m0n0.ch/wall/docbook/faq-ipalias.html

right, and [one of] the methods outlined is 1:1 NAT ;)

>> You can use this if you have an entire subnet of public IP addresses
>> (with m0n0wall's WAN IP address not being in that subnet!). <<-- This is important

I'm not sure why you think you can get away with not bridging unless the above is true (and if it is I want the name of your very nice ISP ;)

But with an entire subnet, supernetting to the VLANs should work to allocate the IP address space. Using the automatic NAT (which is really PAT I guess) for the general subnet and true NAT (1:1) for the other. The bit in the manual about turning off NAT presumes that you are now going to route between *2* subnets OPT1<->WAN, or use bridging.

But if it were me I would just think hard about why having the no-NAT subnet was important and probably split just that piece off, because that is really what's complicating things. The rest of it should work through m0n0 just fine. So a hybrid of your 2 designs.
Cheers,
-Keith

________________________________
From: Kanwar Ranbir Sandhu [mailto:m3freak at rogers dot com]
Sent: Mon 1/24/2005 12:07 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Re: [Bulk] RE: [m0n0wall] Re: [Bulk] Re: [m0n0wall] Configuration for VLANs and multiple WAN IPs

Hi Keith,

On Mon, 2005-24-01 at 10:50 -0800, Keith Redfield wrote:
> I don't believe you can actually assign multiple WAN IP's, but you can
> do 1:1 NAT to multiple IP's on the WAN side (sorta critical
> difference).

Well, the docs say that m0n0wall can't actually be assigned multiple WAN IPs, but it can be made to accept packets for additional IPs. Here's the info:

http://m0n0.ch/wall/docbook/faq-ipalias.html

That's what I'm basing my assumptions on for the VLANs.

> If these IP's are coming from different ISP's (multiple DSL's), you've
> got a martianed hub problem. You might want to consider migrating to
> one of the hotbrick-like multiple WAN devices, and then not use any
> NAT on m0n0.

The public IPs will come from the same ISP, and will probably be an entire subnet.

> You create the VLAN's off the LAN interface (or multiple LAN
> interfaces)

That's what I thought. Thanks.

> m0n0wall by default automatically performs NAT on all the internal
> interfaces
> - you need to use the advanced NAT tab to modify this setting.

Yes. Again, this is why I've been assuming that what I want to do should be possible. The page I linked above says, under Routing:

-- start --
You can use this if you have an entire subnet of public IP addresses (with m0n0wall's WAN IP address not being in that subnet!). Example: you have several servers connected to an optional interface (let's assume OPT1). [SNIP] Turn on advanced outbound NAT and define a rule for your LAN, but not for OPT1. This will effectively disable NAT between WAN and OPT1. Now you can add filter rules to selectively permit traffic to/from OPT1.
-- end --

So, in the scenario I presented, the OPT1 interface would actually be a VLAN (say VLAN 1). Again, this is why I'm assuming it should work.

> You'll need a somewhat pricey trunking switch to distribute the
> VLANs.

Yeah, they're on the pricey side all right, but it's not me who would be purchasing it. :) Besides, the business centre would be able to offer improved services to its clients, so it wouldn't be a hard sell.

> On the interface you don't want NAT on, you've got a challenge - the
> only option I can think of is bridging, which a) I'm not sure is
> supported per-VLAN and b) just bothers the heck out of me.

I don't think I would have to bridge, at least not according to the docs. However, I already tried bridging and only one bridge can be set up with the WAN interface (makes sense... still sucks though).

> What you've described is essentially what my company does. If you
> would like to reply private I can give you more details [not a sales
> pitch] for a way to do it fairly cheap w/o the trunking switch.

Thanks for the offer. I'll be in touch.

I have another design in mind:

               Internet
                  |
                Modem
                  |
          Hub/Cheap switch ---------Firewall
             |          |           (Public IP)
          Firewall   Firewall            \
        (Public IP) (Public IP)        Business
             |          |
          Switch      Switch
           / |          |
          |  |           \
      Businesses     Business Centre

If that makes it to the list properly, the business centre will be able to partition the network so that some of the businesses share a public IP (as they do now), others can have their own public IP (with everything after the connection to their hub/switch being up to the individual business), and finally a third public IP for the business centre itself. Only issue is that more hardware is required, although overall it is a cheaper solution.

Also, the business centre wants to upgrade their PBX to Asterisk, and it will have to sit on the LAN that all of the businesses are attached to.
Businesses connected at the hub/switch will have to be interconnected to the "Asterisk" LAN in order to use it (shared receptionist amongst all of the individual businesses). The interconnection is necessary because, unfortunately, each office only has one Cat5 connection.

As you can see, it ends up being a little ugly. The VLAN solution is much more elegant.

Anyone else have any experience/input on this?

Regards,

Ranbir

--
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
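An added worked example for the hybrid layout discussed in the thread (one VLAN handed a routed public block with outbound NAT switched off, the other tenants given single public addresses via 1:1 NAT). This is not code from the thread or from the m0n0wall project; it only plans the addressing and checks the two conditions the thread turns on: the FAQ's requirement that the routed block must not contain m0n0wall's WAN IP, and the assumption (mine, not stated in the thread) that a 1:1 NAT external address has to be a spare address on the WAN subnet so the firewall can answer for it. All addresses are constructed sample values from the RFC 5737 documentation ranges and RFC 1918 space; the VLAN numbers and the "first host is the gateway" convention are likewise assumptions for illustration.

```python
# Added example, not from the m0n0wall list thread or from m0n0wall itself.
# Plans addressing for: one VLAN with a routed (no-NAT) public block, plus
# 1:1 NAT for tenants that get a single public IP. Sample addresses are
# constructed (RFC 5737 / RFC 1918); the WAN-subnet rule for 1:1 NAT
# externals is an assumption, not something the thread states.
from ipaddress import ip_address, ip_interface, ip_network


def check_routed_block(wan_if, public_block):
    """Return the routed block if it meets the FAQ precondition: the WAN IP
    must not lie inside it and it must not overlap the WAN subnet (otherwise
    the ISP delivers it on-link and m0n0wall would have to bridge, not route)."""
    wan = ip_interface(wan_if)
    block = ip_network(public_block, strict=True)
    if wan.ip in block:
        raise ValueError(f"WAN IP {wan.ip} lies inside routed block {block}")
    if wan.network.overlaps(block):
        raise ValueError(f"routed block {block} overlaps WAN subnet {wan.network}")
    return block


def split_for_vlans(block, new_prefix, first_vlan=10):
    """Carve the routed block into equal sub-blocks, one per VLAN (what Keith
    calls supernetting; strictly, subnetting). The first host of each piece is
    reserved for m0n0wall's own address on that VLAN; the rest go to the
    tenant. VLAN ids are assumed, numbered from first_vlan."""
    plan = []
    for i, net in enumerate(block.subnets(new_prefix=new_prefix)):
        hosts = list(net.hosts())
        plan.append({
            "vlan": first_vlan + i,
            "subnet": str(net),
            "gateway": str(hosts[0]),                 # m0n0wall's OPT/VLAN address
            "tenant_hosts": [str(h) for h in hosts[1:]],
        })
    return plan


def one_to_one_nat(wan_if, pairs):
    """Build 1:1 NAT entries (external public IP -> internal private host) for
    tenants that only get one public address. Assumed rule: the external side
    must be a spare address on the WAN subnet, and may not be mapped twice."""
    wan = ip_interface(wan_if)
    entries, seen = [], set()
    for external, internal in pairs:
        ext, inner = ip_address(external), ip_address(internal)
        if ext == wan.ip or ext not in wan.network:
            raise ValueError(f"{ext} is not a spare address on WAN subnet {wan.network}")
        if not inner.is_private:
            raise ValueError(f"internal side {inner} is not RFC 1918 space")
        if ext in seen:
            raise ValueError(f"{ext} is mapped twice")
        seen.add(ext)
        entries.append({"external": str(ext), "internal": str(inner)})
    return entries


if __name__ == "__main__":
    WAN = "198.51.100.10/29"      # constructed: m0n0wall WAN IP, subnet 198.51.100.8/29
    ROUTED = "203.0.113.0/28"     # constructed: block the ISP routes to the WAN IP
    block = check_routed_block(WAN, ROUTED)
    for vlan in split_for_vlans(block, 29):
        print(vlan)
    print(one_to_one_nat(WAN, [("198.51.100.11", "10.1.1.10"),
                               ("198.51.100.12", "10.1.2.10")]))
```

Run as-is it prints two /29 VLAN plans carved from the routed /28 and two 1:1 NAT entries; feeding it a "routed" block that is really the WAN subnet, or a 1:1 external that is not on the WAN subnet, raises instead of producing a plan, which is the configuration mistake the thread is circling around.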