 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Tenchi <tenchi at intergga dot ch>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] missing rule option... destination: WAN
 Date:  Mon, 7 Feb 2005 15:10:08 -0500
On Mon, 07 Feb 2005 20:54:40 +0100, Tenchi <tenchi at intergga dot ch> wrote:
> Hello
> 
> I bought a 24port tag based vlan switch to be able to control every
> port's access to each other and to the internet. Say I set up 20 vlans
> (each with a different subnet) and I want to let them only connect to
> the internet...
> 
> What I'd need is an "allow TCP/UDP from VLANx to WAN" rule. But since
> this doesn't seem to exist I'd have to add 19 rules to each vlan to
> block access to the others and one rule to allow all other TCP/UDP !?
> 
> Why isn't there a WAN in the destination list?
> Or is there another solution?
> 

Make the VLANs contiguous subnets. If you have only one machine on
each VLAN, then each VLAN only needs two IPs, so you could use /30s.

Like:
VLAN1 - 10.0.0.4/30 (usable IP's 10.0.0.5 and 10.0.0.6)
VLAN2 - 10.0.0.8/30 (usable .9 and .10)
VLAN3 - 10.0.0.12/30 (.13 and .14)
...
VLAN20 - 10.0.0.80/30 (.81 and .82)


And summarize the rule for all 20 VLANs with 10.0.0.0/24. So on each
VLAN you'd have a deny src * dst 10.0.0.0/24 rule, and a permit any
following that.

-Chris
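Added example, not part of Chris's mail or of m0n0wall: Python that carves the /30s as laid out above, finds the tightest summary prefix, and evaluates the deny-then-permit pair as first-match rules. Assumptions: the firewall holds the first usable address of each /30, and the rule engine stops at the first match.

```python
import ipaddress

# Constructed example: 20 VLANs carved as /30s out of 10.0.0.0/24, as in the mail.
SUMMARY = ipaddress.ip_network("10.0.0.0/24")


def allocate_vlans(count, base=SUMMARY):
    """Hand out consecutive /30s so VLAN n is the n-th /30 after 10.0.0.0/30
    (VLAN1 = 10.0.0.4/30 ... VLAN20 = 10.0.0.80/30), matching the mail."""
    subnets = list(base.subnets(new_prefix=30))
    return {n: subnets[n] for n in range(1, count + 1)}


def usable_hosts(net):
    """The two usable addresses of a /30 (network and broadcast excluded)."""
    return [str(h) for h in net.hosts()]


def covering_prefix(nets):
    """Smallest single prefix containing every VLAN, i.e. the tightest
    summary the deny rule could use (the mail's /24 is a looser cover)."""
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover


# Per-VLAN rule set as the mail describes it, evaluated first match wins
# (assumption: adjust if your firewall orders matches differently):
# deny anything whose destination is inside the summary, then permit the rest.
ANY = ipaddress.ip_network("0.0.0.0/0")
RULES = [("deny", ANY, SUMMARY), ("permit", ANY, ANY)]


def decide(src, dst, rules=RULES):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in rules:
        if src in s and dst in d:
            return action
    return "deny"  # nothing matched: default deny


if __name__ == "__main__":
    vlans = allocate_vlans(20)
    print("tightest summary:", covering_prefix(list(vlans.values())))
    v1, v2 = usable_hosts(vlans[1]), usable_hosts(vlans[2])
    print(decide(v1[1], v2[1]))            # VLAN1 -> VLAN2: deny
    print(decide(v1[1], "198.51.100.10"))  # VLAN1 -> Internet: permit
    # Caveat: the summary also covers the firewall's own VLAN address (assumed
    # first usable, 10.0.0.5), so DNS/DHCP to the gateway needs an earlier permit.
    print(decide(v1[1], v1[0]))            # VLAN1 host -> its gateway: deny
```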