 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Tenchi <tenchi at intergga dot ch>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] missing rule option... destination: WAN
 Date:  Mon, 7 Feb 2005 15:10:08 -0500
On Mon, 07 Feb 2005 20:54:40 +0100, Tenchi <tenchi at intergga dot ch> wrote:
> Hello
> I bought a 24-port tag-based vlan switch to be able to control every
> port's access to each other and to the internet. Say I set up 20 vlans
> (each with a different subnet) and I want to let them only connect to
> the internet...
> What I'd need is an "allow TCP/UDP from VLANx to WAN" rule. But since
> this doesn't seem to exist I'd have to add 19 rules to each vlan to
> block access to the others and one rule to allow all other TCP/UDP !?
> Why isn't there a WAN in the destination list?
> Or is there another solution?

Make the VLANs contiguous subnets.  If you have only one machine on
each VLAN, then each VLAN only needs two IPs, so you could use /30s.

VLAN1 - (usable IPs and
VLAN2 - (usable .9 and .10)
VLAN3 - (.13 and .14)
VLAN20 - (.81 and .82)

And summarize the rule for all 20 VLANs with  So on each
VLAN you'd have a deny src * dst rule, and permit any
following that.
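A worked version of that allocation and rule summary, added here as an example and not part of Chris's mail or of m0n0wall. The addresses in the archived mail are missing, so the 192.0.2.0/24 base block is a constructed assumption, and the per-VLAN rules are evaluated first-match in plain Python rather than by m0n0wall's own filter.

```python
import ipaddress
from ipaddress import IPv4Network

# Constructed base block (RFC 5737 documentation space). The real addresses
# were stripped from the archived mail, so this value is an assumption.
BASE = IPv4Network("192.0.2.0/24")
ANY = IPv4Network("0.0.0.0/0")

def allocate_vlans(base: IPv4Network, count: int) -> dict:
    """Carve contiguous /30s out of `base`; VLAN n gets the n-th /30, which
    reproduces the mail's numbering (VLAN2 usable .9/.10, VLAN20 .81/.82)."""
    thirties = list(base.subnets(new_prefix=30))
    return {n: thirties[n] for n in range(1, count + 1)}

def usable_hosts(net: IPv4Network) -> tuple:
    hosts = list(net.hosts())  # /30: excludes network and broadcast
    return str(hosts[0]), str(hosts[-1])

def summary_prefix(nets) -> IPv4Network:
    """Smallest single prefix covering every VLAN (what the deny rule needs):
    grow from the lowest address until the highest broadcast fits."""
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    cover = IPv4Network(f"{lo}/32")
    while hi not in cover:
        cover = cover.supernet()
    return cover

def vlan_rules(summary: IPv4Network):
    """Per-VLAN rule list from the mail: deny to the summary, then permit any."""
    return [("deny", ANY, summary), ("permit", ANY, ANY)]

def evaluate(rules, src: str, dst: str) -> str:
    """First-match evaluation, the way a packet filter walks the list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"  # assumed default when nothing matches

if __name__ == "__main__":
    vlans = allocate_vlans(BASE, 20)
    summary = summary_prefix(vlans.values())
    rules = vlan_rules(summary)
    for n in (1, 2, 3, 20):
        print(f"VLAN{n}: {vlans[n]} usable {usable_hosts(vlans[n])}")
    print("summary for the deny rule:", summary)
    print("VLAN1 -> VLAN2:", evaluate(rules, "192.0.2.5", "192.0.2.9"))
    print("VLAN1 -> internet:", evaluate(rules, "192.0.2.5", "198.51.100.7"))
```

The covering prefix also spans space no VLAN uses (192.0.2.0/30 and .84 through .127 here), which is harmless for a deny rule only as long as nothing the VLANs must reach is addressed there.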