On Mon, 07 Feb 2005 20:54:40 +0100, Tenchi <tenchi at intergga dot ch> wrote:
> I bought a 24port tag based vlan switch to be able to control every
> ports access to each other and to the internet. Say I set up 20 vlans
> (each with a different subnet) and I want to let them only connect to
> the internet...
> What I'd need is a "allow TCP/UDP from VLANx to WAN" rule. But since
> this doesn't seem to exist I'd have to add 19 rules to each vlan to
> block access to the others and one rule to allow all other TCP/UDP !?
> Why isn't there a WAN in the destination list?
> Or is there another solution?
make the VLAN's contiguous subnets. If you have only one machine on
each VLAN, then each VLAN only needs two IP's, so you could use /30's.
VLAN1 - 10.0.0.4/30 (usable IP's 10.0.0.5 and 10.0.0.6)
VLAN2 - 10.0.0.8/30 (usable .9 and .10)
VLAN3 - 10.0.0.12/30 (.13 and .14)
VLAN20 - 10.0.0.80/30 (.81 and .82)
And summarize the rule for all 20 VLAN's with 10.0.0.0/24. So on each
VLAN you'd have a deny src * dst 10.0.0.0/24 rule, and permit any