 
 From:  Tenchi <tenchi at intergga dot ch>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] missing rule option... destination: WAN
 Date:  Fri, 18 Feb 2005 08:35:53 +0100
Hi Chris

I set up the VLANs as you recommended... my rules are:
- DNS: allow udp from vlan subnet to vlan subnet port 53
- WEB: allow tcp from vlan subnet to !10.0.0.0/24

This works great with my XP clients, but with Win98 I can only do 1 or 2 
DNS lookups (different URLs in Internet Explorer or ping domain) and 
afterwards it hangs (timeout). Then I can't even do a DHCP renew 
anymore. It's totally reproducible and not hardware dependent (dual 
boot). There are no firewall entries afterwards; the client's net is dead.

Info: I'm using the DNS forwarder.

What am I missing here?
thanks

Chris Buechler wrote:
> make the VLANs contiguous subnets.  If you have only one machine on
> each VLAN, then each VLAN only needs two IPs, so you could use /30s.
> 
> Like:
> VLAN1 - 10.0.0.4/30 (usable IP's 10.0.0.5 and 10.0.0.6)
> VLAN2 - 10.0.0.8/30 (usable .9 and .10)
> VLAN3 - 10.0.0.12/30 (.13 and .14)
> 
> And summarize the rule for all 20 VLANs with 10.0.0.0/24.  So on each
> VLAN you'd have a deny src * dst 10.0.0.0/24 rule, and permit any
> following that.
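Added example (not code from the thread or from m0n0wall): a small Python model of the addressing scheme and the per-VLAN rule set discussed above. It assumes the /30 carve-out starts at 10.0.0.4/30 as in Chris's example, that rules are evaluated first-match with an implicit deny at the end, and that the firewall's own interface address inside each /30 is where the DNS forwarder answers.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed for this example: the summary block that one deny rule
# per VLAN can cover, carved into contiguous /30s (one per VLAN).
SUMMARY = ipaddress.ip_network("10.0.0.0/24")

def vlan_subnets(count: int, base=SUMMARY, prefix: int = 30):
    """Return `count` /30 subnets of `base`; VLAN1 gets 10.0.0.4/30,
    VLAN2 10.0.0.8/30, ... (the first /30 is left unused, as in the thread)."""
    subs = list(base.subnets(new_prefix=prefix))
    if count + 1 > len(subs):
        raise ValueError("not enough /30s in the summary block")
    return subs[1:count + 1]

def usable_hosts(net) -> List[str]:
    """Usable addresses of a subnet (network and broadcast excluded)."""
    return [str(h) for h in net.hosts()]

# A rule is (action, proto, src, dst, dport); None means "any".
# A leading "!" on src/dst negates the network match, like "!10.0.0.0/24".
Rule = Tuple[str, Optional[str], Optional[str], Optional[str], Optional[int]]

def _match_net(spec: Optional[str], addr: str) -> bool:
    if spec is None:
        return True
    negate = spec.startswith("!")
    hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"))
    return hit != negate

def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; no match means the implicit default deny."""
    for action, r_proto, r_src, r_dst, r_dport in rules:
        if r_proto not in (None, proto):
            continue
        if not _match_net(r_src, src) or not _match_net(r_dst, dst):
            continue
        if r_dport not in (None, dport):
            continue
        return action
    return "deny"

def rules_for(vlan) -> List[Rule]:
    """The poster's two rules for one VLAN: UDP/53 to the VLAN's own subnet
    (where the firewall's DNS forwarder listens) and TCP to anything that
    is not inside the 10.0.0.0/24 summary, i.e. not another VLAN."""
    v = str(vlan)
    return [("allow", "udp", v, v, 53),
            ("allow", "tcp", v, "!" + str(SUMMARY), None)]
```

The evaluator shows why the summary works: a host in VLAN1 reaches its own gateway for DNS and the Internet over TCP, but any packet aimed at another /30 inside 10.0.0.0/24 falls through to the default deny.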