 From:  Tenchi <tenchi at intergga dot ch>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] missing rule option... destination: WAN
 Date:  Fri, 18 Feb 2005 08:35:53 +0100
Hi Chris

I set up the VLANs as you recommended... my rules are:
- DNS: allow udp from vlan subnet to vlan subnet port 53
- WEB: allow tcp from vlan subnet to !

This works great with my XP clients, but with Win98 I can only do 1 or 2 
DNS lookups (different URLs in Internet Explorer or ping domain) and 
afterwards it hangs (timeout). Then I can't even do a DHCP renew 
anymore. It's totally reproducible and not hardware dependent (dual 
boot). There are no firewall entries afterwards, the client's net is dead.

Info: I'm using the DNS forwarder.

What am I missing here?

Chris Buechler wrote:
> make the VLANs contiguous subnets.  If you have only one machine on
> each VLAN, then each VLAN only needs two IPs, so you could use /30s.
> Like:
> VLAN1 - (usable IPs and
> VLAN2 - (usable .9 and .10)
> VLAN3 - (.13 and .14)
> And summarize the rule for all 20 VLANs with  So on each
> VLAN you'd have a deny src * dst rule, and permit any
> following that.
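The layout Chris describes (contiguous /30 per VLAN, one summary prefix covering all of them, and a per-VLAN rule set of "allow DNS to own gateway, deny anything to the summary, permit the rest") can be worked through with Python's standard `ipaddress` module. The block below is an added example written for this archive page, not code from the thread or from m0n0wall; the thread's own addresses did not survive extraction, so it uses constructed addresses from the 192.0.2.0/24 documentation range, and the first-match evaluator is a simplified model of a stateful-firewall rule set, not m0n0wall's actual ipfilter syntax.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample addressing (assumption, not from the thread): the /30s are
# carved from the RFC 5737 documentation block 192.0.2.0/24.
BASE_BLOCK = ipaddress.ip_network("192.0.2.0/24")
VLAN_COUNT = 20
ANY = ipaddress.ip_network("0.0.0.0/0")

# A rule is (action, protocol, source network, destination network, destination port).
# protocol "any" and port None act as wildcards.
Rule = Tuple[str, str, ipaddress.IPv4Network, ipaddress.IPv4Network, Optional[int]]


def carve_vlan_subnets(base: ipaddress.IPv4Network, count: int) -> List[ipaddress.IPv4Network]:
    """Return the first `count` contiguous /30 subnets inside `base`, one per VLAN."""
    subnets = list(base.subnets(new_prefix=30))
    if len(subnets) < count:
        raise ValueError(f"{base} only holds {len(subnets)} /30s, need {count}")
    return subnets[:count]


def usable_hosts(net: ipaddress.IPv4Network) -> Tuple[str, str]:
    """The two usable addresses of a /30 (network and broadcast excluded)."""
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])


def summary_prefix(subnets: List[ipaddress.IPv4Network]) -> ipaddress.IPv4Network:
    """Smallest single prefix that covers every subnet in the contiguous list.

    This is the prefix that goes into the one 'deny to all other VLANs' rule.
    """
    net = subnets[0]
    last = subnets[-1]
    while not last.subnet_of(net):
        net = net.supernet()
    return net


def build_vlan_rules(vlan_net: ipaddress.IPv4Network, summary: ipaddress.IPv4Network) -> List[Rule]:
    """Per-VLAN rule set in the order Chris suggests, plus the DNS-forwarder allow."""
    return [
        # DNS to the forwarder listening on this VLAN's own gateway address.
        ("pass", "udp", vlan_net, vlan_net, 53),
        # Nothing from this VLAN may reach any address inside the VLAN summary.
        ("block", "any", ANY, summary, None),
        # Everything else (the Internet) is permitted.
        ("pass", "any", ANY, ANY, None),
    ]


def first_match(rules: List[Rule], proto: str, src: str, dst: str, dport: Optional[int]) -> str:
    """Evaluate a flow against the rules top-down; implicit default is block."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "any" and rproto != proto:
            continue
        if src_ip not in rsrc or dst_ip not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "block"


if __name__ == "__main__":
    vlans = carve_vlan_subnets(BASE_BLOCK, VLAN_COUNT)
    summary = summary_prefix(vlans)
    print(f"summary prefix for {VLAN_COUNT} VLANs: {summary}")
    for i, net in enumerate(vlans[:3], start=1):
        print(f"VLAN{i} {net} usable {usable_hosts(net)}")

    vlan2 = vlans[1]
    gw, client = usable_hosts(vlan2)           # gateway on m0n0wall, one client
    rules = build_vlan_rules(vlan2, summary)
    for flow in [("udp", client, gw, 53),                      # DNS to own forwarder
                 ("tcp", client, usable_hosts(vlans[2])[1], 80),  # neighbouring VLAN
                 ("tcp", client, "203.0.113.10", 80)]:           # the Internet
        print(flow, "->", first_match(rules, *flow))
```

The summary for twenty /30s is 80 addresses, so the covering prefix rounds up to a /25; the deny rule therefore also blocks the unused tail of that block, which is harmless and keeps the rule set to three entries per VLAN. Note that the DNS allow is deliberately scoped to the VLAN's own subnet: a lookup sent to another VLAN's gateway falls through to the deny rule.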