I set up the VLANs as you recommended... my rules are:
- DNS: allow udp from vlan subnet to vlan subnet port 53
- WEB: allow tcp from vlan subnet to !10.0.0.0/24
This works great with my XP clients, but with Win98 I can only do 1 or 2
DNS lookups (different URLs in Internet Explorer, or pinging a domain) and
afterwards it hangs (timeout). Then I can't even do a DHCP renew
anymore. It's totally reproducible and not hardware-dependent (dual
boot). There are no firewall log entries afterwards; the client's network is dead.
Info: I'm using the DNS forwarder.
What am I missing here?
Chris Buechler wrote:
> Make the VLANs contiguous subnets. If you have only one machine on
> each VLAN, then each VLAN only needs two IPs, so you could use /30s.
> VLAN1 - 10.0.0.4/30 (usable IPs 10.0.0.5 and 10.0.0.6)
> VLAN2 - 10.0.0.8/30 (usable .9 and .10)
> VLAN3 - 10.0.0.12/30 (.13 and .14)
> And summarize the rule for all 20 VLANs with 10.0.0.0/24. So on each
> VLAN you'd have a deny src * dst 10.0.0.0/24 rule, and permit any
> following that.
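An added worked example (not part of the thread, written by the editor) of the addressing plan in the quoted reply and of the two rule sets discussed: it carves the 20 /30 VLAN subnets out of 10.0.0.0/24 exactly as listed (VLAN1 = 10.0.0.4/30, VLAN2 = 10.0.0.8/30, ...), checks that every one of them falls inside the /24 summary, and then runs a few constructed flows through a first-match, default-deny evaluator modelled on how m0n0wall/pfSense interface rules are processed. The flow addresses (198.51.100.10 as an Internet host) and the assumption that the firewall holds the first usable IP of each /30 and the client the second are the editor's, not the posters'. It says nothing about the Win98 behaviour reported above; it only shows what each rule set permits.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The /24 that the quoted reply summarizes all 20 VLAN /30s into.
SUMMARY = ipaddress.ip_network("10.0.0.0/24")


def vlan_subnets(count=20, base=SUMMARY):
    """Carve consecutive /30s out of the summary block, starting at .4 as in the
    quoted plan. Returns {vlan_number: (network, firewall_ip, client_ip)}.
    Assumption (editor's): firewall = first usable IP, client = second."""
    blocks = list(base.subnets(new_prefix=30))  # 64 x /30 inside a /24
    out = {}
    for i in range(count):
        net = blocks[i + 1]  # skip 10.0.0.0/30 so that VLAN1 is 10.0.0.4/30
        fw_ip, client_ip = list(net.hosts())  # /30 has exactly two usable hosts
        out[i + 1] = (net, fw_ip, client_ip)
    return out


def all_in_summary(vlans, summary=SUMMARY):
    """True when every VLAN /30 is covered by the summary /24 (so one rule can
    reference them all)."""
    return all(net.subnet_of(summary) for net, _, _ in vlans.values())


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    proto: str                       # "udp", "tcp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_negate: bool = False         # True models a "!10.0.0.0/24" destination
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, proto, src_ip, dst_ip, dport):
        if self.proto != "any" and self.proto != proto:
            return False
        if src_ip not in self.src:
            return False
        if (dst_ip in self.dst) == self.dst_negate:  # negated: match only when NOT in dst
            return False
        return self.dport is None or self.dport == dport


def first_match(rules, proto, src_ip, dst_ip, dport):
    """First matching rule wins; no match means the implicit default deny."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action
    return "block"


def poster_rules(vlan_net):
    """The two rules from the original post, for one VLAN interface."""
    return [
        Rule("pass", "udp", vlan_net, vlan_net, dport=53),        # DNS to the forwarder on this VLAN
        Rule("pass", "tcp", vlan_net, SUMMARY, dst_negate=True),   # WEB: tcp to anything outside the /24
    ]


def quoted_rules(vlan_net):
    """The quoted suggestion taken literally: deny to the /24, then permit any."""
    return [
        Rule("block", "any", vlan_net, SUMMARY),
        Rule("pass", "any", vlan_net, ipaddress.ip_network("0.0.0.0/0")),
    ]


def evaluate(rule_builder, vlan=1):
    """Run constructed flows from the VLAN's client through the given rule set."""
    vlans = vlan_subnets()
    net, fw_ip, client_ip = vlans[vlan]
    other_net, other_fw, other_client = vlans[vlan + 1]
    internet = ipaddress.ip_address("198.51.100.10")  # constructed Internet host
    flows = {
        "dns_to_forwarder": ("udp", client_ip, fw_ip, 53),
        "web_internet": ("tcp", client_ip, internet, 80),
        "web_other_vlan": ("tcp", client_ip, other_client, 80),
        "dns_to_other_vlan_fw": ("udp", client_ip, other_fw, 53),
    }
    rules = rule_builder(net)
    return {name: first_match(rules, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for n, (net, fw, client) in vlan_subnets().items():
        print(f"VLAN{n}: {net} firewall={fw} client={client}")
    print("all /30s inside", SUMMARY, "->", all_in_summary(vlan_subnets()))
    print("poster's rules:", evaluate(poster_rules))
    print("quoted rules:  ", evaluate(quoted_rules))
```

Two things the evaluator makes visible: the poster's rules let DNS reach the forwarder on the VLAN's own /30 and TCP reach the Internet, while blocking everything toward the other /30s, which is the intent. The quoted "deny dst 10.0.0.0/24, then permit any" pair, if applied literally, also denies UDP/53 to the firewall's own address on that VLAN (it lies inside the /24), so a DNS pass rule has to sit ahead of the deny when the DNS forwarder is used.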