 From:  Fig <figmail at comcast dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] New User
 Date:  Wed, 05 Oct 2005 16:32:49 -0500
OK, so the 233 won't be enough. I was afraid of that. :-(

I was thinking that instead of putting all the guests on a 24-port 
switch, I would put them on 3 8-port switches and have each switch on 
its own NIC on the m0n0wall box. They could infect the other 8 on their 
switch, but not the 16 on the other 2 switches. Something is better than 
nothing... :)

I assume that will take more CPU/RAM though. Maybe I should not worry 
about segmenting the untrusted LAN?


Carsten Holbach wrote:

> Heya
> Nice wishes you have ;)
> The problem is: How can you block traffic from one guest to another 
> that is unwanted? Especially malware, viruses and trojan horses spread 
> themselves with broadcasts. In the case that you do not connect each 
> guest's computer to its own NIC in your m0n0wall, but all of them 
> into a switch (which is common in LANs and LAN party environments), you 
> can't block that. If you want to, you need a manageable switch of the 
> higher class, where you can close ports in that switch.
> If I understand you right, you just want to block the untrusted LAN 
> from the trusted. That's no problem with m0n0wall, and your pings 
> should be nice (if somebody complains about a latency 5ms higher 
> than usual, kick him ^^) if the hardware of the m0n0 box is a bit more 
> decent.
> The situation I described above applies to the untrusted LAN(s), then.
> Greetings
> Carsten
> Fig wrote:
>> Hello,
>> I finally have the time to finish my M0n0wall box for my LAN. 
>> Currently I am running on a Linksys router. It does ok, but there are 
>> not enough forwarding lines to handle my needs.
>> I have a small 100Base-T LAN in my basement, and throw regular LAN 
>> parties of up to 30 people. I have 8 gaming machines that are mine, 
>> and a Samba server, a Linux web/FTP/Teamspeak server, a Linux 
>> gameserver, and a Win32 gameserver. All the servers except the Samba 
>> server will be accessible from outside, and the Samba server has NFS 
>> installed so the Linux app server can use it as a local drive. 6 of 
>> the gaming machines run Win98SE and have no AV software, and I want 
>> to block their access to the net. My outside connection is via cable 
>> modem.
>> A big concern is the computers my guests bring in. I don't have 
>> anything to prevent infection across my LAN, so I would like to set 
>> M0n0 up to have my "trusted" machines (gamers and servers) on one 
>> leg, the brought-in machines on another, and allow them to 
>> communicate across on selected ports as needed for the games we 
>> will play. I would also like to allow people to access the 
>> fileserver for patches and mods to the games. If possible, I have 
>> room for a few additional Realtek NICs and 8-port switches and would 
>> like to further segment the "untrusted" portion of my LAN to help 
>> protect my friends from each other in case someone goofs. So I might 
>> have WAN, LAN, and 3 OPT (untrusted), for example.
>> Will I be able to achieve this with m0n0wall and still keep my 
>> latencies down to acceptable levels? I have a few systems I can use, 
>> I prefer to use a P233 box with 128MB of RAM but I can go up to a 
>> Duron 1300 with 256MB if it is needed.
>> Thoughts?
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch