 From:  "Patterson, Derek" <dpatterson at gsi dash kc dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Failed m0n0wall implementation, need help...
 Date:  Wed, 19 Oct 2005 12:09:16 -0500
Hello everyone, I have a couple of questions about a failed m0n0wall
implementation.  First off, some background: I work for a large web
hosting/colocation company and as such our network is rather complex.
I have been tasked with the migration of one of our corporate Shorewall
firewalls to m0n0wall.  This firewall acts as the separation point
between the internet and our corporate network, and between our corporate
network and our datacenter network (the datacenter network goes out
through a completely different set of firewalls and routers to the
internet).  I have done a couple of Shorewall to m0n0wall migrations in
the past; however, they were based on one interface for LAN and another
for WAN.  The difference is that I need to deal with about 8 different
VLANs all coming in on the same interface, with the WAN on another
separate interface.  I am able to set up the VLANs and able to get
traffic on those VLANs to talk to the internet and, in a limited manner,
talk between VLANs.  That's the first problem: even with allowing all
traffic out of a VLAN and into another VLAN with a permit all, I get some
traffic that is blocked even without a rule to block it.  I am simply
using the permit all for testing; as part of our compliance requirements
the cross talk between VLANs will be closed down to only required

The bigger problem is that it seems like I can only tell one interface
about the default routes into our datacenter.  There doesn't seem to be
a global routing option where I can tell all VLANs, interfaces, etc. on
the internal side about the route into the datacenter.  Once I create
the route on one interface it will not allow it on another interface,
even though the other interfaces cannot seem to use that "known" route.

And finally the third issue is one that I realize is unsupported, but
maybe someone has had some success in a work around.  As bad a practice
as it is, some of our devices have to be able to access a public IP on
the LAN/VLAN side of things.  Unfortunately it isn't an option at this
point to remove that capacity.

The m0n0wall for this is running on a P4 3.2GHz with 512MB RAM off a
128MB CF card, with two gigabit network interfaces on board.

As a side question, I have been trying to find a spec sheet that tells
me how many VLANs m0n0wall can support as well as what the network
throughput would be for a machine of the class shown above.  We are also
interested in any HA (high availability) news beyond that it's a wishlist
item.  We would possibly even be willing to put up a prize of some kind
for the team that can produce a stable HA m0n0wall build.

I can provide more details on the specifics, but at this point I am just
trying to find the right path to take towards resolving these issues.

Thanks for any assistance.

Derek Patterson
Greensoft Solutions, Inc.