 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Failed m0n0wall implementation, need help...
 Date:  Wed, 19 Oct 2005 16:42:21 -0400
On 10/19/05, Patterson, Derek <dpatterson at gsi dash kc dot com> wrote:
> That's the first problem, even with allowing all
> traffic out of a VLAN and into another VLAN with a permit all I get some
> traffic that is blocked even without a rule to block it.

My first guess is the antispoofing rules, and a wrong subnet mask, or
missing static route, or something of that nature.  Need more
specifics of exactly how this is all set up and what you're seeing
getting dropped.

> The bigger problem is that it seems like I can only tell one interface
> about the default routes into our datacenter.  There doesn't seem to be
> a global routing option where I can tell all VLANs, interfaces, etc on
> the internal side about the route into the datacenter.

Your default route is the default route for all networks (from
m0n0wall's perspective, and assuming it's the default gateway on all
these VLANs).

> Once I create
> the route on one interface it will not allow it on another interface,
> even though the other interfaces cannot seem to use that "known" route.

That's not true, you probably have something messed up there.

> And finally the third issue is one that I realize is unsupported, but
> maybe someone has had some success in a work around.  As bad a practice
> as it is, some of our devices have to be able to access a public IP on
> the LAN/VLAN side of things.  Unfortunately it isn't an option at this
> point to remove that capacity.

Will need to route a whole subnet of public IPs over to one of the
VLANs.  Otherwise you'll end up with a big mess.

> As a side question, I have been trying to find a spec sheet that tells
> me how many VLANs m0n0wall can support

32 is the maximum supported total number of interfaces (VLAN or physical).
More than that will likely work fine, though when you get more than
that you might really slow down the webGUI and it isn't supported.

> as well as what the network
> throughput would be for a machine of the class shown above.

In a typical LAN/WAN setup, that should do 800-900+ Mb.  Throw VLANs
into the mix, and I'm not sure.

> We are also
> interested in any HA (high availability) news beyond that it's a wishlist
> item.

1.3 looks like it's going to end up with CARP and pfsync, but that's
still yet to be determined.

> I can provide more details on the specifics, but at this point I am just
> trying to find the right path to take towards resolving these issues.

A network diagram and your config.xml would be helpful.  This is way
too complex to easily figure out any other way.
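The diagnosis at the top of the reply (antispoofing rules combined with a wrong subnet mask or a missing static route) is easy to reproduce on paper. The Python below is an added example written for this page; it is not m0n0wall code and was not posted by either participant. It models a simplified reverse-path antispoofing rule (a packet is accepted on an interface only if the firewall would route traffic back to its source address out of that same interface, with unknown sources expected on the default-route interface) and uses constructed interface names, addresses and routes.

```python
import ipaddress

# Constructed multi-VLAN layout in the spirit of the thread (not the poster's real config).
# The firewall believes VLAN20 is a /24, but the hosts there are actually numbered out of a /23.
INTERFACES_WRONG_MASK = {
    "WAN": "203.0.113.2/30",
    "VLAN10": "172.16.10.1/24",
    "VLAN20": "172.16.20.1/24",   # wrong: should be /23
}
INTERFACES_FIXED = dict(INTERFACES_WRONG_MASK, VLAN20="172.16.20.1/23")

# Static route to the datacenter via a router that sits on VLAN10 (constructed).
STATIC_ROUTES = [("10.0.0.0/8", "172.16.10.254")]
DEFAULT_IF = "WAN"   # unknown sources are expected to arrive via the default route


def build_route_table(interfaces, static_routes):
    """Directly connected subnets plus static routes, each resolved to the
    interface that owns the gateway address. Returns [(network, ifname)]."""
    table = []
    for ifname, cidr in interfaces.items():
        table.append((ipaddress.ip_network(cidr, strict=False), ifname))
    for dest, gateway in static_routes:
        gw = ipaddress.ip_address(gateway)
        owner = next((ifname for ifname, cidr in interfaces.items()
                      if gw in ipaddress.ip_network(cidr, strict=False)), None)
        if owner is None:
            # A static route whose gateway is not on any interface is unusable.
            raise ValueError(f"gateway {gateway} is not on any interface subnet")
        table.append((ipaddress.ip_network(dest), owner))
    return table


def expected_ingress_interface(table, default_if, src):
    """Longest-prefix match on the source address: the interface on which the
    firewall expects packets from src to arrive."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, ifname in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else default_if


def antispoof_verdict(interfaces, static_routes, default_if, ingress_if, src):
    """'pass' if src is expected on ingress_if, otherwise a 'drop ...' reason string.
    Simplified reverse-path model, not m0n0wall's actual ruleset."""
    table = build_route_table(interfaces, static_routes)
    expected = expected_ingress_interface(table, default_if, src)
    if expected == ingress_if:
        return "pass"
    return f"drop (src {src} expected on {expected}, arrived on {ingress_if})"


def diagnose():
    """Run the constructed scenarios and return their verdicts keyed by name."""
    cases = {
        # Host in the upper half of the real /23 arrives on VLAN20.
        "vlan20_host_wrong_mask": (INTERFACES_WRONG_MASK, "VLAN20", "172.16.21.5"),
        "vlan20_host_fixed_mask": (INTERFACES_FIXED, "VLAN20", "172.16.21.5"),
        # Datacenter reply traffic entering via the router on VLAN10.
        "datacenter_via_vlan10": (INTERFACES_FIXED, "VLAN10", "10.1.2.3"),
        # Same source address showing up on VLAN20 is treated as spoofed.
        "datacenter_via_vlan20": (INTERFACES_FIXED, "VLAN20", "10.1.2.3"),
    }
    return {name: antispoof_verdict(ifs, STATIC_ROUTES, DEFAULT_IF, ingress, src)
            for name, (ifs, ingress, src) in cases.items()}


if __name__ == "__main__":
    for name, verdict in diagnose().items():
        print(f"{name:28s} {verdict}")
```

The first two cases are the symptom described in the thread: with a /24 configured on VLAN20, a host at 172.16.21.5 is not on any known network, is expected on the WAN side, and is dropped even though a permit-all rule exists; correcting the mask makes the same packet pass. The last two cases show why a static route matters for antispoofing as well as for forwarding: the route ties the 10.0.0.0/8 sources to VLAN10, so the same addresses seen on another VLAN are rejected.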