On Sun, 11 Jan 2004, Jim McBeath wrote:
> On Mon, Jan 12, 2004 at 12:19:55AM -0600, fred at daytonawan dot com wrote:
> > You can't really use any firewalls I can think of with only one interface,
> > simply because there wouldn't be much security there. Although, you
Indeed, especially since many broadband setups run the modem as a bridge,
often with no more filtering than the minimum required by 802.1D.
> > can use the same switch or hub or whatever for both interfaces and rely
> > on layer 3 to separate your WAN and LAN networks. I know that, because
> > I'm doing it at present. If for some reason you can't connect a second
> > ethernet interface directly to your modem, you could leave it plugged in
> > to the hub and connect your second ethernet interface to the hub as well.
> > Either way, you really need a second ethernet interface on your m0n0 box.
Once you have a second NIC, you can connect that directly to the modem and
keep the modem off the LAN. If you need to have something else connect to
the modem, use a separate hub or switch.
> This would be an interesting application for an interface alias ability in
> m0n0wall. That should give you the same functionality as using two NICs
> connected to one hub.
No, the alias capability is just an "alias", not a full-fledged separate
logical interface. They don't associate with separate routing entries,
and hence the alias addresses are never used as (default) source addresses
in outbound connections. For most practical purposes, aliases are only
useful when in the same subnet as the primary address. This is fine for
their intended purposes, such as providing multiple WAN IPs (which can be
NATted to different internal servers), or using different LAN IPs for
different "roles" that can be assigned to the same box or to different
boxes without reconfiguring clients.