 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] CAP Portal / VLAN's how to - InterVLAN routing?
 Date:  Mon, 30 Jan 2006 21:50:06 -0500
On 1/30/06, person <blankinvites plus m0n0 at gmail dot com> wrote:
> Can inter-VLAN routing be done with m0n0wall?

Yes. Some (unfinished) documentation: http://wiki.m0n0.ch/wikka.php?wakka=VLAN

> Is it best practice to do so?

If you don't need to pass a whole lot of traffic between the VLANs,
it's fine.  Make sure you follow Cisco's recommended VLAN security
best practices when configuring the switch.

> What we want to do, is have anyone on the "external port" come up on their
> own locked down VLAN to the captive portal. Then we want to use RADIUS and
> machine certificates to authenticate the individual machines, not users. If
> they authenticate, put them onto the private network with all access. If
> they don't authenticate, just put them on a jailed VLAN that only has
> internet access and DNS access but no access to internal services or other
> machines.
> Is this feasible?

What you're talking about there is actually switching the VLAN the
user is on.  m0n0wall can't do that; that's a function of the switch.
What you can do is leave all the "external port" users on that outside
VLAN, and let users who authenticate successfully out to the Internet.
Unauthenticated users would be on the same network, but not able to
go outside of that network.
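As an added illustration of the "Cisco VLAN security best practices" the reply points at (this is an editor's example, not part of the thread and not m0n0wall code), the following Cisco IOS fragment shows the switch side of the setup: a trunk carrying the captive-portal VLAN and the private VLAN to m0n0wall, access ports pinned to one VLAN each, and the weak defaults removed. Interface names, VLAN numbers and the port toward m0n0wall are assumptions; the commands themselves are standard IOS.

```cisco
! Added example, not from the thread or the m0n0wall project.
! Assumed: trunk to m0n0wall on Gi0/1, portal users on VLAN 10,
! private network on VLAN 20, VLAN 999 reserved and never used for hosts.
!
! Weak defaults this replaces: every port in VLAN 1, DTP negotiating
! trunks on any port, native VLAN 1 on trunks, all VLANs allowed on
! every trunk. Those are what the VLAN-hopping attacks rely on.

! Keep user traffic off VLAN 1; give every role its own VLAN
vlan 10
 name PORTAL_USERS
vlan 20
 name PRIVATE
vlan 999
 name UNUSED_NATIVE

! Tag the native VLAN on trunks too (platforms that support it),
! so untagged frames are not silently mapped into a VLAN
vlan dot1q tag native

! Trunk to the m0n0wall VLAN interface: no DTP, unused native VLAN,
! and only the VLANs m0n0wall actually routes between
interface GigabitEthernet0/1
 description Trunk to m0n0wall
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20

! "External port" users: static access ports on the portal VLAN,
! DTP off so a host cannot negotiate itself into a trunk
interface range GigabitEthernet0/2 - 12
 description External port users (captive portal VLAN)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable

! Private network ports, same treatment on VLAN 20
interface range GigabitEthernet0/13 - 23
 description Private network
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable

! Unused ports: parked in the unused VLAN and shut down
interface GigabitEthernet0/24
 switchport mode access
 switchport access vlan 999
 shutdown
```

With this in place m0n0wall sees VLAN 10 and VLAN 20 as two interfaces on the trunk and applies the captive portal and firewall rules between them, which is the model the reply describes: authenticated portal users are allowed out, unauthenticated ones stay inside VLAN 10. The `switchport trunk encapsulation dot1q` line is only needed on platforms that also support ISL. Moving a machine from VLAN 10 to VLAN 20 after it authenticates, as the question asks for, is still a switch-side feature (802.1X with a RADIUS-assigned VLAN on the port), not something m0n0wall does.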