On 1/30/06, person <blankinvites plus m0n0 at gmail dot com> wrote:
>
> Can inter-VLAN routing be done with m0n0wall?

Yes. Some (unfinished) documentation: http://wiki.m0n0.ch/wikka.php?wakka=VLAN

> Is it best practice to do so?
>

If you don't need to pass a whole lot of traffic between the VLANs, it's fine. Make sure you follow Cisco's recommended VLAN security best practices when configuring the switch.

> What we want to do is have anyone on the "external port" come up on their
> own locked down VLAN to the captive portal. Then we want to use RADIUS and
> machine certificates to authenticate the individual machines, not users. If
> they authenticate, put them onto the private network with all access. If
> they don't authenticate, just put them on a jailed VLAN that only has
> internet access and DNS access but no access to internal services or other
> machines.
>
> Is this feasible?
>

What you're talking about there is actually switching the VLAN the user is on. m0n0wall can't do that; that's a function of the switch. What you can do is leave all the "external port" users on that outside VLAN, and let users who authenticate successfully out to the Internet. Unauthenticated users would be on the same network, but not able to go outside of that network.

-Chris