I need some assistance with getting secondary addressing and firewall rules
playing nice together.
I found in some previous mailing list messages the config lines for adding
secondary addresses to an interface. These are the lines out of the config
I'm working with.
ifconfig vlan0 alias 172.16.100.1/24
ifconfig vlan1 alias 172.16.101.1/24
ifconfig vlan2 alias 172.16.102.1/24
ifconfig vlan3 alias 172.16.103.1/24
ifconfig vlan4 alias 172.16.104.1/24
ifconfig vlan5 alias 172.16.105.1/24
ifconfig vlan6 alias 172.16.106.1/24
ifconfig vlan7 alias 172.16.107.1/24
ifconfig vlan8 alias 172.16.108.1/24
ifconfig vlan9 alias 172.16.109.1/24
ifconfig vlan10 alias 172.16.110.1/24
The site in question uses m0n0wall at their core simply as a router. We
defined all their subnets (real IPs) to VLAN interfaces and created Any/Any
rules for all interfaces.
The site wanted to have secondary addressing available at each site for
equipment such as printers, WAPs, network electronics, etc., that did not
need real/valid IPs. I've used secondary addressing in this way at many
locations with Cisco and Allied Telesyn gear without an issue.
I used the config statements above to create the secondary addressing and I
could in fact ping every one of those .1 addresses. So I "assumed"
everything worked fine. Come to find out this is not the case. Even though
there are firewall rules for Any/Any on every single interface the firewall
blocks traffic coming from the secondary ranges.
A client from any VLAN can ping a host (example: 172.16.100.10 on VLAN0)
just fine and get 100% responses. That very client (172.16.100.10) cannot
ping its gateway, nor any other host outside its own subnet. The firewall
log shows every packet coming from .10 as denied.
What gives? Is there a way to just turn the firewall component off
entirely, rather than simply Any/Any rules everywhere? Why would m0n0wall
block traffic coming from the alias subnets?
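A small triage helper for the situation described in the post, added here as an example and not part of the original message or of m0n0wall: it reads the `ifconfig ... alias` lines above, builds a map of interface to alias subnet, and sorts denied log entries by whether the source address sits in an alias subnet on the very interface that holds it, in an alias subnet of a different interface (which would look like spoofing), or in no alias subnet at all. The log format (`iface action src -> dst`) is a constructed stand-in, not m0n0wall's real filter log format; swap in a parser for the real format before pointing this at production logs. If every deny lands in the first bucket, the problem is how the interface's rule set treats its own alias ranges, not stray traffic.

```python
import ipaddress
import re

# Alias lines from the post, used here as the config input.
ALIAS_CONFIG = """
ifconfig vlan0 alias 172.16.100.1/24
ifconfig vlan1 alias 172.16.101.1/24
ifconfig vlan2 alias 172.16.102.1/24
ifconfig vlan3 alias 172.16.103.1/24
ifconfig vlan4 alias 172.16.104.1/24
ifconfig vlan5 alias 172.16.105.1/24
ifconfig vlan6 alias 172.16.106.1/24
ifconfig vlan7 alias 172.16.107.1/24
ifconfig vlan8 alias 172.16.108.1/24
ifconfig vlan9 alias 172.16.109.1/24
ifconfig vlan10 alias 172.16.110.1/24
"""

# Constructed sample log lines in a hypothetical "iface action src -> dst"
# format. This is NOT m0n0wall's real log format; replace LOG_RE for that.
SAMPLE_LOG = """
vlan0 block 172.16.100.10 -> 172.16.100.1
vlan0 block 172.16.100.10 -> 172.16.101.50
vlan3 block 172.16.103.20 -> 8.8.8.8
vlan0 pass 198.51.100.10 -> 203.0.113.5
vlan5 block 172.16.100.77 -> 172.16.105.1
vlan2 block 10.9.9.9 -> 172.16.102.1
"""

ALIAS_RE = re.compile(r"^ifconfig\s+(\S+)\s+alias\s+(\S+)$")
LOG_RE = re.compile(r"^(\S+)\s+(pass|block)\s+(\S+)\s+->\s+(\S+)$")


def parse_aliases(text):
    """Map interface name -> list of alias networks from ifconfig alias lines."""
    aliases = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised config line: {line!r}")
        iface, cidr = m.groups()
        # strict=False: "172.16.100.1/24" has host bits set; keep the network.
        aliases.setdefault(iface, []).append(ipaddress.ip_network(cidr, strict=False))
    return aliases


def parse_log(text):
    """Return (iface, action, src, dst) tuples from the constructed log format."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised log line: {line!r}")
        iface, action, src, dst = m.groups()
        entries.append((iface, action, ipaddress.ip_address(src), ipaddress.ip_address(dst)))
    return entries


def find_alias(aliases, addr):
    """Return (iface, network) of the alias subnet containing addr, else None."""
    addr = ipaddress.ip_address(addr)
    for iface, nets in aliases.items():
        for net in nets:
            if addr in net:
                return iface, net
    return None


def triage_denies(aliases, entries):
    """Bucket blocked packets by where their source address sits relative to the aliases."""
    report = {
        "alias_src_on_own_iface": [],    # source in an alias subnet of the receiving interface
        "alias_src_on_other_iface": [],  # source in an alias subnet of some other interface
        "non_alias_src": [],             # source in no configured alias subnet
    }
    for iface, action, src, dst in entries:
        if action != "block":
            continue
        hit = find_alias(aliases, src)
        if hit is None:
            report["non_alias_src"].append((iface, src, dst))
        elif hit[0] == iface:
            report["alias_src_on_own_iface"].append((iface, src, dst))
        else:
            report["alias_src_on_other_iface"].append((iface, src, dst))
    return report


if __name__ == "__main__":
    rep = triage_denies(parse_aliases(ALIAS_CONFIG), parse_log(SAMPLE_LOG))
    for bucket, hits in rep.items():
        print(bucket, len(hits))
        for iface, src, dst in hits:
            print(f"  {iface}: {src} -> {dst}")
```

The "alias on other interface" bucket is worth keeping even if it stays empty: a source address from one VLAN's private range showing up on another VLAN's interface is exactly the case an interface-scoped rule set should drop, so separating it from the "own interface" denies keeps a real spoofing signal from being mistaken for a configuration problem.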