 From:  "Brandon Kahler" <bkahler at techline dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Help with secondary addressing
 Date:  Sat, 11 Feb 2006 17:34:29 -0800
I need some assistance with getting secondary addressing and firewall rules
playing nice together.

I found in some previous mailing list messages the config lines for adding
secondary addresses to an interface.  These are the lines out of the config
I'm working with.

		<shellcmd>ifconfig vlan0 alias</shellcmd>
		<shellcmd>ifconfig vlan1 alias</shellcmd>
		<shellcmd>ifconfig vlan2 alias</shellcmd>
		<shellcmd>ifconfig vlan3 alias</shellcmd>
		<shellcmd>ifconfig vlan4 alias</shellcmd>
		<shellcmd>ifconfig vlan5 alias</shellcmd>
		<shellcmd>ifconfig vlan6 alias</shellcmd>
		<shellcmd>ifconfig vlan7 alias</shellcmd>
		<shellcmd>ifconfig vlan8 alias</shellcmd>
		<shellcmd>ifconfig vlan9 alias</shellcmd>
		<shellcmd>ifconfig vlan10 alias</shellcmd>

The site in question uses m0n0wall at their core simply as a router.  We
defined all their subnets (real IPs) to VLAN interfaces and created Any/Any
rules for all interfaces.
The site wanted to have secondary addressing available at each site for
equipment such as printers, WAPs, network electronics, etc., that did not
need real/valid IPs.  I've used secondary addressing in this way at many
locations with Cisco and Allied Telesyn gear without an issue.

I used the config statements above to create the secondary addressing and I
could in fact ping every one of those .1 addresses.  So I "assumed"
everything worked fine.  Come to find out this is not the case.  Even though
there are firewall rules for Any/Any on every single interface the firewall
blocks traffic coming from the secondary ranges.

A client from any VLAN can ping a host (example: on VLAN0)
just fine and get 100% responses.  That very client ( cannot
ping its gateway, nor any other host outside its own subnet.  The firewall
log shows every packet coming from .10 as denied.

What gives?  Is there a way to just turn the firewall component off
entirely, rather than simply Any/Any rules everywhere?  Why would m0n0wall
block traffic coming from the alias subnets?

Brandon Kahler
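The symptom described in the post (Any/Any rules on every interface, yet the log shows every packet from the alias subnet denied) is easiest to confirm by correlating denied sources with the interface's primary and alias subnets. The script below is an added example written for this page; it is not code from the post, from m0n0wall, or from the list archive. It assumes a made-up interface table (`INTERFACES`), a simplified `verdict iface src -> dst` log format that is not m0n0wall's real log format, and constructed RFC 1918 / RFC 5737 addresses standing in for the real and secondary ranges the post refers to.

```python
"""Added example: classify firewall denies by whether the source address
belongs to an interface's primary subnet, one of its alias subnets, or
neither.  All data here is constructed for illustration; the interface
table and the log format are assumptions, not m0n0wall's own."""
import ipaddress
import re
from collections import defaultdict

# Constructed interface table: name -> (primary subnet, [alias subnets]).
# The primary is the "real IP" subnet the rules were written against; the
# aliases are the secondary ranges added with `ifconfig <if> alias ...`.
INTERFACES = {
    "vlan0": ("198.51.100.0/24", ["10.10.0.0/24"]),
    "vlan1": ("203.0.113.0/24", ["10.10.1.0/24"]),
}

# Constructed sample log in an assumed "verdict iface src -> dst" format.
SAMPLE_LOG = """\
deny vlan0 10.10.0.10 -> 10.10.0.1
pass vlan0 198.51.100.10 -> 198.51.100.1
deny vlan1 10.10.1.25 -> 203.0.113.7
deny vlan0 192.168.77.5 -> 198.51.100.1
"""

LOG_RE = re.compile(
    r"^(?P<verdict>deny|pass)\s+(?P<iface>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def classify_source(iface, src):
    """Return 'primary', 'alias' or 'foreign' for a source seen on iface.

    'foreign' means the address belongs to neither the primary nor any
    alias subnet of that interface, which is worth a separate look
    (misconfigured host or spoofed source) rather than being lumped in
    with the alias-subnet denies the post is about."""
    primary, aliases = INTERFACES[iface]
    addr = ipaddress.ip_address(src)
    if addr in ipaddress.ip_network(primary):
        return "primary"
    if any(addr in ipaddress.ip_network(a) for a in aliases):
        return "alias"
    return "foreign"


def denies_by_class(log_text):
    """Count denied packets per interface, keyed by source class.

    A non-zero 'alias' count on an interface that is supposed to pass
    everything is exactly the post's symptom: the rules cover the primary
    subnet but the alias subnet is still being blocked."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m.group("verdict") != "deny":
            continue
        iface = m.group("iface")
        if iface not in INTERFACES:
            continue  # unknown interface name: skip rather than guess
        counts[iface][classify_source(iface, m.group("src"))] += 1
    return {iface: dict(c) for iface, c in counts.items()}


def interfaces_blocking_aliases(log_text):
    """Names of interfaces whose alias subnets produced at least one deny."""
    summary = denies_by_class(log_text)
    return sorted(i for i, c in summary.items() if c.get("alias", 0) > 0)


if __name__ == "__main__":
    for iface, classes in denies_by_class(SAMPLE_LOG).items():
        print(iface, classes)
    print("alias subnets being blocked on:", interfaces_blocking_aliases(SAMPLE_LOG))
```

Running it over the constructed log reports alias-subnet denies on both VLANs plus one foreign source on vlan0; on a real box the interface table would be filled from the alias lines in the config and the regex adapted to the actual log format, which is the one thing this script deliberately does not guess at.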