Hi All,

I've been searching the lists and haven't been able to find a concrete answer as to how to solve a configuration problem I'm having with multiple WAN IP's being NAT'ed to multiple internal VLAN'ed networks. The closest I've been able to find is a HOWTO from Chris Buechler that gets me essentially 1/3rd of the way through [on the LAN side] (http://wiki.m0n0.ch/wikka.php?wakka=VLAN), but I am stuck on the m0n0 config. I'm fairly new to VLAN and routing concepts in general, so please be easy on me ;-)

My hardware is for all purposes identical to what Chris Buechler detailed in his guide. I have a Soekris net4801-50 box running m0n0 1.21 serving as the router, a Cisco 2924XL L2 switch attached to the sis1 interface on the Soekris box, another 8 port unmanaged POE switch attached to the sis2 interface (for DMZ'd wireless AP's), and the sis0 interface attached to my ISP's router.

The Cisco switch in my setup is configured nearly identically to the guide's switch config, with the exception that I have a few more VLAN's assigned. All VLAN's are trunked through port 24 (which, as stated above, is connected to sis1 on the Soekris box).

On to the hard part (or at least what I can't figure out!):

I have a block of public IP's (/29 subnet) of which I would like to assign individual IP's to specific VLAN's (assuming via NAT). These IP's would essentially be the public gateways for each VLAN (there are several hosts in each LAN network that I plan to port forward services to, so a 1:1 host NAT wouldn't work AFAIK). Some of the VLAN's would share a public IP [is this possible?], as I am limited to only a /29 block of IP's.

Public IP info:

inet: xxx.xxx.xxx.33 /29
usable range: xxx.xxx.xxx.34 - 38

On the Soekris I have the following setup:

WAN_0: sis0 (xxx.xxx.xxx.34)
DMZ: sis2 (192.168.9.254)
LAN_0: sis1 (192.168.8.254)
LAN_1: VLAN 10 on sis1 (192.168.10.254)
LAN_2: VLAN 15 on sis1 (192.168.15.254)
LAN_3: VLAN 20 on sis1 (192.168.20.254)
LAN_4: VLAN 25 on sis1 (192.168.25.254)
LAN_5: VLAN 30 on sis1 (192.168.30.254)
LAN_6: VLAN 35 on sis1 (192.168.35.254)

The DMZ network is for a wireless captive portal system. All the other LAN's (1-6) are for separate networks, some of which need their own public IP address; others can share:

LAN_0, DMZ = xxx.xxx.xxx.34
LAN_1: = xxx.xxx.xxx.35
LAN_2: = xxx.xxx.xxx.36
LAN_3,LAN_5,LAN_6 = xxx.xxx.xxx.37
LAN_4: = xxx.xxx.xxx.38

So, given the above information, would someone have an idea of how to set this up? The main reason for this setup is that I want to replace an existing Cisco 2610 router [that essentially is doing the above configuration] with the Soekris / m0n0wall solution, as it adds VPN, captive portal, and traffic shaping functionality to the total solution.

Any help would be greatly appreciated,

Thank you,

- JP