[ previous ] [ next ] [ threads ]
 From:  "Marc A. Runkel" <mrunkel at skyriver dot net>
 To:  "David Burgess" <apt dot get at gmail dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] multiple subnets on single LAN interface?
 Date:  Wed, 7 Mar 2007 08:14:58 -0800
Hey David,

If I understand this right, all your clients and your servers/equipment are connected in the same
broadcast domain, but are separated by logical IP addressing?  Ie, the devices are plugged into the
same switch, but have different IP ranges?

First, it must be a very interesting story about why this came about, but we'll leave that for a
different day.

Second, one solution is to bring the DHCP lease renewal time as short as possible, wait 1/2 of the
time of whatever your current renewal period is (if it's one week, way 3.5 days), and then change
your DHCP server settings overnight.  DHCP clients attempt to renew at 1/2 their reservation time,
so this method causes all the clients to first get short renewal times and then to get new IP
addresses.  You can also force this by simply having your users reboot their PCs in the morning when
they arrive, I'm 99% certain the DHCP spec requires renewal upon startup.  Surely they're savvy
enough to do that?

If you really want to maintain your existing IP numbering scheme, you need to add a secondary IP to
the monowall interface. NO way to do this through the GUI though.  You'd have to do it with the
/exec.php page.

Or, if you have an extra interface in your monowall, plug it into the same switch and give it the
server's IP range.  Just turn on advanced NAT.  Lacking an extra interface, you can also setup VLANs
(if your switches support that feature) and route between the virtual interfaces.   

The monowall (any router) needs to "know" about the equipment's IP network and it needs to know how
to get there.  Note that in any setup where the router gets involved, you are creating a bottleneck
at the router, both in it's CPU's ability to switch the packets and on the total bandwidth of the
router interface.

Lastly, 300+ devices is a lot for any Ethernet subnet.  You might want to plug ethereal into your
network and take a look at your broadcast traffic.  You might want to add the extra interface(s) to
the monowall and split the servers and clients into smaller functional networks with routing in
between.  You need to do some traffic analysis before you implement that.

-----Original Message-----
From: David Burgess [mailto:apt dot get at gmail dot com] 
Sent: Tuesday, March 06, 2007 3:24 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] multiple subnets on single LAN interface?

On 3/6/07, krt <kkrrtt at gmail dot com> wrote:
> Short Answer: No
> Long Answer:
> You have to route your packets if you do not participate in those
> subnets with a local interface.

By "route your packets" are you referring to routing table
modifications on my client machine? Or routing table modifications to
the m0n0wall? Because the latter is kind of where I was trying to go,
and without success.

> Why not run the DHCP server with a range of IP addresses from the
> that you've reserved as the "DHCP RANGE" and that you will
> not and do not have current static assignments in?

This is an option, but it means lots and lots of people not having
internet access until they renew their dhcp lease, which in many cases
would mean a week up to a month without internet. And no, most of
these people aren't savvy enough to try that on their own, and no, I
won't be fielding all the angry phone calls. So basically it's not a
very practical option for us.

So is there a really long answer that wasn't included in the first
response? I'm not averse to reading up if there's a way to do this.
I'm just not finding anything really relevant in my searches so far.

For what it's worth, here's an interesting excerpt from m0n0wall's
System:Advanced page:

"Bypass firewall rules for traffic on the same interface
This option only applies if you have defined one or more static
routes. If it is enabled, traffic that enters and leaves through the
same interface will not be checked by the firewall..."

Am I wrong in inferring that if traffic enters an interface,
potentially passes through the firewall, then leaves the same
interface, then said traffic must have differing source and
destination subnets, which is basically what I'm trying to implement.
Am I misinterpreting the function of a static route here?


> David Burgess wrote:
> > I'm not sure if I'm going down a blind alley here, but it seems to me
> > there must be a way to access a subnet other than one's own without
> > crossing the firewall. Here's my m0n0wall's basic setup:
> >
> > WAN: static public IP address
> > LAN:, running dhcpd
> >
> > Our clients all get IPs from the LAN dhcpd.
> > Meanwhile, our equipment all have static IP addresses on the subnet
> > Currently, to connect with a piece of equipment one
> > must change one's IP address manually to the 172.16/16 subnet. Is
> > there not a way using static routes to maintain one's 10/16 address
> > and have the m0n0wall redirect 172.16/16 requests to the appropriate
> > equipment on the LAN? I tried adding a static route thus:
> >
> > 172.16            UGS         0      126    [LAN]
> >
> > but no dice. I tried a similar entry, using as the gateway,
> > but nothing still. Is this possible? Can somebody point me to a
> > resource if it's not a simple fix? Please don't tell me to change my
> > equipment to the 10/16 subnet, as we're talking about ~300 items here.
> > I'll consider that a last resort, along with manually changing my IP
> > to the 172.16/16 every time I want to have a look.
> >
> > Thanks,
> > db
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> >
> >

To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch