 From:  mtnbkr <waa dash m0n0wall at revpol dot com>
 To:  m0n0wall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] multiple subnets on single LAN interface?
 Date:  Wed, 07 Mar 2007 11:52:51 -0500
David Burgess wrote:
> On 3/6/07, krt <kkrrtt at gmail dot com> wrote:
>> Short Answer: No
>>
>> Long Answer:
>> You have to route your packets if you do not participate in those
>> subnets with a local interface.
> 
> By "route your packets" are you referring to routing table
> modifications on my client machine? Or routing table modifications to
> the m0n0wall? Because the latter is kind of where I was trying to go,
> and without success.
> 
>> Why not run the DHCP server with a range of IP addresses from the
>> 172.16.0.0/16 that you've reserved as the "DHCP RANGE" and that you will
>> not and do not have current static assignments in?
> 
> This is an option, but it means lots and lots of people not having
> internet access until they renew their dhcp lease, which in many cases
> would mean a week up to a month without internet. And no, most of
> these people aren't savvy enough to try that on their own, and no, I
> won't be fielding all the angry phone calls. So basically it's not a
> very practical option for us.


A reboot will immediately fix that, since the computer will come up,
request its old lease, be NAK'ed by the DHCP server, request a new
lease and be offered one on the 172.16.0.0/16 subnet.


> Am I misinterpreting the function of a static route here?

Yes.  A static route tells the computer (or piece of hardware equipment)
where to send packets that are NOT on its own subnet (Think gateway,
think router).

This will NOT work in your current case because you do not have a
gateway on the 172.16.0.0/16 network, and your m0n0wall does not know
where to send traffic destined for 172.16.0.0/16 to.

A quick (but WRONG) solution would be to add 172.16.0.0/16 IP aliases to
your client machines. DO NOT DO THIS. I am in the middle of a project
cleaning up a client's site that grew in the manner yours appears to be
moving. Fixing this at a later time is a PITA. Trust me. :)

Another quick but bad [IMHO] option is to have all of your 300+ clients
on the same network as your servers and your m0n0wall.

> So is there a really long answer that wasn't included in the first
> response? I'm not averse to reading up if there's a way to do this.
> I'm just not finding anything really relevant in my searches so far.

Yes. There is a long answer.


** WARNING... LONG ANSWER(S) FOLLOW **

The way you are doing it now (having two or more subnets on the same
wire) is not good networking practice and must [IMHO] be immediately
changed to a more appropriate network configuration.

You have several good options, and a couple wrong options. Two wrong
options were listed above, and two good options are described below.



See: http://www.revpol.com/images/m0n0-vlans.png while reading below. I
just threw it together so it is not the best you will ever see. :)


OPTION 1: Using Layer 3 Switch (preferred)
------------------------------------------

PROS:

- Wire speed switching between client workstations<->servers<->Firewall
- Pretty simple to configure and manage
- Scalable

CONS:

- More expensive since Layer 3 switches are not cheap
- Generally provides for no firewalling between (infected) clients and
  your servers - but many L3 switches have some filtering capabilities
  that might be of use. It is just that m0n0wall will not be providing
  any firewalling.


STEPS: (generally speaking)
---------------------------
- Sit down and logically divide up your network to represent locations,
  or functions - whichever works best for your situation. (eg: 1st
  floor, 2nd floor etc or accounting, management, etc)

- Configure a DHCP server to serve all of your new networks.

	- Each new segment will have its own IP network.
	(eg: servers = 192.168.0.0/24, accounting=192.168.10.0/24,
	management=192.168.11.0/24 etc)
	- Each network will have its own broadcast address and gateway
	(eg: server bcast = 192.168.0.255, gw = 192.168.0.254)

These are just examples... Use whatever private networks you like or
feel comfortable with. :)

- Purchase a Layer3 switch. Cha-ching

- Configure the switch's VLANS to represent each of your logical
  networks and enable the switch's IP "routing" capability.

- Configure the switch's default gateway to the IP address of your
  m0n0wall's LAN interface.

- Enable DHCP forwarding on the switch and point it at the DHCP server.

- Modify m0n0wall's rules to include rules for the new subnets. You will
  no longer be using the "LAN Network" dropdown selection.  You
  COULD create an alias called "Internal Nets = 192.168.0.0/16" and use
  that for globally allowing/disallowing traffic, or you could create
  aliases for each new subnet to allow for more granularity with what is
  allowed and disallowed.

- Configure servers' static IP addresses to new server subnet, and
  point gateway to the proper gateway for that subnet 192.168.0.254 in
  this example.

- Boot your clients on their new networks, test.



OPTION 2: Using Layer 2 switch plus m0n0wall's VLAN capability
--------------------------------------------------------------

PROS:

- Inexpensive
- Quick and pretty easy to implement
- Ability to firewall between clients<->servers<->Internet

CONS:

- Slow? Might be too slow since all traffic passes to/from m0n0wall
- Not very scalable

STEPS: (generally speaking)

- Sit down and logically divide up your network to represent locations,
  or functions - whichever works best for your situation. (eg: 1st
  floor, 2nd floor etc or accounting, management, etc)

- Purchase a Layer2 switch that provides 802.1q VLAN tagging. Most
  managed switches do.

- Configure the switch's VLANS to represent each of your logical
  networks.

- Configure the ports linking your client networks to be untagged
  members of the VLAN they represent.

- Configure the port where m0n0wall's LAN interface connects to as a
  tagged trunk carrying all of the VLANS you previously defined

- Create the VLANS on the m0n0wall and assign them to its LAN
  interface.

- Configure m0n0wall's DHCP server to serve all of your new networks.
	- Each new segment will have its own IP network.
	(eg: servers = 192.168.0.0/24, accounting=192.168.10.0/24,
	management=192.168.11.0/24 etc)
	- Each network will have its own broadcast address and gateway
	(eg: server bcast = 192.168.0.255, gw = 192.168.0.254)

These are just examples... Use whatever private networks you like or
feel comfortable with. :)

- Modify m0n0wall's rules to include rules for the new subnets. You will
  no longer be using the "LAN Network" dropdown selection.  You
  COULD create an alias called "Internal Nets = 192.168.0.0/16" and use
  that for globally allowing/disallowing traffic, or you could create
  aliases for each new subnet to allow for more granularity with what is
  allowed and disallowed.

- Configure servers' static IP addresses to new server subnet, and
  point gateway to the proper gateway for that subnet 192.168.0.254 in
  this example.

- Boot your clients on their new networks, test.


Having said ALL of that, I am almost 100% positive I remember seeing a
Wiki entry on VLANS and m0n0wall but can not seem to find it... If you
do locate it, it will help you with the actual "step-by-steps" of
configuring option #2.

Either way, you have some work ahead, and possibly some networking
hardware to purchase/configure.

--
Bill Arlofski
Reverse Polarity
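Added illustration, not part of the message above and not m0n0wall project code: the script below takes the example segments from the reply (servers 192.168.0.0/24, accounting 192.168.10.0/24, management 192.168.11.0/24), works out each one's broadcast and .254 gateway, checks that they do not overlap and all fall inside the "Internal Nets = 192.168.0.0/16" alias, and models the static-route point the reply makes: a route for 172.16.0.0/16 does nothing unless its gateway sits on the firewall's own LAN subnet. The gateway addresses used in the route examples (172.16.0.1, 192.168.0.1) and the PLAN/alias names are assumptions constructed for the example.

```python
"""Subnet plan checker and on-link gateway model for the VLAN split
described in the reply. Constructed example; the segment values are the
ones used as examples in the message, the route gateways are made up."""
import ipaddress

# Logical segments as given in the reply (constructed dictionary)
PLAN = {
    "servers": "192.168.0.0/24",
    "accounting": "192.168.10.0/24",
    "management": "192.168.11.0/24",
}
# The "Internal Nets" alias suggested in the reply for the firewall rules
INTERNAL_NETS_ALIAS = "192.168.0.0/16"


def segment_addresses(cidr):
    """Return (network, broadcast, gateway) for one segment.
    Gateway follows the reply's convention: last usable host (.254 in a /24)."""
    net = ipaddress.ip_network(cidr, strict=True)
    last_host = list(net.hosts())[-1]
    return str(net.network_address), str(net.broadcast_address), str(last_host)


def validate_plan(plan, alias_cidr):
    """Check that no two segments overlap and every segment lies inside the
    firewall alias. Returns a list of problem strings; empty means consistent."""
    problems = []
    alias = ipaddress.ip_network(alias_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    for name, net in nets.items():
        if not net.subnet_of(alias):
            problems.append(f"{name} {net} is outside alias {alias}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def next_hop(iface_cidr, routes, destination):
    """Model a host's forwarding decision for one destination.
    iface_cidr: the host's own address with prefix, e.g. "192.168.0.254/24"
    routes: list of (prefix, gateway) static routes, longest prefix wins
    Returns "on-link", "via <gw>", "no route", or the failure the reply
    describes: the matching route names a gateway that is not on-link."""
    iface = ipaddress.ip_interface(iface_cidr)
    dst = ipaddress.ip_address(destination)
    if dst in iface.network:
        return "on-link"
    ordered = sorted(routes,
                     key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
                     reverse=True)
    for prefix, gw in ordered:
        if dst in ipaddress.ip_network(prefix):
            if ipaddress.ip_address(gw) in iface.network:
                return f"via {gw}"
            return f"unreachable: gateway {gw} not on-link"
    return "no route"


if __name__ == "__main__":
    for name, cidr in PLAN.items():
        net, bcast, gw = segment_addresses(cidr)
        print(f"{name:<11} net={net} bcast={bcast} gw={gw}")
    print("plan problems:", validate_plan(PLAN, INTERNAL_NETS_ALIAS) or "none")
    # A static route to 172.16.0.0/16 on a firewall whose LAN is 192.168.0.0/24
    # only works if the route's gateway is itself on 192.168.0.0/24.
    fw = "192.168.0.254/24"
    print(next_hop(fw, [("172.16.0.0/16", "172.16.0.1")], "172.16.5.5"))
    print(next_hop(fw, [("172.16.0.0/16", "192.168.0.1")], "172.16.5.5"))
```

Run it as-is to print the per-segment addresses and the two routing outcomes; feed validate_plan() your own dictionary to catch an overlapping or out-of-alias segment before you touch the switch.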