 From:  Lonnie Abelbeck <lists at lonnie dot abelbeck dot com>
 To:  m0n0wall List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Bypass firewall rules for traffic on the same interface
 Date:  Wed, 14 Mar 2007 21:40:51 -0500
Thanks to Chris B's encouragement, I have reworked my network to not  
rely on the "Bypass firewall rules..." crutch.

Short answer, I moved my OpenVPN server to a new interface where it  
is the only host on that interface.  Since there are no other hosts  
(other than the gateway) to access, there is no subnet-1 (OpenVPN  
virtual subnet) to subnet-2 (interface subnet) access.  All routes  
include a pass through two DIFFERENT interfaces on the m0n0wall.

I used an HP Procurve 1800-8G switch with my net4801, to create a  
VLAN trunk on the sis2 ethernet port.  This is my first experience  
with vlans... now I have four vlans isolating my asterisk/SIP phones,  
wifi wireless, openvpn server, and switch management.  Defining the  
vlans on the Procurve was very straightforward with its web interface.

m0n0wall continues to impress me... truly a rock solid tool.

Lonnie

On Mar 11, 2007, at 2:30 PM, Lonnie Abelbeck wrote:

> Chris,
>
> So, are you saying that if I *have* to put multiple subnets on the  
> LAN segment, I should expect the firewall rules anomalies I have  
> encountered and simply check "Bypass firewall rules..." to
> short-circuit those anomalies?
>
> In my OpenVPN server application, I am not aware of any other way  
> to configure things other than creating multiple subnets on a  
> segment, i.e. the OpenVPN server acting as a gateway to the virtual  
> subnet.
>
> I appreciate the guidance.
>
> Lonnie
>
> On Mar 11, 2007, at 11:00 AM, Chris Buechler wrote:
>
>> On 3/10/07, Lonnie Abelbeck <lists at lonnie dot abelbeck dot com> wrote:
>>>
>>> I am quite satisfied keeping "Bypass firewall rules..." checked, but
>>> I want to understand why m0n0wall is dropping LAN subnet1 to LAN
>>> subnet2 traffic in the firewall.
>>>
>>
>> Because you're doing this:
>>
>>> The question centers around having multiple subnets on a single
>>> interface.
>>
>> And have been told you shouldn't do this and there can be undesirable
>> consequences or other problems. Case in point - this, and potentially
>> other things as well.
>>
>> -Chris
>>
>
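The thread never spells out why a stateful firewall drops subnet1-to-subnet2 traffic when both subnets sit on one interface, so here is an added illustration (not code from the thread, from m0n0wall, or from pf). It models the situation Lonnie describes: the OpenVPN server is a LAN host, so packets from the VPN virtual subnet reach other LAN hosts directly on the segment, while the replies go via the LAN host's default gateway, i.e. the firewall, which is then the only half of the conversation the state table ever sees. The addresses, the interface names `lan` and `ovpn`, the three-step handshake tracker and the way the "Bypass firewall rules..." checkbox is modelled are all constructed assumptions.

```python
"""Toy model of why a stateful filter drops traffic between two subnets that
share one interface, and why moving one subnet to its own interface fixes it.
Added illustration: not m0n0wall or pf code. All addresses, interface names
and the simplified TCP state tracking are constructed assumptions."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str          # "SYN", "SYN-ACK" or "ACK" (assumed three-step handshake)
    in_iface: str       # interface the firewall would receive it on
    out_iface: str      # interface the firewall would forward it out of
    seen: bool = True   # False = delivered directly on the segment, never reaches the firewall


class StatefulFilter:
    """Minimal TCP state tracker: a flow must be observed SYN -> SYN-ACK -> ACK,
    in order; a packet with no matching state that is not a SYN is dropped."""

    NEXT = {"SYN_SEEN": ("SYN-ACK", "SYNACK_SEEN"),
            "SYNACK_SEEN": ("ACK", "ESTABLISHED"),
            "ESTABLISHED": ("ACK", "ESTABLISHED")}

    def __init__(self, bypass_same_interface=False):
        self.bypass_same_interface = bypass_same_interface
        self.states = {}

    @staticmethod
    def _key(pkt):
        return frozenset((pkt.src, pkt.dst))

    def filter(self, pkt):
        """Return the verdict for one packet: 'unseen', 'pass' or 'drop'."""
        if not pkt.seen:
            return "unseen"
        # Assumed model of the m0n0wall checkbox: traffic entering and leaving
        # on the same interface skips the state table and is passed statelessly.
        if self.bypass_same_interface and pkt.in_iface == pkt.out_iface:
            return "pass"
        key = self._key(pkt)
        state = self.states.get(key)
        if state is None:
            if pkt.flags == "SYN":
                self.states[key] = "SYN_SEEN"
                return "pass"
            return "drop"       # mid-stream packet with no state: asymmetric path
        expected_flags, next_state = self.NEXT[state]
        if pkt.flags != expected_flags:
            return "drop"       # out of sequence for the tracked state
        self.states[key] = next_state
        return "pass"


VPN_CLIENT = "10.8.0.10"     # constructed: host on the OpenVPN virtual subnet
LAN_HOST = "192.168.1.50"    # constructed: ordinary host on the LAN subnet


def same_interface_handshake():
    """Both subnets live behind 'lan'. The OpenVPN server is itself a LAN host,
    so it delivers the client's SYN (and later ACK) to LAN_HOST directly on the
    segment. LAN_HOST's default gateway is the firewall, so only the SYN-ACK
    arrives there, to be routed back out the same interface."""
    return [
        Packet(VPN_CLIENT, LAN_HOST, "SYN", "lan", "lan", seen=False),
        Packet(LAN_HOST, VPN_CLIENT, "SYN-ACK", "lan", "lan"),
        Packet(VPN_CLIENT, LAN_HOST, "ACK", "lan", "lan", seen=False),
    ]


def separate_interface_handshake():
    """OpenVPN server moved to its own interface 'ovpn': every packet between
    the two subnets now crosses the firewall, in both directions."""
    return [
        Packet(VPN_CLIENT, LAN_HOST, "SYN", "ovpn", "lan"),
        Packet(LAN_HOST, VPN_CLIENT, "SYN-ACK", "lan", "ovpn"),
        Packet(VPN_CLIENT, LAN_HOST, "ACK", "ovpn", "lan"),
    ]


def run(packets, bypass_same_interface=False):
    """Feed a packet sequence through a fresh filter and return the verdicts."""
    fw = StatefulFilter(bypass_same_interface)
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    print("same interface, stateful   :", run(same_interface_handshake()))
    print("same interface, bypass box :", run(same_interface_handshake(), True))
    print("separate interfaces        :", run(separate_interface_handshake()))
```

In the single-interface case the only packet the filter sees is the SYN-ACK, which matches no state and is dropped; the bypass checkbox makes it pass only by giving up state tracking for that traffic. With the OpenVPN server on its own interface the filter sees all three packets in order and the flow becomes established, which is the property Lonnie's VLAN layout restores.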