[ previous ] [ next ] [ threads ]
 From:  freaky at bananateam dot nl
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  VLAN's and separating traffic
 Date:  Thu, 05 Apr 2007 15:47:57 +0200 (CEST)
Hey there,

I've got an issue which should be easily solvable (I think) if m0n0wall
would like to go in that direction.

First I'll kind of give an explanation what we like/need in order for your

The company I work for does hosting (applications/terminals) for the SMB.
This means we have servers running for customers in their own VLAN's. We
also have a SSL-VPN appliance which doesn't have support for VLAN's. In
the future the SSL-VPN appliance will be replaced by it's expensive big
brother which does.

So we would like m0n0wall to do the routing this would mean:

* Allow the VLAN's to access the internet
* Route the VPN to the VLAN based on source (customer x should be able to
route to customer y's vlan)
* VLAN's should not be allowed to communicate between each other, unless
specifically allowed.

As we are starting up and have quite some prospects, the number of VLAN's
will be growing quite rapidly (or so we hope). And this is were the
problem lies.

I think I can narrow the issue down to the fact there is no option to
specifiy the destination interface. Normally one would create a rule 'src
interface vlan x, src subnet vlan x, destination any, protocol any allow'
to give the vlan's internet access. This will however also allow them to
communicate between each other, which is exactly what we don't want.

Now you could a deny rule on every vlan for every other vlan, but this
will become an administrative nightmare very soon. Next to that, with
every new vlan this will become more and more unmanagable.

Now I'm only familiar with linux myself. In linux (iptables to be exact)
this would easily be solved by adding a '-o <dest interface>' to the
firewall rule. Doubt this would be any different in *BSD.

This raises quite a few questions:

* Are there people willing to implement it?
* Is it going to cause trouble with other parts of the m0n0wall scripts
* I don't mind looking into doing it (not really a programmer nor a *BSD
guy), would it be much work?
* Does it fit in the m0n0wall project targets, etc.
* Is the m0n0wall community interested in such a feature (atleast 1 guy I
spoke to on #m0n0wall/freenode is I guess, he's doing it with the deny
rules now but also found it quite hard to manage).

Would also like to point out that although I like m0n0wall as a product I
find it very strange it would allow traffic between vlan's this easily.
I'd like to think they weren't separated for nothing and like to keep it
that way :). Then again, it isn't really the area the product is targeted

Any comments/suggestions are very welcome.

In any case, thanks for the great product and keep up the good work.