Just an idea, perhaps it's a stupid one :)
If you are using private addresses, why don't you just take a big network like
10.x.x.x <----- let's call this "private network"
assign the subnets of the VLANs like
VLAN1: 10.1.1.x <----- let's call this "VLAN1 network"
VLAN2: 10.1.2.x <----- let's call this "VLAN2 network"
VLAN3: 10.1.3.x <----- let's call this "VLAN3 network"
and so on. Now, at every VLAN interface you specify the following rules:
- rule1: block src VLANx network, protocol any, dst "private network"
- rule2: allow src VLANx network, protocol any, dst any
Every packet coming from the VLAN interfaces can go out to internet,
but cannot have a "private" destination.
You can do this if you use public addresses too, just subnet the
addresses in a good way.
Just my 2 cents,
Marco
2007/4/5, freaky at bananateam dot nl <freaky at bananateam dot nl>:
> Hey there,
>
> I've got an issue which should be easily solvable (I think) if m0n0wall
> would like to go in that direction.
>
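The two-rule scheme Marco proposes, as an added first-match simulation that is not part of the thread or of m0n0wall itself. It assumes 10.0.0.0/8 is the "private network", 10.1.N.0/24 is the "VLANN network", the firewall's own address in VLAN1 is 10.1.1.1, and that no matching rule means block; the packets are constructed.

```python
# Added example (not from the mailing-list thread): first-match evaluation of
# the two per-VLAN rules, with assumed addressing 10.0.0.0/8 = "private
# network" and 10.1.N.0/24 = "VLANN network".
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

PRIVATE = ipaddress.ip_network("10.0.0.0/8")  # assumed "private network"


@dataclass(frozen=True)
class Rule:
    action: str                               # "block" or "pass"
    src: ipaddress.IPv4Network                # source network the rule matches
    dst: Optional[ipaddress.IPv4Network]      # destination network, None = any


def vlan_rules(vlan_id: int) -> List[Rule]:
    """Rules on the VLAN<vlan_id> interface, in evaluation order."""
    vlan_net = ipaddress.ip_network(f"10.1.{vlan_id}.0/24")
    return [
        Rule("block", vlan_net, PRIVATE),  # rule1: no "private" destinations
        Rule("pass", vlan_net, None),      # rule2: everything else (internet)
    ]


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """First matching rule wins; default is block when nothing matches (assumed)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and (r.dst is None or d in r.dst):
            return r.action
    return "block"


def isolation_check() -> Dict[str, str]:
    """Constructed packets from a VLAN1 host (10.1.1.20) to several destinations."""
    rules = vlan_rules(1)
    host = "10.1.1.20"
    return {
        "vlan2_host": evaluate(rules, host, "10.1.2.20"),     # other VLAN: block
        "internet": evaluate(rules, host, "198.51.100.7"),    # public: pass
        # The firewall's own VLAN1 address (assumed 10.1.1.1) is inside the
        # "private network", so rule1 also blocks it; services the firewall
        # offers on that address (e.g. a DNS forwarder) would need a pass
        # rule placed before rule1.
        "own_gateway": evaluate(rules, host, "10.1.1.1"),     # block
    }
```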