 From:  "Marco Simioni" <m dot simioni at gmail dot com>
 To:  "freaky at bananateam dot nl" <freaky at bananateam dot nl>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] VLAN's and separating traffic
 Date:  Fri, 6 Apr 2007 20:39:54 +0200
Just an idea, perhaps it's a stupid one :)

If you are using private addresses, why don't you just take a big network like
10.x.x.x <----- let's call this "private network"
assign the subnets of the VLANs like
VLAN1: 10.1.1.x <----- let's call this "VLAN1 network"
VLAN2: 10.1.2.x <----- let's call this "VLAN2 network"
VLAN3: 10.1.3.x <----- let's call this "VLAN3 network"

and so on. Now, at every VLAN interface you specify the following rules:
- rule1: block src VLANx network, protocol any, dst "private network"
- rule2: allow src VLANx network, protocol any, dst any

Every packet coming from the VLAN interfaces can go out to internet,
but cannot have a "private" destination.
You can do this if you use public addresses too, just subnet the
addresses in a good way.

Just my 2 cents,

2007/4/5, freaky at bananateam dot nl <freaky at bananateam dot nl>:
> Hey there,
> I've got an issue which should be easily solvable (I think) if m0n0wall
> would like to go in that direction.
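The two-rule scheme from the mail above, simulated as an added example (not part of the original message or of m0n0wall): a first-match rule evaluator over the VLAN1 rule set, using the 10.1.x.x subnets from the mail and constructed test packets (203.0.113.10 is a documentation address standing in for an internet host).

```python
import ipaddress
from dataclasses import dataclass

# The "private network" from the mail: the whole 10/8 range.
PRIVATE_NET = ipaddress.ip_network("10.0.0.0/8")
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                     # "block" or "pass"
    src: ipaddress.IPv4Network      # source network the rule matches
    dst: ipaddress.IPv4Network      # destination network the rule matches


def vlan_rules(vlan_net: str) -> list:
    """Build the two per-interface rules exactly as the mail describes:
    rule 1 blocks anything from this VLAN toward the private 10/8 range,
    rule 2 then lets the remaining (non-private) traffic out."""
    src = ipaddress.ip_network(vlan_net)
    return [
        Rule("block", src, PRIVATE_NET),
        Rule("pass", src, ANY_NET),
    ]


def evaluate(rules: list, src_ip: str, dst_ip: str) -> str:
    """First-match evaluation, as a stateless packet filter on the VLAN
    interface would do; a packet matching no rule is blocked (default deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action
    return "block"


# Rule set for the VLAN1 interface (10.1.1.x in the mail).
VLAN1_RULES = vlan_rules("10.1.1.0/24")


def swapped_order_result() -> str:
    """Same two rules with rule 2 first: shows why the order matters."""
    return evaluate(list(reversed(VLAN1_RULES)), "10.1.1.20", "10.1.2.5")


if __name__ == "__main__":
    # Constructed packets: VLAN1 host to VLAN2, to the internet, to its own gateway.
    for dst in ("10.1.2.5", "203.0.113.10", "10.1.1.1"):
        print(f"10.1.1.20 -> {dst}: {evaluate(VLAN1_RULES, '10.1.1.20', dst)}")
    print("rules swapped, VLAN1 -> VLAN2:", swapped_order_result())
```

Note that rule 1 as written also blocks packets to the firewall's own interface address inside 10/8 (the 10.1.1.1 case), so if the firewall provides DNS or DHCP on a VLAN, a pass rule to that address has to come before it. Swapping the two rules lets VLAN-to-VLAN traffic through, which is why rule 1 must stay first.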