 From:  krt <kkrrtt at gmail dot com>
 To:  "Christopher M. Iarocci" <iarocci at eastendsc dot com>
 Cc:  XXX xxx xxx XXX xxx <secure dot boy at hotmail dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Can i use this kind of hardware
 Date:  Sat, 28 Apr 2007 09:35:40 -0700
A m0n0wall with a single NIC can function as a routing/NATing device, yes.

A couple of reasons why a single NIC setup is important would be 
equipment limitations or to play around with it.  There are probably 
other reasons as well; there are over six billion folks on this planet...

Basically, switch ports can be expensive, especially if you don't happen 
to live in the world of disposable digital cameras and "low priced" 
$20,000 automobiles.  Sometimes PCs don't have expansion capabilities, 
especially the form-factor desirable little units, which otherwise make 
great m0n0walls.

I'd rather use trunking than a USB NIC.  I'd rather use multiple network 
interfaces on a single card than any other solution to the problem, if 
possible.



802.1Q itself is generally a security problem if your segments are 
unprotected.  The question comes into play with the switch that 802.1Q 
is used on - a lot of switches fall back to stupid hub mode when they 
get very confused...  and then there's the old packet-hijacking 
argument, where you could encapsulate the correct VLAN tags on your 
packets and hope that you've got some very packet-forwarding happy 
devices that aren't terribly keen on reassembling headers...



If you're worried about 802.1Q, then you probably need to go about 
divvying up a lot of your Layer-2 infrastructure.  A separate switch or 
no switch at all for the Internet side (direct cable), separate switches 
for the LAN sides, etc.

Basically, 802.1Q does not defeat having a firewall in and of itself, 
but I agree - this is not usually a practical solution.  That being 
said, it's probably better than new versions.

The single NIC setup has been supported for a while to my knowledge.  It 
certainly works on 1.2x at this time.

There are other firewall products on the market that whine about single 
NICs and will refuse to go to the next step - one of them rhymes with 
Peck Choint.




Christopher M. Iarocci wrote:
> So you're saying you can have a m0n0wall with only a single NIC that can 
> route traffic for you?  1 single NIC can be WAN and LAN and OPT1, etc?  
> Why?  If you can do this with m0n0wall, you should not be able to 
> because 802.11Q is not secure enough to separate the traffic.  It 
> defeats having a firewall.
> 
> I seem to remember in the past people not being able to connect to the 
> LAN interface of the m0n0 because they didn't have 2 physical NICs in 
> the machine.  Maybe that has changed in newer versions?
> 
> Chris
> 
> krt wrote:
>> m0n0wall most certainly supports trunking with a single physical NIC. 
>> You can setup VLAN tagged interfaces during the initial interface 
>> assignment dialog.
>>
>>
>>
>>
>> Christopher M. Iarocci wrote:
>>> No you can not do this.  m0n0wall will not allow a single NIC.
>>>
>>> Chris
>>>
>>> XXX xxx xxx XXX xxx wrote:
>>>> I have one old PC with 233MHz (512KB L2) 64MB RAM and only one open 
>>>> PCI slot.
>>>> I have an Intel Pro 100 NIC card; can I use this card with a Linksys 
>>>> SRW208 (managed switch)?
>>>> In m0n0 I want to have 1 WAN, 1 LAN, 1 opt, etc.
>>>> Can I do this tagging?
>>>>
>>>> dejan
>>>>
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
> 
> 
>
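
An added example, not part of the original thread: a check a defender could run over frames captured on the trunk port between the switch and a single-NIC m0n0wall, flagging frames that carry stacked VLAN tags or a VLAN ID outside the configured set. The VLAN IDs 10/20/30, the function names and the sample frames are assumptions constructed for illustration.

```python
import struct

# TPIDs that introduce a VLAN tag: 802.1Q C-tag and 802.1ad S-tag.
TPIDS = (0x8100, 0x88A8)
# Assumed VLAN plan for the single-NIC firewall (constructed values).
ALLOWED = {10, 20, 30}  # WAN, LAN, OPT1

def vlan_tags(frame):
    """Return the VLAN IDs of all tags stacked after the two MAC addresses."""
    tags, off = [], 12
    while len(frame) >= off + 2:
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid not in TPIDS:
            break
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append(tci & 0x0FFF)  # low 12 bits of the TCI hold the VLAN ID
        off += 4
    return tags

def check_frame(frame, allowed=ALLOWED):
    """Classify one frame captured on the trunk port."""
    if len(frame) < 14:
        return "malformed"
    try:
        tags = vlan_tags(frame)
    except ValueError:
        return "malformed"
    if not tags:
        return "untagged"
    if len(tags) > 1:
        return "stacked-tags"  # more than one tag: not expected on this trunk
    if tags[0] not in allowed:
        return "unexpected-vlan"
    return "ok"

def build(tags, ethertype=0x0800):
    """Build a constructed sample frame; tags is a list of (tpid, tci)."""
    hdr = b"\xff" * 6 + bytes.fromhex("020000000001")
    for tpid, tci in tags:
        hdr += struct.pack("!HH", tpid, tci)
    return hdr + struct.pack("!H", ethertype) + b"\x00" * 46

if __name__ == "__main__":
    for name, tags in [("lan", [(0x8100, 20)]), ("double", [(0x8100, 1), (0x8100, 20)]),
                       ("stray", [(0x8100, 99)]), ("plain", [])]:
        print(name, check_frame(build(tags)))
```

Anything other than "ok" on a trunk that should only carry the three configured VLANs is worth a look at the switch port configuration.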