 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Beta 1.3b17 released
 Date:  Sun, 16 Aug 2009 03:22:20 -0400
On Sun, Aug 16, 2009 at 3:11 AM, Mohammed Ismail <m dot ismael at gmail dot com> wrote:
> But I did try it under FreeBSD 6.4
> With ISC DHCP Server 3.0
> And I got 192.168.1.150/32 subnet with gateway 192.168.1.1
> And it was working with no problem.
> I know from the beginning that you cannot put a different subnet than the
> gateway's mask, but it seems Windows does not allow this, but it could be
> assigned remotely via DHCP,
> although you can assign a static route via DHCP ..
>

Windows doesn't care about it; if it can ARP the IP, it'll use it as
its gateway. Other OSes will not do this, your network will not be
usable with FreeBSD for sure (it refuses to add a clearly invalid
default gateway), and likely others as well. It's ugly, don't do it.
It's not solving anything you think it might be solving. Your biggest
issue with internal untrusted clients is going to be ARP poisoning
(whether done in an automated fashion by malware on users' PCs or by
an attacker), which this isn't going to do anything to address, and is
one example of many of why you need a real solution here. Because the
problem is inside your network, m0n0wall isn't part of the solution as
it can't control these things (aside from the likely infeasible option
of splitting each user onto their own VLAN trunked to m0n0wall).
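The on-link check behind Chris's point (a strict stack such as FreeBSD refuses a default gateway that is not inside the client's own subnet, while a permissive one accepts it if the router answers ARP), as an added example that is not code from the thread or from m0n0wall. The lease values are the ones Mohammed quoted; the `strict` flag and the function names are assumptions for illustration.

```python
import ipaddress


def gateway_on_link(address: str, netmask: str, router: str) -> bool:
    """True if the router option lies inside the client's directly connected subnet.

    ipaddress accepts a dotted netmask after the slash, so
    '192.168.1.150/255.255.255.255' yields the host-only network 192.168.1.150/32.
    """
    iface = ipaddress.ip_interface(f"{address}/{netmask}")
    return ipaddress.ip_address(router) in iface.network


def default_route_installed(address: str, netmask: str, router: str,
                            strict: bool = True) -> bool:
    """Model whether a DHCP client would install the offered default route.

    strict=True  : FreeBSD-style behaviour, the route is rejected when the
                   gateway is off-link (the 'clearly invalid default gateway').
    strict=False : Windows-style behaviour, the route is accepted as long as
                   the gateway is reachable by ARP (assumed reachable here,
                   since the /32 trick relies on exactly that).
    """
    if gateway_on_link(address, netmask, router):
        return True
    return not strict


def audit_lease(address: str, netmask: str, router: str) -> dict:
    """Summarise one DHCP offer for both client behaviours."""
    return {
        "on_link": gateway_on_link(address, netmask, router),
        "freebsd_usable": default_route_installed(address, netmask, router, strict=True),
        "windows_usable": default_route_installed(address, netmask, router, strict=False),
    }


if __name__ == "__main__":
    # Constructed offers: the /32 lease from the thread and a normal /24 lease.
    for offer in (("192.168.1.150", "255.255.255.255", "192.168.1.1"),
                  ("192.168.1.150", "255.255.255.0", "192.168.1.1")):
        print(offer, audit_lease(*offer))
```

Note that even in the permissive case the /32 mask changes nothing at layer 2: the client still ARPs for the gateway on the shared segment, so a poisoned ARP reply succeeds exactly as it would with a /24 lease.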