On 2010-11-11 23:46, GD Incorporation wrote:
> So,
>
> You can just use 2 Ethernet Cards. One for WAN, and one for LAN and VLAN? And the switch must also support VLAN? Just to confirm. It seemed that I need to upgrade my current switch to one that supports VLAN.
>
> Thanks
> Rendra
>
> -----Original Message-----
> From: David Burgess [mailto:apt dot get at gmail dot com]
> Sent: Friday, November 12, 2010 10:33 AM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Virtual LAN?
>
> On Wed, Nov 10, 2010 at 8:22 PM, GD Incorporation <rbasuki at gdincorporation dot com> wrote:
>> Hi Guys
>>
>> Can anyone explain to me how to use VLAN in monowall. Do I need a 3rd LAN CARD?

First, please do not top post!

Ok, I can assist you with your need, but first let's define it. What do you want to achieve exactly?

We use VLANs to separate broadcast domains (a switch already separates collision domains). You could see VLANs as separate dumb switches (that don't support VLANs). 2 VLANs on 1 managed switch would be equivalent to 2 physical dumb switches. VLANs are defined at layer 2 of the OSI model.

http://en.wikipedia.org/wiki/OSI_model

Once you have segmented your network with VLANs (or separate physical switches), you need to have a router to route packets between these VLANs and possibly the internet (you control traffic with the monowall firewall via rules). A router operates at layer 3 of the OSI model.

You can hook up a router to a switch and make it operate on many VLANs by using the 802.1Q protocol. This protocol prepends an 802.1Q header tag to each frame that goes out of a port configured to use the 802.1Q protocol. When received by another ethernet interface that operates in 802.1Q mode, the 802.1Q header is checked and removed. The receiver then knows to which VLAN the incoming frame belongs and switches it to the destination port. In case of a broadcast, the receiving switch will forward the frame to every port belonging to the target VLAN and to the other outgoing 802.1Q ports that were configured to pass the current VLAN.

http://en.wikipedia.org/wiki/802.1Q

So in your case, you would probably hook the "LAN" port of your monowall to a managed switch. You need to define the VLANs on your switch. So let's say I define VLAN IDs 1, 2 and 3. After doing that, I configure the switch to operate port 24 in 802.1Q mode. I tell the switch to "propagate" VLANs 1, 2 and 3 through port 24.

For example on an HP ProCurve switch, use commands:

    conf t
    VLAN 1 tagged 24
    VLAN 2 tagged 24
    VLAN 3 tagged 24
    quit
    wr mem    (saves the config to flash to survive reboots!)

Then, I create VLAN IDs 1, 2 and 3 on monowall and assign them to the VLAN port. See pictures URLs:

http://img258.imageshack.us/i/monowallvlan1.png/
http://img703.imageshack.us/i/monowallvlan2.png/
http://img440.imageshack.us/i/monowallvlan3.png/
http://img573.imageshack.us/i/monowallvlan4.png/
http://img51.imageshack.us/i/monowallvlan5.png/
http://img87.imageshack.us/i/monowallvlan6.png/

Hope this helped!

--
Guy Boisvert, ing.
IngTegration inc.
http://www.ingtegration.com

CONFIDENTIALITY NOTICE: Proprietary/Confidential Information belonging to IngTegration Inc. and its affiliates may be contained in this message. If you are not a recipient indicated or intended in this message (or responsible for delivery of this message to such person), or you think for any reason that this message may have been addressed to you in error, you may not use or copy or deliver this message to anyone else. In such case, you should destroy this message and are asked to notify the sender by reply email.
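The tagging and forwarding behaviour described in Guy's reply (an 802.1Q tag inserted after the source MAC, stripped again on receipt, broadcasts flooded to every access port of that VLAN plus every trunk port configured to carry it, and frames tagged with a VLAN the trunk was not configured for being dropped) can be worked through in code. The following Python is an added example written for this page; it is not m0n0wall code, not HP ProCurve code, and not from the list thread. The `VlanSwitch` class, its `vlan_tagged`/`vlan_untagged` methods (named after the ProCurve `VLAN n tagged 24` syntax above), the port numbers and the MAC addresses are all constructed for the example.

```python
import struct

TPID_8021Q = 0x8100       # EtherType value that announces an 802.1Q tag follows
BROADCAST = b"\xff" * 6   # all-ones destination MAC


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Build an Ethernet II frame; when vid is given, insert an 802.1Q tag
    (TPID 0x8100 + 16-bit TCI: 3-bit PCP, 1-bit DEI, 12-bit VLAN ID) after the MACs."""
    frame = dst + src
    if vid is not None:
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return the frame's fields; 'vid' is None for an untagged frame."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:            # tag present: read TCI, then the real EtherType
        (tci,) = struct.unpack("!H", frame[14:16])
        vid = tci & 0x0FFF
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    return {"dst": dst, "src": src, "vid": vid,
            "ethertype": ethertype, "payload": frame[offset:]}


def retag(frame, vid):
    """Rebuild the frame carrying exactly the given tag (vid=None strips the tag)."""
    f = parse_frame(frame)
    return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"], vid)


class VlanSwitch:
    """Toy model of a managed switch: each VLAN behaves like its own dumb switch."""

    def __init__(self):
        self.untagged = {}   # access port -> the single VLAN its frames belong to
        self.tagged = {}     # trunk port  -> set of VLANs it passes with 802.1Q tags

    def vlan_untagged(self, vid, port):
        self.untagged[port] = vid

    def vlan_tagged(self, vid, port):           # mirrors "VLAN <vid> tagged <port>"
        self.tagged.setdefault(port, set()).add(vid)

    def classify(self, in_port, frame):
        """Which VLAN an ingress frame belongs to, or None if it must be dropped."""
        vid = parse_frame(frame)["vid"]
        if vid is None:                         # untagged: use the port's own VLAN
            return self.untagged.get(in_port)
        if vid in self.tagged.get(in_port, set()):
            return vid
        return None                             # tag names a VLAN this trunk does not carry

    def flood(self, in_port, frame):
        """Broadcast handling: egress frames keyed by port, tagged only on trunks."""
        vid = self.classify(in_port, frame)
        out = {}
        if vid is None:
            return out
        for port, pvid in self.untagged.items():
            if port != in_port and pvid == vid:
                out[port] = retag(frame, None)  # access port: tag removed
        for port, vids in self.tagged.items():
            if port != in_port and vid in vids:
                out[port] = retag(frame, vid)   # trunk port: tag carried
        return out


def demo():
    """Ports 1 and 3 in VLAN 2, port 5 in VLAN 3, port 24 trunking VLANs 1-3 (constructed)."""
    sw = VlanSwitch()
    sw.vlan_untagged(2, 1)
    sw.vlan_untagged(2, 3)
    sw.vlan_untagged(3, 5)
    for v in (1, 2, 3):
        sw.vlan_tagged(v, 24)
    host = bytes.fromhex("0200000000a1")                       # constructed MAC
    arp = build_frame(BROADCAST, host, 0x0806, b"\x00" * 28)   # untagged ARP-sized broadcast
    return sw.flood(1, arp)


if __name__ == "__main__":
    for port, egress in sorted(demo().items()):
        print(port, parse_frame(egress)["vid"], egress[:18].hex())
```

Running `demo()` shows a broadcast entering access port 1 leaving port 3 untagged and port 24 with a VLAN 2 tag (4 bytes longer, `81 00` after the MACs), while port 5 in VLAN 3 sees nothing; a frame arriving on the trunk with a VLAN ID that was never configured with `tagged 24` is dropped rather than forwarded.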