[ previous ] [ next ] [ threads ]
 
 From:  Brian Lloyd <brian at lloyd dot com>
 To:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] VLANs with seperate WANs
 Date:  Wed, 13 Nov 2013 08:36:16 -0600
On Wed, Nov 13, 2013 at 2:08 AM, Daniel Jokinen
<daniel dot jokinen at linford dot se>wrote:

> > why not put the printer into a dmz that can be reached from both subnets?
>
> Because there is no connectivity between the two networks today, at all.
> Your idea would work, but I first need to connect the two networks.
>

That does seem to be a good solution. I have had to use it in the past. And
if there is no good way to get direct connectivity you can tunnel between
the two networks internal subnets using IPSEC. That is useful for sharing
private address space between geographically-separated facilities. Just
make sure to use traffic-shaping to prioritize the printer traffic that has
to traverse the tunnel so it doesn't impact latency-sensitive traffic.

But it would also be nice to be able to set up policy forwarding rules too.
In a statically-routed environment such as what we have with most
small-to-medium-sized enterprises you may actually want to forward to
different networks based on source address or other data contained in the
IP, transport, or application header. I was able to do that in IPv4
networks using Riverstone's routers (Riverstone was acquired by Lucent).
They used the same packet inspection engine to not only make
forward/don't-forward decisions (firewall), but also where to forward and
how much to forward, which made it useful for traffic shaping,
load-balancing, inverse multiplexing, policy routing, etc. And because it
used content-addressable memory to do the packet inspection, the routers
could do all this at wire speed. But with enough processing power one could
do this in software if one were doing it for only a few ports.

And for those of you who like internet history stuff, I can tell you a
policy routing horror story from the early days of the transition from the
government-funded NSFnet to the commercial Internet of today. Interesting,
sort-of funny, and a bit hair-raising at the same time. I participated and
sort-of caused the problem. ;-)

-- 
Brian Lloyd, WB6RQN/J79BPL
706 Flightline Drive
Spring Branch, TX 78070
brian at lloyd dot com
+1.916.877.5067