 From:  Daniel Jokinen <daniel dot jokinen at linford dot se>
 To:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] VLANs with seperate WANs
 Date:  Wed, 13 Nov 2013 16:07:02 +0100
I'm telling you, I've been staring at this problem for so long now that I swear my brain has turned
into a routing policy :) From the research I've done, and from what you guys have gathered I have
these ideas:

1. Connect the two existing routers and static route them to talk to each other.
Benefit: Cheap and simple
Drawback: Clients can reach each other's network. Unacceptable

2. Connect the two existing routers to a third router and restrict access between client networks in
the "middle" network (where the MFP sits)
Benefit: Fairly cheap and simple
Drawback: Crude, but efficient, to quote Seven-of-nine

3. Buy a pfSense appliance with 5 ports (or a computer with 5 ports)
Benefit: Great control, fewer units to supervise and definitely a more stable solution, also allows
each network their own WAN
Drawback: Costly, and probably time-consuming since I've never done anything like it before

4. Use a mono appliance (or similar) with 3 ports and set up access rules
Benefit: Somewhat cheap, otherwise as example 3
Drawback: Networks will share WAN. Unacceptable

5. Install a print server and enable IPP
No.
No.

I also found out a more or less slaying fact today. One of the WAN connections is actually tunneled
with IPsec to the customer's head office, and apparently I can't mess with that. Which means I can't
change anything in that network. Which leaves me with the only choice I get: No. 2 (as long as I can
at least get into the IPsec router and set up static routing rules). Unless I overlooked something.

> And for those of you who like internet history stuff, I can tell you a policy routing horror story

Do tell!

/Daniel