 From:  Brian Lloyd <brian at lloyd dot com>
 To:  Daniel Jokinen <daniel dot jokinen at linford dot se>
 Cc:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] VLANs with seperate WANs
 Date:  Wed, 13 Nov 2013 09:43:30 -0600
On Wed, Nov 13, 2013 at 9:07 AM, Daniel Jokinen
<daniel dot jokinen at linford dot se> wrote:

> I'm telling you, I've been staring at this problem for so long now that I
> swear my brain has turned into a routing policy :) From the research I've
> done, and from what you guys have gathered I have these ideas:
> 1. Connect the two existing routers and static route them to talk to each
> other.
> Benefit: Cheap and simple
> Drawback: Clients can reach each other's network. Unacceptable

That seems to be a simple one to solve. Just put the printer on its own
subnet and allow access from both client networks but not to the client
networks. This policy can be instituted with a private subnet and firewall

> 2. Connect the two existing routers to a third router and restrict access
> between client networks in the "middle" network (where the MFP sits)
> Benefit: Fairly cheap and simple
> Drawback: Crude, but efficient, to quote Seven-of-nine

That works too but you don't really need a third router.

> 3. Buy a PFSense appliance with 5 ports (or a computer with 5 ports)
> Benefit: Great control, fewer units to supervise and definitely a more
> stable solution, also allows each network their own WAN
> Drawback: Costly, and probably time-consuming since I've never done
> anything like it before

Hmm, pfSense is free-to-use like m0n0wall is. And it will run on the same
hardware. OK, so you get a cast-off PC and shove a bunch of NICs in. And if
your ethernet switches support 802.1q VLANs, you can use one physical port
on your m0n0wall devices to create multiple subnet connections. That is
what I do in my house. My m0n0wall device has only two physical ports but I
run several VLANs to segregate traffic and allow me to have different rules
for each subnet on a VLAN.

> 4. Use a mono appliance (or similar) with 3 ports and set up access rules
> Benefit: Somewhat cheap, otherwise as example 3
> Drawback: Networks will share WAN. Unacceptable

Well, three ports *is* easy. And two cast-off PCs to run two different
copies of m0n0wall is pretty cheap.

I guess I am not seeing why this is a difficult problem to solve. But I
have come late-to-the-table.

> 5. Install a print server and enable IPP
> No.
> No.
> I also found out a more or less slaying fact today. One of the WAN
> connections is actually tunneled with IPSEC to the customer's head office,
> and apparently I can't mess with that. Which means I can't change anything
> in that network. Which leaves me with the only choice I get: No. 2 (as long
> as I can at least get into the IPSEC router and set up static routing
> rules). Unless I overlooked something.
> > And for those of you who like internet history stuff, I can tell you a
> > policy routing horror story
> Do tell!

Heh again. Is there general consensus that it would be a reasonable
consumption of bandwidth here to tell the story of how I melted down the
NSFnet 20 years ago?

Brian Lloyd, WB6RQN/J79BPL
706 Flightline Drive
Spring Branch, TX 78070
brian at lloyd dot com
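An added example, not from the thread: a small Python model of the three-VLAN rule set Brian describes (clients on two VLANs, the MFP on a third, first-match interface rules), used to check that both client subnets reach the printer subnet but cannot reach each other. The subnet numbers, VLAN ids and sample hosts are assumptions constructed for the example; a naive "pass any" rule list is shown beside the segmented one.

```python
import ipaddress

# Constructed subnets for the design discussed in the thread (assumed numbering):
# two client networks plus a printer subnet, each on its own 802.1Q VLAN.
CLIENTS_A = ipaddress.ip_network("192.168.10.0/24")  # VLAN 10, first client net
CLIENTS_B = ipaddress.ip_network("192.168.20.0/24")  # VLAN 20, second client net
PRINTER = ipaddress.ip_network("192.168.30.0/24")    # VLAN 30, the MFP
ANY = ipaddress.ip_network("0.0.0.0/0")

def allowed(rules, src, dst):
    """First-match evaluation of an interface rule list.
    Each rule is (action, src_net, dst_net); no match falls through to deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in rules:
        if src in snet and dst in dnet:
            return action == "pass"
    return False

# Naive rule set: every client VLAN keeps a catch-all "pass any to any" rule,
# so the client networks can reach each other (the "Unacceptable" drawback).
NAIVE = [("pass", CLIENTS_A, ANY), ("pass", CLIENTS_B, ANY)]

# Segmented rule set: clients may reach the printer subnet; traffic between the
# client subnets is blocked before the catch-all pass that still permits WAN.
# The printer subnet has no pass rule of its own, so it cannot initiate to clients.
SEGMENTED = [
    ("pass", CLIENTS_A, PRINTER), ("pass", CLIENTS_B, PRINTER),
    ("block", CLIENTS_A, CLIENTS_B), ("block", CLIENTS_B, CLIENTS_A),
    ("pass", CLIENTS_A, ANY), ("pass", CLIENTS_B, ANY),
]

def policy_violations(rules):
    """Return the (src, dst) pairs whose reachability differs from the intended
    policy: both client nets reach the printer, nobody else crosses subnets."""
    checks = [  # (src host, dst host, should be allowed) - constructed samples
        ("192.168.10.5", "192.168.30.10", True),
        ("192.168.20.5", "192.168.30.10", True),
        ("192.168.10.5", "192.168.20.5", False),
        ("192.168.20.5", "192.168.10.5", False),
        ("192.168.30.10", "192.168.10.5", False),
    ]
    return [(s, d) for s, d, want in checks if allowed(rules, s, d) != want]

if __name__ == "__main__":
    print("naive violations:", policy_violations(NAIVE))
    print("segmented violations:", policy_violations(SEGMENTED))
```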