 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Two Lan Subnets / One with DHCP Server
 Date:  Wed, 27 Aug 2003 11:46:56 -0700 (PDT)
On Wed, 27 Aug 2003, Greg Sims wrote:

> Let's see if I can give you a better idea of the goal here ...
> We'd like to have two subnets called: "equipment" and "client".

Using multiple subnets on the same physical interface gives you all the
connectivity of separate links and all the security of a single link. :-)

> The equipment subnet has all the network equipment attached.  The addresses
> on this subnet will be statically assigned.   The subnet will have no
> bandwidth limitations. m0n0wall needs to be part of this subnet for web
> access.
> The clients attach to the client subnet.  The addresses on this subnet need
> to be DHCP as the client population changes from day to day.  We will give
> everyone on the subnet the same bandwidth limitation.

Both DHCP and bandwidth allocation can be done on address blocks which are
unrelated to subnets.

> The equipment and client subnets will both use m0n0wall as their gateway.
> m0n0wall will use the WAN NIC to attach to the Internet.  There will be no
> routing between the equipment and client subnets to keep them as separate as
> possible.

If "separate" is for security reasons, then forget it.  There's no
security on Ethernet.  If it's for bandwidth reasons, then you've still
got something physically shared, with nothing other than "following the
rules" to keep something from being a hog.

The only straightforward way to set this up as proposed would be to give
the m0n0wall IP addresses in both subnets.  This is supported by the
underlying software, but AFAIK m0n0wall doesn't support interface aliases.

There are other ways involving additional routing entries, but that
requires setup on other machines as well as the router.

> I would like to do this with two NICs if possible but I am willing to use
> three NICs if this is the only way with m0n0wall.

That's the only way you'll get them truly "separate", regardless of

					Fred Wright
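As an added illustration of the points raised in this thread (this is example code, not part of the mailing-list post and not m0n0wall's own software), the following Python sketches a small sanity checker for a proposed two-subnet layout. It verifies that each subnet's gateway, static addresses and DHCP pool are consistent, that the pool does not swallow statically assigned hosts, and, most importantly here, it flags the case where both subnets ride on the same NIC, because in that case router rules between them are only advisory: hosts on one broadcast domain can reach each other without the router ever seeing the packets. The subnet names, interface names ("LAN", "OPT1") and RFC 1918 addresses are constructed for the example.

```python
"""Sanity-check a proposed multi-subnet layout for a small router/firewall.

Example code written for this discussion; it models the layout only and
does not configure anything.  Interface names and addresses are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from itertools import combinations
from typing import List, Optional, Tuple


@dataclass
class Subnet:
    name: str
    network: IPv4Network
    gateway: IPv4Address                      # router's address inside this subnet
    interface: str                            # physical NIC carrying the subnet
    dhcp_pool: Optional[Tuple[IPv4Address, IPv4Address]] = None
    static_hosts: List[IPv4Address] = field(default_factory=list)


def check_layout(subnets: List[Subnet]) -> List[str]:
    """Return a list of human-readable problems; empty means the layout is sound."""
    problems: List[str] = []

    # Per-subnet addressing checks.
    for s in subnets:
        if s.gateway not in s.network:
            problems.append(f"{s.name}: gateway {s.gateway} is not inside {s.network}")
        for h in s.static_hosts:
            if h not in s.network:
                problems.append(f"{s.name}: static host {h} is not inside {s.network}")
        if s.dhcp_pool is not None:
            lo, hi = s.dhcp_pool
            if lo > hi or lo not in s.network or hi not in s.network:
                problems.append(f"{s.name}: DHCP pool {lo}-{hi} is not a range inside {s.network}")
            # A pool that overlaps fixed addresses leads to duplicate-address trouble.
            for h in s.static_hosts + [s.gateway]:
                if lo <= h <= hi:
                    problems.append(f"{s.name}: address {h} collides with DHCP pool {lo}-{hi}")

    # Cross-subnet checks.
    for a, b in combinations(subnets, 2):
        if a.network.overlaps(b.network):
            problems.append(f"{a.name}/{b.name}: networks {a.network} and {b.network} overlap")
        if a.interface == b.interface:
            # Same NIC means one broadcast domain: traffic between the two
            # subnets need not pass the router, so its rules cannot enforce separation.
            problems.append(
                f"{a.name}/{b.name}: both ride on {a.interface}; hosts share one "
                f"broadcast domain, so router rules between them are not enforced"
            )
    return problems


def _equipment(interface: str) -> Subnet:
    return Subnet(
        name="equipment",
        network=IPv4Network("192.168.10.0/24"),
        gateway=IPv4Address("192.168.10.1"),
        interface=interface,
        static_hosts=[IPv4Address("192.168.10.10"), IPv4Address("192.168.10.11")],
    )


def _client(interface: str) -> Subnet:
    return Subnet(
        name="client",
        network=IPv4Network("192.168.20.0/24"),
        gateway=IPv4Address("192.168.20.1"),
        interface=interface,
        dhcp_pool=(IPv4Address("192.168.20.100"), IPv4Address("192.168.20.200")),
    )


def shared_lan_layout() -> List[Subnet]:
    """Both subnets on the one LAN NIC (the two-NIC proposal)."""
    return [_equipment("LAN"), _client("LAN")]


def separate_nic_layout() -> List[Subnet]:
    """Each subnet on its own NIC (the three-NIC alternative)."""
    return [_equipment("LAN"), _client("OPT1")]


if __name__ == "__main__":
    for label, layout in (("two NICs", shared_lan_layout()), ("three NICs", separate_nic_layout())):
        print(f"{label}: {check_layout(layout) or 'no problems found'}")
```

Running it reports exactly one problem for the two-NIC layout (the shared broadcast domain) and none for the three-NIC layout, which is the thread's conclusion in checkable form: DHCP scope and bandwidth rules can be expressed per address block either way, but separation the router can actually enforce needs separate physical interfaces.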