 
 From:  "Frans J King" <kingf1 at cs dot man dot ac dot uk>
 To:  "'Fred Wright'" <fw at well dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Two Lan Subnets / One with DHCP Server
 Date:  Wed, 27 Aug 2003 19:51:01 +0100
> Both DHCP and bandwidth allocation can be done on address blocks which
> are unrelated to subnets

Indeed, but I think Greg is looking for physically separate subnets, which
as far as I know means 3 NICs.

Regards,

Frans


-----Original Message-----
From: Fred Wright [mailto:fw at well dot com] 
Sent: 27 August 2003 19:47
To: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Two Lan Subnets / One with DHCP Server


On Wed, 27 Aug 2003, Greg Sims wrote:

> Let's see if I can give you a better idea of the goal here ...
> 
> We'd like to have two subnets called: "equipment" and "client".

Using multiple subnets on the same physical interface gives you all the
connectivity of separate links and all the security of a single link.
:-)

> The equipment subnet has all the network equipment attached.  The
> addresses on this subnet will be statically assigned.   The subnet will
> have no bandwidth limitations. m0n0wall needs to be part of this subnet
> for web access.
> 
> The clients attach to the client subnet.  The addresses on this subnet
> need to be DHCP as the client population changes from day to day.  We
> will give everyone on the subnet the same bandwidth limitation.


> The equipment and client subnets will both use m0n0wall as their
> gateway. m0n0wall will use the WAN NIC to attach to the Internet.  There
> will be no routing between the equipment and client subnets to keep them
> as separate as possible.

If "separate" is for security reasons, then forget it.  There's no
security on Ethernet.  If it's for bandwidth reasons, then you've still
got something physically shared, with nothing other than "following the
rules" to keep something from being a hog.

The only straightforward way to set this up as proposed would be to give
the m0n0wall IP addresses in both subnets.  This is supported by the
underlying software, but AFAIK m0n0wall doesn't support interface
aliases.

There are other ways involving additional routing entries, but that
requires setup on other machines as well as the router.

> I would like to do this with two NICs if possible but I am willing to
> use three NICs if this is the only way with m0n0wall.

That's the only way you'll get them truly "separate", regardless of
software.

					Fred Wright
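The point Fred makes above (two IP subnets on one Ethernet segment are not isolated, because a "no routing between subnets" rule on the firewall only sees packets that are actually handed to the firewall) can be shown with a small simulation. The following is an added example, not code from the thread or from m0n0wall: it models a broadcast domain with ARP, hosts with ordinary routing tables, and a firewall that refuses to forward between the two LAN subnets. Host names, addresses (10.1.0.0/24 for "equipment", 10.2.0.0/24 for "client") and the firewall policy are assumptions made up for the demonstration; ARP is simplified to "ask every attached segment".

```python
import ipaddress


class Segment:
    """One Ethernet broadcast domain (one switch, one firewall NIC).

    ARP who-has is a broadcast, so any attached host answers for any
    address it owns, whatever IP subnet that address belongs to.
    """

    def __init__(self):
        self.hosts = []

    def arp(self, ip):
        for h in self.hosts:
            if ip in h.addresses:
                return h
        return None


class Host:
    def __init__(self, name, segments, addresses, gateway=None):
        self.name = name
        self.segments = list(segments)
        for seg in self.segments:
            seg.hosts.append(self)
        self.addresses = []
        self.routes = []  # (network, next_hop); next_hop None = on-link
        for cidr in addresses:
            self.add_address(cidr)
        if gateway:
            self.add_route("0.0.0.0/0", gateway)

    def add_address(self, cidr):
        iface = ipaddress.ip_interface(cidr)
        self.addresses.append(iface.ip)
        self.add_route(str(iface.network), None)  # connected route

    def add_route(self, network, next_hop):
        nh = ipaddress.ip_address(next_hop) if next_hop else None
        self.routes.append((ipaddress.ip_network(network), nh))

    def lookup(self, dst):
        """Longest-prefix match over the routing table."""
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best

    def send(self, dst):
        dst = ipaddress.ip_address(dst)
        return self._emit(self.addresses[0], dst, [self.name])

    def _emit(self, src, dst, path):
        route = self.lookup(dst)
        if route is None:
            return path + ["no route"]
        target = dst if route[1] is None else route[1]
        # Simplification: ARP on every attached segment instead of only the
        # one the route's interface points at.
        for seg in self.segments:
            nexthop = seg.arp(target)
            if nexthop is not None:
                return nexthop.receive(src, dst, path)
        return path + ["arp failed"]

    def receive(self, src, dst, path):
        path = path + [self.name]
        if dst in self.addresses:
            return path + ["delivered"]
        return path + ["dropped: not for me"]


class Firewall(Host):
    """Router with a 'no traffic between the two LAN subnets' rule.

    The rule only applies to packets that reach the firewall at all.
    """

    def __init__(self, name, segments, addresses, isolated):
        super().__init__(name, segments, addresses)
        self.isolated = [ipaddress.ip_network(n) for n in isolated]

    def receive(self, src, dst, path):
        path = path + [self.name]
        if dst in self.addresses:
            return path + ["delivered"]
        if any(src in n for n in self.isolated) and any(dst in n for n in self.isolated):
            return path + ["blocked by firewall rule"]
        return self._emit(src, dst, path)


ISOLATED = ["10.1.0.0/24", "10.2.0.0/24"]  # constructed: equipment, client


def demo_shared_segment():
    """Both subnets on one NIC: a client sidesteps the rule with one route."""
    lan = Segment()
    Firewall("m0n0wall", [lan], ["10.1.0.1/24", "10.2.0.1/24"], ISOLATED)
    Host("switch-mgmt", [lan], ["10.1.0.5/24"], gateway="10.1.0.1")
    laptop = Host("laptop", [lan], ["10.2.0.77/24"], gateway="10.2.0.1")
    via_gateway = laptop.send("10.1.0.5")
    # Equivalent of 'ip route add 10.1.0.0/24 dev eth0' on the laptop.
    laptop.add_route("10.1.0.0/24", None)
    direct = laptop.send("10.1.0.5")
    return via_gateway, direct


def demo_separate_segments():
    """Three NICs: the same trick fails, ARP never reaches the other LAN."""
    equip_lan, client_lan = Segment(), Segment()
    Firewall("m0n0wall", [equip_lan, client_lan],
             ["10.1.0.1/24", "10.2.0.1/24"], ISOLATED)
    Host("switch-mgmt", [equip_lan], ["10.1.0.5/24"], gateway="10.1.0.1")
    laptop = Host("laptop", [client_lan], ["10.2.0.77/24"], gateway="10.2.0.1")
    via_gateway = laptop.send("10.1.0.5")
    laptop.add_route("10.1.0.0/24", None)
    direct = laptop.send("10.1.0.5")
    return via_gateway, direct


if __name__ == "__main__":
    print(demo_shared_segment())
    print(demo_separate_segments())
```

On the shared segment the first attempt goes to the gateway and is blocked, but after the laptop adds a connected route for the equipment subnet its ARP request is answered directly by the equipment host and the firewall never sees the packet; adding a second address in 10.1.0.0/24 instead of a route has the same effect. With the equipment subnet on its own NIC, the connected route leads to an ARP that nothing answers, which is why Fred says separate NICs are the only way to make the subnets truly separate.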



---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch