 From:  Hilton Travis <Hilton at QuarkAV dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] DHCP, LAN, OPT1, and DNS Forwarder
 Date:  Wed, 05 May 2004 19:31:54 +1000
Hi all,

On Wed, 2004-05-05 at 07:34, Hilton Travis wrote:
> Hi All,
> I think this may have been discussed before, but I think it still needs
> to be looked at...
> I recently reconfigured my home network so that my own machines run off
> the LAN interface on my net4501-m0n0wall firewall, and my flatmates run
> off the OPT1 interface.  This was done for two main reasons: a) ensure
> that their machines have no access to mine (run the interfaces in
> non-bridged mode on different networks), and b) make the traffic shaping
> rules easier to handle.
> In its original configuration I had enabled the DNS Forwarder to route
> all DNS traffic through the caching DNS Server on the m0n0wall itself,
> resulting in less traffic over the WAN connection (bugger all, I know,
> but less is more) and faster DNS response times due to the DNS cache
> being held on my local LAN.
> As I now have DHCP enabled on the LAN as well as the now used OPT1
> interface, having "DNS Forwarder" enabled breaks the DNS resolution of
> all computers on the OPT1 interface as the DHCP Server assigns the LAN
> IP Address as the OPT1 DNS Server.  This is wrong, as there's no traffic
> allowed from the OPT1 into the LAN as should be the case on any firewall
> with a DMZ.
> What I've had to do is to uncheck the DNS Forwarder which disables it
> for both the LAN and the OPT1 interfaces.  I would like it to be still
> present for at least the LAN interface.  Ultimately, I'd like to be able
> to have DNS Forwarder checked, and for m0n0wall to either pass the LAN
> IP to its LAN segment in DHCP and its OPT1 IP to its OPT1 segment in
> DHCP, or as an alternate to this, allow the LAN IP to be assigned to the
> LAN machines via DHCP, and the entered/obtained DNS Server IP to be
> assigned to the OPT1 machines via DHCP.
> Any thoughts, comments?

Responding to your own post is poor form, but...

Another issue I have seen with the change of my network configuration as
mentioned above is that a lot of the traffic on the OPT1 interface - the
traffic for my flatmates - is seriously laggy, and some - especially
http - is flaky as hell.  Flaky to the point of sites timing out left,
right and center, images refusing to load, and also games lagging so
badly it's almost like you are playing on Mandrax.

Any ideas why this is the case with OPT1?  I think that until I can sort
this issue out, I'll have to bring them all back onto LAN and just
firewall them out on each of my own machines.



Hilton Travis                   Phone: +61-(0)7-3343-3889
Manager, Quark AudioVisual      Phone: +61-(0)419-792-394
         Quark Computers         http://www.QuarkAV.com/
(Brisbane, Australia)            http://www.QuarkAV.net/

Open Source Projects:		http://www.ares-desktop.org/

Non Linear Video Editing Solutions & Digital Audio Workstations
 Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
  Conference and Seminar AudioVisual Production and Recording

War doesn't determine who is right. War determines who is left.
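The configuration problem the thread describes (the OPT1 DHCP scope advertising the firewall's LAN address as DNS server, while OPT1-to-LAN traffic is blocked) can be caught before clients notice it. The following is an added example, not code from m0n0wall or from the poster: it models a two-segment firewall with a simple inter-interface policy and checks, for each DHCP scope, that the resolver it hands out is actually reachable from that segment. Interface names, addresses, the dict layout and the policy table are all constructed for the example and are not m0n0wall's config.xml format.

```python
"""Sanity-check the DNS server address each per-interface DHCP scope hands out.

Added example (not m0n0wall's own code). It models the situation in the post:
a LAN and an OPT1 interface, each with its own DHCP scope, and a firewall
policy that does not allow OPT1 -> LAN traffic. A scope on OPT1 that advertises
the firewall's LAN address as DNS therefore gives clients a resolver they
cannot reach. All names, addresses and the data layout are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed firewall model: the firewall's own address and subnet per interface.
FIREWALL = {
    "LAN":  {"address": "192.168.1.1", "network": "192.168.1.0/24"},
    "OPT1": {"address": "192.168.2.1", "network": "192.168.2.0/24"},
}

# Constructed inter-interface policy: may traffic from the first interface reach
# the second? "WAN" stands for any address outside the firewall's own subnets.
ALLOWED = {
    ("LAN", "OPT1"): True,
    ("LAN", "WAN"): True,
    ("OPT1", "LAN"): False,   # the DMZ-style rule described in the post
    ("OPT1", "WAN"): True,
}


def interface_for(addr):
    """Return the firewall interface whose subnet contains addr, else 'WAN'."""
    ip = ip_address(addr)
    for name, iface in FIREWALL.items():
        if ip in ip_network(iface["network"]):
            return name
    return "WAN"


def dns_reachable(client_iface, dns_server):
    """True if a client on client_iface can reach dns_server.

    The firewall's own address on the client's interface is always reachable
    (that is where the DNS Forwarder answers for that segment). Any other
    destination must be permitted by the inter-interface policy.
    """
    dst_iface = interface_for(dns_server)
    if dst_iface == client_iface:
        return True
    return ALLOWED.get((client_iface, dst_iface), False)


def check_dhcp_scopes(scopes):
    """Validate the DNS option of each DHCP scope.

    scopes maps interface name -> list of DNS server addresses that scope
    advertises. Returns a list of (interface, dns_server, problem) tuples;
    an empty list means every advertised resolver is reachable.
    """
    problems = []
    for iface, servers in scopes.items():
        for server in servers:
            if not dns_reachable(iface, server):
                problems.append((
                    iface, server,
                    f"advertised resolver {server} sits on {interface_for(server)}, "
                    f"which {iface} clients are not allowed to reach",
                ))
    return problems


def suggested_dns(iface):
    """Resolver a scope on iface should advertise with the DNS Forwarder on:
    the firewall's own address on that same interface."""
    return FIREWALL[iface]["address"]


if __name__ == "__main__":
    # Constructed: DHCP on both interfaces, both scopes advertising the LAN
    # address as DNS, i.e. the behaviour the post complains about.
    broken = {"LAN": ["192.168.1.1"], "OPT1": ["192.168.1.1"]}
    for problem in check_dhcp_scopes(broken):
        print("PROBLEM:", problem)
    # What the post asks for: each scope advertises its own interface address.
    fixed = {iface: [suggested_dns(iface)] for iface in FIREWALL}
    print("fixed scopes:", fixed, "problems:", check_dhcp_scopes(fixed))
```

Running it flags only the OPT1 scope; the LAN scope is fine because the LAN address is local to that segment. An external resolver (anything outside both subnets) passes for OPT1 because OPT1-to-WAN is allowed, which matches the poster's alternative of handing OPT1 clients the upstream DNS server instead of the firewall's LAN address.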