 From:  "Assinatura de Listas" <assinarlistas at yahoo dot com dot br>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Res: RE: [m0n0wall] Routable IP setup - please help!
 Date:  Thu, 2 Oct 2003 08:11:52 +0100 (GMT Daylight Time)
Please, look at my previous question.... Does the answer you have given to Aaron
Robinson apply to my question too?? If it does, how can I "assign 2 public
addresses to m0n0wall (1 to the WAN and one to the LAN interface), which have to
be in 2 different subnets"? Can you show me steps? And how can I use m0n0wall in
bridge mode (steps)??
 
Thank you, 
 
Cristian 
 
-------Original Message-------

From: Christiaens Joachim
Date: Wednesday, October 01, 2003 23:41:42
To: 'Aaron Robinson '; 'm0n0wall at lists dot m0n0 dot ch '
Subject: RE: [m0n0wall] Routable IP setup - please help!
 
Hi Aaron, 
 
if you're using routable IPs you can enable enhanced NAT and don't create
any specific rules. This leaves NAT out of the picture, because you don't
need (or even want) it.
 
If you want to do the public address routing, you will have to assign 2
public addresses to m0n0wall (1 to the WAN and one to the LAN interface),
which have to be in 2 different subnets (a bonus would be to be able to put
your ISP's router in bridging mode, so you could use its 'outside' public
address for the WAN interface).
 
If you cannot change the ISP's router config, then maybe you should use the
m0n0wall in bridging mode (with the patch), so you will not lose your
precious public IPs in an unusable subnet outside your firewall.
 
To stop people from using a non-assigned but valid address, the only thing
you can do is block all traffic in firewall rules for these addresses, but
that wouldn't prevent a user from 'stealing' a registered address from
somebody else (whose PC is off, for example). A switch supporting VLANs
would help, but then again, it would get a mess to maintain. Another
solution is PPTP, but you will need authentication, which you would like to
avoid, as I understand.
 
DHCP and IP configuration for the clients will be very simple.
Just put your ISP's router as a gateway in m0n0wall, and all traffic will
find its way (as the m0n0wall will be the default gateway for your
clients)...
 
I don't know HPNA, so there I cannot assist you...
 
Regards, 
Joachim 
 
-----Original Message----- 
From: Aaron Robinson 
To: m0n0wall at lists dot m0n0 dot ch 
Sent: 1/10/03 22:39 
Subject: [m0n0wall] Routable IP setup - please help! 
 
Hello. I've used m0n0wall personally for a bit and like it. It runs 
great on my P133 with 32MB RAM. However I now have a larger project 
that I am trying to help with. I am new to routing and am sure I am 
asking a simple question. If anyone has some recommended resources 
where I could learn more about what I'm asking, I would appreciate it. 
 
I am trying to set up a network that will have routable IP's. I will 
have a block of 16 initially and more after I figure things out. It 
will be for internet access at the condominiums where I live. 
Unfortunately my experience with networks is limited and I have never 
used a network where I had more than 1 IP. The LAN portion has always 
been NAT'd. 
 
What I am trying to figure out is how I would set up something like
m0n0wall for routable IP addresses. Everything I've worked with in the
past has been with NAT. I want to be able to assign people routable
IPs via DHCP. What would the m0n0wall LAN IP be? Do I use the
m0n0wall computer as the "router" IP on all client machines? I'm not
quite sure how I would direct all traffic through the m0n0wall.
 
Network topology is cat5 to all of the buildings and then HPNA into the 
units. The HPNA concentrator is essentially a switch where I can turn 
on/off units but not much more. There are 40 units total and our 
connection is a 1.1Mb SDSL line. DSL router is an Efficient Networks 
Speedstream model 5851. 
 
ISP 
| 
DSL router 
| 
m0n0wall (not implemented yet) 
| 
Switch 
------------------------------------- 
| | | | 
hpna1 hpna2 hpna3 hpna4 
||||||| |||||||| |||||||| |||||||| 
individual units 
 
 
So what I am looking to have it do is 
 
1) Stop people from using certain ports (25 is one) 
2) Limit bandwidth. (looks easy enough in the shaping. Are there 
implications?) 
3) Assign static DHCP addresses (seems easy) 
4) Block people from putting multiple computers on without registering
them.
- I don't care about someone with a box doing NAT....I just don't
want people using up IPs. Can I prevent them from just putting in a
good (for our network) but unused address? Or how would I prevent an IP
to be assigned to someone who hasn't registered their IP? I don't want
to have people sign in or anything...
5) Any suggestions on what we could/should do to make things more 
secure or operate more smoothly? 
 
I don't want to NAT people since they will be paying for service. 
However we don't want to allow people to run mail servers etc. and 
perhaps should block a few well known p2p ports. This would be possible 
with routable IP's correct? Do I just leave NAT off? Will I be using 
static routes? I'm really not sure how this would look. If anyone was 
willing to share some knowledge to get me started in the right 
direction, I would appreciate it. 
 
I can send beer :) 
 
Thanks! 
Aaron 
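Joachim's warning about losing public addresses to a second subnet, worked out as an added example (not code from the list or from m0n0wall); the /28 block and the address assignments are constructed, using a documentation prefix:

```python
"""Address accounting for the two layouts discussed in the thread: a routed
m0n0wall (WAN and LAN in two different public subnets) versus a bridged
m0n0wall where the whole block stays on one subnet. Added example, not from
the list; 203.0.113.0/28 is a constructed documentation prefix."""
import ipaddress

BLOCK = ipaddress.ip_network("203.0.113.0/28")  # constructed: 16 addresses


def routed_plan(block):
    """Split the block into two equal subnets: the outer one holds the ISP
    router and the m0n0wall WAN address, the inner one is the client LAN
    with the m0n0wall LAN address as the clients' default gateway."""
    outer, inner = list(block.subnets(prefixlen_diff=1))
    outer_hosts = list(outer.hosts())
    inner_hosts = list(inner.hosts())
    return {
        "isp_router": outer_hosts[0],
        "wan": outer_hosts[1],
        "outer_unused": outer_hosts[2:],  # stranded outside the firewall
        "lan_gateway": inner_hosts[0],
        "clients": inner_hosts[1:],
    }


def bridged_plan(block):
    """Bridging keeps one subnet: the ISP router and the firewall's own
    management address each take one host address; the rest go to clients."""
    hosts = list(block.hosts())
    return {"isp_router": hosts[0], "firewall": hosts[1], "clients": hosts[2:]}


def usable_clients(plan):
    """Number of public addresses left for paying units under a plan."""
    return len(plan["clients"])


if __name__ == "__main__":
    for name, plan in (("routed", routed_plan(BLOCK)),
                       ("bridged", bridged_plan(BLOCK))):
        print(f"{name}: {usable_clients(plan)} client addresses")
```

With a /28, routing two /29s leaves 5 client addresses (4 sit unused in the outer subnet), while bridging leaves 12.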
 