 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: Re: [m0n0wall] How to subnet OPT1 and still offer DHCP for each subnet?
 Date:  Thu, 19 Aug 2004 18:06:51 -0700 (PDT)
I presume you meant this to go to the list.

On Thu, 19 Aug 2004, Joe Lagreca wrote:

> VLANs require supported hardware, I don't know if all of my hardware
> is supported.
> Using a different interface for each client doesn't scale well.  What
> happens when I have 10-15 clients?
> I think the best way to solve this is with subnetting, however it's
> never been one of my strong points.  Maybe someone here can help guide
> me.  The following could ALL be wrong, it's just my current guess:
> I have set OPT1 up to be  
> My clients will all connect via/through OPT1.  I would like each
> office on a different subnet.  So client 1 would be, and
> client 2 would be, etc.  They would all use as their
> gateway to get to the internet.

Contrary to what someone else posted, you can't make this work by using
the shorter netmask on the m0n0wall, because it needs to have a
"presence" in each subnet to be seen by the clients.  Sometimes there's a
way around this with routing entries on the clients, but that's probably
too much hassle.

What you want is to add aliases to the LAN for the additional
subnets.  For example:

	Primary LAN IP:

Then each client machine gets 10.1.x.y/24, where 2<=y<=254.  (Using .1 for
the router isn't required, it's just customary).

While m0n0wall doesn't have direct support for IP aliases (it uses the
term "alias" to mean something entirely different), you can set it up with
the <shellcmd> facility in the config.  E.g. (in the <system> section):

	<shellcmd>ifconfig sis0 alias</shellcmd>
	<shellcmd>ifconfig sis0 alias</shellcmd>

where the "sis0" should be the name of the LAN interface.

It should be possible to configure firewall rules to control routing
between the subnets, but by default everything will be passed by the
default LAN rule.  And of course it doesn't prevent the subnets from
communicating directly, with what's usually a simple routing entry, so
don't count on this setup for security.

					Fred Wright
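The two points in the message above, that the router needs an address of its own inside every client /24 before a client can use it as a gateway, and that the per-subnet aliases are installed with <shellcmd> entries that run ifconfig on the LAN interface, worked through as an added example. This is not code from the original post or from m0n0wall; the concrete addresses (10.1.1.1/24 as the primary LAN address, 10.1.2.1/24 and 10.1.3.1/24 as aliases) and the interface name sis0 are assumptions that follow the 10.1.x.y/24 layout the post describes, since the original's own values are not on this page. The last function models the closing caveat: every alias lives on the same physical segment, so a firewall rule between two of them is not enforced against a client that adds a direct route.

```python
"""Plan and validate per-client /24 IP aliases on a m0n0wall LAN interface.

Added example, not code from the original post or from m0n0wall.  All
addresses and the interface name are assumptions for illustration.
"""
import ipaddress
from typing import List, Tuple
from xml.sax.saxutils import escape


def gateway_reachable(client_addr: str, gateway: str) -> bool:
    """A host can only ARP for a default gateway that sits inside its own
    subnet.  This is why a single shorter netmask on the router is not
    enough: the router needs a presence (an alias) in each client /24."""
    client = ipaddress.ip_interface(client_addr)
    return ipaddress.ip_address(gateway) in client.network


def plan_aliases(primary: str, aliases: List[str]
                 ) -> Tuple[List[ipaddress.IPv4Interface], List[str]]:
    """Check that every alias network is distinct from the primary LAN
    network and from every other alias.  Returns (accepted, errors)."""
    accepted = []
    errors = []
    seen = [ipaddress.ip_interface(primary)]
    for text in aliases:
        alias = ipaddress.ip_interface(text)
        clash = next((s for s in seen if alias.network.overlaps(s.network)), None)
        if clash is not None:
            errors.append(f"{alias} overlaps {clash}")
            continue
        seen.append(alias)
        accepted.append(alias)
    return accepted, errors


def client_range(alias: ipaddress.IPv4Interface) -> Tuple[str, str]:
    """Usable client addresses in an alias /24: everything but the
    router's own address (customarily .1) and the broadcast address."""
    hosts = [h for h in alias.network.hosts() if h != alias.ip]
    return str(hosts[0]), str(hosts[-1])


def shellcmd_entries(ifname: str, aliases: List[ipaddress.IPv4Interface]) -> List[str]:
    """Render the <shellcmd> lines for the <system> section of config.xml.
    FreeBSD syntax: ifconfig IF alias ADDR netmask MASK."""
    lines = []
    for alias in aliases:
        cmd = f"ifconfig {ifname} alias {alias.ip} netmask {alias.network.netmask}"
        lines.append(f"<shellcmd>{escape(cmd)}</shellcmd>")
    return lines


def reachable_without_router(client_a: str, client_b: str,
                             same_segment: List[ipaddress.IPv4Interface]) -> bool:
    """Aliases on one interface share a broadcast domain.  If both clients
    fall in networks configured on that interface, a host route such as
    'route add 10.1.3.0/24 -iface <nic>' (assumed command) lets them talk
    directly, so a firewall rule between the subnets is not enforced."""
    a = ipaddress.ip_address(client_a)
    b = ipaddress.ip_address(client_b)
    on_a = any(a in n.network for n in same_segment)
    on_b = any(b in n.network for n in same_segment)
    return on_a and on_b


if __name__ == "__main__":
    # Assumed layout: primary LAN 10.1.1.1/24, one alias per client office.
    primary = "10.1.1.1/24"
    accepted, errors = plan_aliases(primary, ["10.1.2.1/24", "10.1.3.1/24"])
    for line in shellcmd_entries("sis0", accepted):
        print(line)
    for alias in accepted:
        print(alias, "clients:", client_range(alias))
    print("client 10.1.2.5 via 10.1.1.1:", gateway_reachable("10.1.2.5/24", "10.1.1.1"))
    print("client 10.1.2.5 via 10.1.2.1:", gateway_reachable("10.1.2.5/24", "10.1.2.1"))
    everything = [ipaddress.ip_interface(primary)] + accepted
    print("10.1.2.5 -> 10.1.3.7 bypassing firewall possible:",
          reachable_without_router("10.1.2.5", "10.1.3.7", everything))
```

Run it as a script to see the generated config lines; the overlap check matters because a second alias in an already-configured network would silently shadow the first rather than add a subnet.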