 From:  "Bryan Brayton" <bryan at sonicburst dot net>
 To:  "Fred Wright" <fw at well dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: Re: [m0n0wall] How to subnet OPT1 and still offer DHCP for each subnet?
 Date:  Thu, 19 Aug 2004 21:56:21 -0400
Maybe I'm missing something here, but didn't Joe have client routers in
the mix?

So without IP aliases, but with static routes on the m0n0 on the LAN (or
OPT or whatever) pointing at the various internal routers, wouldn't this
work:


    WAN
     |
Joe's M0n0 box
     |
    LAN 10.1.0.1/24
     |
     |
     |----------------------------------------
     |                                       |
Client 1 Router WAN 10.1.0.2/24          Client 2 Router WAN 10.1.0.3/24
     |   (default rt 10.1.0.1)               |    (default rt 10.1.0.1)
     |                                       |
Client 1 Router                          Client 2 Router
     |                                       |
Client 1 Router LAN 10.1.1.1/24          Client 2 Router LAN 10.1.2.1/24
     |                                       |
     |                                       |
     |                                       |
     |                                       |
Client 1 LAN (default gw 10.1.1.1)       Client 2 LAN (default gw 10.1.2.1)


If dynamic routing was supported, you wouldn't have to manually enter
the routes.  You will need firewalling on the client routers to prevent
inter-client communication.

Correct me if I'm wrong.  I'm sure I'll regret that :)

-Bryan

 
-----Original Message-----
From: Fred Wright [mailto:fw at well dot com]
Sent: Thursday, August 19, 2004 9:07 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: Re: [m0n0wall] How to subnet OPT1 and still offer DHCP for
each subnet?


I presume you meant this to go to the list.

On Thu, 19 Aug 2004, Joe Lagreca wrote:

> VLANs require supported hardware, I don't know if all of my hardware
> is supported.
>
> Using a different interface for each client doesn't scale well.  What
> happens when I have 10-15 clients?
>
> I think the best way to solve this is with subnetting, however it's
> never been one of my strong points.  Maybe someone here can help guide
> me.  The following could ALL be wrong, it's just my current guess:
>
> I have set OPT1 up to be 10.1.0.1/16. 
>
> My clients will all connect via/through OPT1.  I would like each
> office on a different subnet.  So client 1 would be 10.1.1.1, and
> client 2 would be 10.1.2.1, etc.  They would all use 10.1.0.1 as their
> gateway to get to the internet.

Contrary to what someone else posted, you can't make this work by using
the shorter netmask on the m0n0wall, because it needs to have a
"presence" in each subnet to be seen by the clients.  Sometimes there's a
way around this with routing entries on the clients, but that's probably
too much hassle.

What you want is to add aliases to the LAN for the additional
subnets.  For example:

        Primary LAN IP: 10.1.0.1/24
        Alias:          10.1.1.1/24
        Alias:          10.1.2.1/24
                etc.

Then each client machine gets 10.1.x.y/24, where 2<=y<=254.  (Using .1 for
the router isn't required, it's just customary).

While m0n0wall doesn't have direct support for IP aliases (it uses the
term "alias" to mean something entirely different), you can set it up with
the <shellcmd> facility in the config.  E.g. (in the <system> section):

        <shellcmd>ifconfig sis0 alias 10.1.1.1/24</shellcmd>
        <shellcmd>ifconfig sis0 alias 10.1.2.1/24</shellcmd>

where the "sis0" should be the name of the LAN interface.

It should be possible to configure firewall rules to control routing
between the subnets, but by default everything will be passed by the
default LAN rule.  And of course it doesn't prevent the subnets from
communicating directly, with what's usually a simple routing entry, so
don't count on this setup for security.

                                        Fred Wright
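The two designs discussed in this thread, Fred's IP-alias approach and Bryan's per-client-router approach, worked through for N client subnets as an added example. This is not code from the original messages or from m0n0wall; it only computes the plan and never touches an interface. It assumes the LAN interface is `sis0` as in Fred's example, the 10.1.0.0/16 block from Joe's post, and two clients by default. The `<shellcmd>` lines follow the format Fred gives; the static-route entries are a generic representation, not m0n0wall's own config syntax. The last function makes Fred's security caveat concrete: aliases leave every client subnet on one broadcast domain, so inter-client traffic never has to cross the m0n0wall's rules, whereas routed client LANs each sit behind their own router.

```python
"""Plan and sanity-check the two designs from the thread.
Added example, not m0n0wall code; nothing here configures a real interface."""
import ipaddress

LAN_IF = "sis0"                                   # assumption: LAN interface name from Fred's post
SUPERNET = ipaddress.ip_network("10.1.0.0/16")   # the block Joe assigned to his client side


def alias_plan(lan_cidr="10.1.0.1/24", clients=2):
    """Fred's design: one interface carrying one IP alias per client subnet.
    Returns the <shellcmd> lines for the <system> section of config.xml and
    the usable host range per subnet (.1 is kept for the router, by custom)."""
    lan = ipaddress.ip_interface(lan_cidr)
    cmds, ranges = [], {}
    for i in range(1, clients + 1):
        net = ipaddress.ip_network(f"10.1.{i}.0/{lan.network.prefixlen}")
        if not net.subnet_of(SUPERNET) or net.overlaps(lan.network):
            raise ValueError(f"{net} does not fit the addressing plan")
        router = net.network_address + 1
        cmds.append(f"<shellcmd>ifconfig {LAN_IF} alias {router}/{net.prefixlen}</shellcmd>")
        hosts = list(net.hosts())
        ranges[str(net)] = (str(hosts[1]), str(hosts[-1]))   # .2 .. .254 for a /24
    return cmds, ranges


def static_route_plan(lan_cidr="10.1.0.1/24", clients=2):
    """Bryan's design: each client runs its own router whose WAN sits on the
    m0n0wall LAN; the m0n0wall needs one static route per client LAN via that
    router. A next hop outside the LAN subnet is unusable, so it is rejected."""
    lan = ipaddress.ip_interface(lan_cidr)
    routes = []
    for i in range(1, clients + 1):
        client_lan = ipaddress.ip_network(f"10.1.{i}.0/24")
        gw = lan.network.network_address + 1 + i      # 10.1.0.2, 10.1.0.3, ... (constructed)
        if gw not in lan.network or gw in (lan.ip, lan.network.broadcast_address):
            raise ValueError(f"gateway {gw} is not a usable host on {lan.network}")
        routes.append({"dest": str(client_lan), "gw": str(gw), "iface": LAN_IF})
    return routes


def broadcast_domains(design, clients=2):
    """Number of distinct L2 segments the clients' hosts occupy. This is the
    point behind Fred's warning: with aliases every subnet is bound to the same
    interface, so one segment is shared and a host can reach another client's
    subnet directly (a local route is enough) without passing the m0n0wall.
    With per-client routers, each client LAN is its own segment and traffic
    between clients must transit a router, where Bryan says filtering belongs."""
    if design == "aliases":
        cmds, _ = alias_plan(clients=clients)
        return len({c.split()[1] for c in cmds})         # interface name after "<shellcmd>ifconfig"
    if design == "static_routes":
        return len({r["gw"] for r in static_route_plan(clients=clients)})
    raise ValueError(f"unknown design {design!r}")


if __name__ == "__main__":
    cmds, ranges = alias_plan(clients=3)
    print("\n".join(cmds))
    for net, (lo, hi) in ranges.items():
        print(f"  {net}: clients may use {lo} .. {hi}")
    for r in static_route_plan(clients=3):
        print(f"route {r['dest']} via {r['gw']} dev {r['iface']}")
    for d in ("aliases", "static_routes"):
        print(f"{d}: {broadcast_domains(d, clients=3)} broadcast domain(s) for 3 clients")
```

Running it prints the alias commands for three subnets, the matching static routes for the routed design, and 1 versus 3 broadcast domains, which is exactly the difference that decides whether m0n0wall rules can separate clients at all.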

