 
 From:  Joe Lagreca <lagreca at gmail dot com>
 To:  Fred Wright <fw at well dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: Re: Re: [m0n0wall] How to subnet OPT1 and still offer DHCP for each subnet?
 Date:  Thu, 19 Aug 2004 22:16:14 -0700
Yes, thanks for posting this to the list (my mistake).  


On Thu, 19 Aug 2004 18:06:51 -0700 (PDT), Fred Wright <fw at well dot com> wrote:
> 
> I presume you meant this to go to the list.
>.....
> Contrary to what someone else posted, you can't make this work by using
> the shorter netmask on the m0n0wall, because it needs to have a
> "presence" in each subnet to be seen by the clients.  Sometimes there's a
> way around this with routing entries on the clients, but that's probably
> too much hassle.
> 
> What you want is to add aliases to the LAN for the additional
> subnets.  For example:
> 
>        Primary LAN IP: 10.1.0.1/24
>        Alias:          10.1.1.1/24
>        Alias:          10.1.2.1/24
>                etc.
> 
> Then each client machine gets 10.1.x.y/24, where 2<=y<=254.  (Using .1 for
> the router isn't required, it's just customary).
> 
> While m0n0wall doesn't have direct support for IP aliases (it uses the
> term "alias" to mean something entirely different), you can set it up with
> the <shellcmd> facility in the config.  E.g. (in the <system> section):
> 
>        <shellcmd>ifconfig sis0 alias 10.1.1.1/24</shellcmd>
>        <shellcmd>ifconfig sis0 alias 10.1.2.1/24</shellcmd>
> 
> where the "sis0" should be the name of the LAN interface.

My OPT1 interface should look like this:
<opt1>
	<descr>OPT1</descr>
	<if>xl2</if>
	<ipaddr>10.1.0.1</ipaddr>
	<subnet>24</subnet>
	<bridge/>
	<enable/>
</opt1>

Should my first command (this is in the config.xml file correct???)
look like this:
<shellcmd>ifconfig xl2 alias 10.1.1.1/24</shellcmd>
or like this:
<shellcmd>ifconfig opt1 alias 10.1.1.1/24</shellcmd>

I have an idea of what all this does, but please check it over and let
me know if it's the right idea:

This will basically bind an IP address to the OPT1 interface.  So I will
just bind as many IPs to the OPT1 interface as I have
subnets/clients?  Then on the client end, make their gateway the IP
that I have bound for them to OPT1?  Will all of the subnets bound to
OPT1 have to follow the rules applied in the firewall for OPT1?

How about traffic shaping?  Will I be able to shape each individual
subnet or only OPT1 as a whole?

Configured as stated above, if a windows machine on subnet 1 were to
go to their network neighborhood, they would only see other machines
on subnet 1 and not on any other subnet (because broadcast traffic is
only within their subnet)?  However if they specifically put in an IP
address on another subnet they would have access to it?

> It should be possible to configure firewall rules to control routing
> between the subnets, but by default everything will be passed by the
> default LAN rule.  And of course it doesn't prevent the subnets from
> communicating directly, with what's usually a simple routing entry, so
> don't count on this setup for security.

Again, please correct my logic of the security portion of this idea:

I can create rules on the firewall to prevent each subnet from talking
to each other.  However if a user on another subnet adds a routing
entry on their end to allow them access to one of the other subnets I
cannot stop them?

Thanks very much for this idea.  I have been looking all over for
subnetting ideas today and have not been able to make sense of any of
them.  Assuming my understanding of your idea/solution is correct, I
think this will work perfectly for my needs.

When I hear back from you telling me if I am correct in my thinking, I
will implement this on my home m0n0 as a test.

Fred, thanks for taking the time to explain this stuff to me.  I
really appreciate it.

Joe
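The alias setup Fred describes, and his warning that it offers no real isolation, can be modelled in a few lines. The following is an added example written for this page, not code from the thread or from m0n0wall: it uses the interface name and subnets from the messages above, and the client-route behaviour it encodes (every alias subnet sits on the same physical segment, so a client that treats another subnet as directly connected never passes the router) is an assumption drawn from Fred's remark, not something the page demonstrates.

```python
import ipaddress

# Constructed example based on the thread: one physical m0n0wall interface
# (xl2, Joe's OPT1 device) carries a primary address plus IP aliases.
IFACE = "xl2"
PRIMARY = ipaddress.ip_interface("10.1.0.1/24")
ALIASES = [
    ipaddress.ip_interface("10.1.1.1/24"),
    ipaddress.ip_interface("10.1.2.1/24"),
]
ROUTER_ADDRS = [PRIMARY] + ALIASES


def shellcmd_lines(iface=IFACE, aliases=ALIASES):
    """Emit the <shellcmd> entries for the <system> section of config.xml.

    The interface name must be the FreeBSD device name (xl2), not the
    m0n0wall label (opt1): ifconfig only knows the former."""
    return [f"<shellcmd>ifconfig {iface} alias {a.with_prefixlen}</shellcmd>"
            for a in aliases]


def router_subnet_for(addr):
    """Router interface (primary or alias) whose subnet contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for ifa in ROUTER_ADDRS:
        if ip in ifa.network:
            return ifa
    return None


def gateway_for(client):
    """Gateway a client must be given: the router's address in its own subnet."""
    ifa = router_subnet_for(client)
    return str(ifa.ip) if ifa else None


def client_address_ok(client):
    """A usable client address lies in one of the subnets, is not the router,
    and is neither the network nor the broadcast address (last octet 2..254)."""
    ifa = router_subnet_for(client)
    if ifa is None:
        return False
    ip = ipaddress.ip_address(client)
    return (ip != ifa.ip
            and ip != ifa.network.network_address
            and ip != ifa.network.broadcast_address)


def path(src, dst, client_onlink=()):
    """Classify how a packet from src reaches dst on this shared segment.

    client_onlink: networks the *client* treats as directly connected (the
    "simple routing entry" Fred warns about).  Returns (how the packet
    travels, whether the m0n0wall firewall rules ever see it)."""
    d = ipaddress.ip_address(dst)
    src_if = router_subnet_for(src)
    if src_if is None or router_subnet_for(dst) is None:
        raise ValueError("addresses must lie in one of the configured subnets")
    if d in src_if.network:
        return ("on-link, same subnet", False)
    # Assumption: all alias subnets share one interface and so one broadcast
    # domain, hence a client route marking dst's subnet as on-link works.
    for net in client_onlink:
        if d in ipaddress.ip_network(net):
            return ("on-link, client-added route bypasses router", False)
    return ("via router " + gateway_for(src), True)


if __name__ == "__main__":
    print("\n".join(shellcmd_lines()))
    print(path("10.1.1.5", "10.1.2.9"))
    print(path("10.1.1.5", "10.1.2.9", client_onlink=["10.1.2.0/24"]))
```

The second `path` call shows the security point: firewall rules on OPT1 only govern traffic that actually transits the router, and with aliases on one segment a client can keep that traffic off the router entirely. Separate physical interfaces (or VLANs on a managed switch) are what give you enforceable separation.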