 From:  Aaron <lists at mycommunitynet dot net>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  "'m0n0wall'" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Some network configuration help
 Date:  Sat, 2 Oct 2004 23:34:24 -0700
Thanks for the reply. I'm not a pro at this, but it's fun trying to be. 
The service has worked great for people so far, and they are using me 
rather than the crappy cable company.

On Oct 2, 2004, at 8:55 PM, Chris Buechler wrote:

> On Sat, 2 Oct 2004 19:44:26 -0700, Aaron <lists at mycommunitynet dot net> 
> wrote:
>> I would like to figure out the best way to
>> 1) Provide NAT'd IP's ( think what I am doing is fine)
> What you're doing is fine there.  If you need more accountability
> (i.e. if somebody abuses their connection, you'll know who did it), go
> with 1:1 NAT on everything.  You could use outbound NAT and DHCP
> reservations to split your customers into pools per public IP.  Then
> if you have a problem, you at least have a better idea who did it, but
> no certainty.
>> 2) Provide public IP addresses to some customers (1:1 or snat?)
> Use 1:1 NAT for that.  Make sure you assign a DHCP reservation to the
> LAN IP address.  Otherwise some other machine could pick up that IP
> from DHCP and would have that 1:1 mapping.

I think I will just map the 1:1 to IPs outside of the DHCP range. Then 
I can give people an IP to use for a "public" IP. I haven't had to 
deal with any security problems, so accountability is not a huge 
problem as of now.

>> 3) Be able to view the DSL Modem statistics by going to web
>> configuration page (DSL Modem is bridged, but can be reached via on
>> ethernet port).
Would I have to assign some kind of route or give the WAN port another 
IP that lies in the address range? I can't get to the DSL 
modem even though I have block private networks turned off. The WAN IP 
of the monowall is not an RFC 1918 address...it's public. How would 
mono know how to get to the dsl modem?

> That should work if you turn off block private networks on the WAN
> interface page.
>> 4) What if anything should I use OPT1/DMZ for?
> You could segregate some of your customers onto a separate interface.
> That way they couldn't talk to each other's machines, which could be a
> major security issue for them if they don't use appropriate
> firewalling.  You could also use VLAN's if you have a capable switch,
> and put each customer on their own VLAN and don't route between them.
> That'd be the ideal setup.
>> P.S. If anyone is curious, I am scrapping my 1.1/1.1 SDSL provider in
>> favor of ADSL. The SDSL has a nasty feature of getting very high ping
>> times when it is < 50% loaded. Pings will go to 200-400ms to the dsl
>> gateway even with traffic shaping. The ADSL 3/768 is slower upstream,
>> but I can pull or push near the max  bandwidth and ping remain fairly
>> stable.
> When < 50% loaded?  I'm guessing you mean > 50%.  That sounds like a
> cruddy ISP, sounds like you aren't getting what you're paying for.
> The ADSL should have issues with load (on upload) more than SDSL,
> since ADSL is asynchronous.  Fill your upload and your latency is
> going to be 200-800+ ms.  Traffic shaping will help that.
No, I mean less...it gets pretty crappy once it hits 50% utilization 
and is not good at all long before that. The ADSL is FAR better and 
will push much closer to its limits without affecting everybody than 
the SDSL does...and it costs almost 3x as much!! I'll take the hit on 
upstream as long as the ADSL proves to be as stable.
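The point Chris makes under (2), that a 1:1 NAT entry whose LAN address is not pinned by a DHCP reservation can be inherited by whatever host next leases that address, is easy to check mechanically. The script below is an added example, not part of this thread or of m0n0wall itself: it parses a constructed m0n0wall-style config.xml and flags 1:1 mappings that sit inside the DHCP pool without a static mapping, and separately notes mappings outside the pool that rely on a manually configured host (Aaron's plan). The element names (`nat/onetoone`, `dhcpd/lan/range`, `dhcpd/lan/staticmap`) are assumed from memory of the config layout and should be checked against your own config.xml.

```python
# Added example (not from the thread or from m0n0wall): audit 1:1 NAT
# entries against the DHCP configuration in an m0n0wall-style config.xml.
# Element paths are an assumption about the config layout; verify them.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config: .10 is reserved by MAC (safe), .150 is inside
# the pool with no reservation (risky), .20 is outside the pool but has no
# reservation either (relies on the host being statically configured).
SAMPLE_CONFIG = """<m0n0wall>
  <nat>
    <onetoone><external>203.0.113.10</external><internal>192.168.1.10</internal></onetoone>
    <onetoone><external>203.0.113.11</external><internal>192.168.1.150</internal></onetoone>
    <onetoone><external>203.0.113.12</external><internal>192.168.1.20</internal></onetoone>
  </nat>
  <dhcpd><lan>
    <range><from>192.168.1.100</from><to>192.168.1.199</to></range>
    <staticmap><mac>00:11:22:33:44:55</mac><ipaddr>192.168.1.10</ipaddr></staticmap>
  </lan></dhcpd>
</m0n0wall>"""


def audit_onetoone(config_xml):
    """Return (internal, external, problem) for 1:1 entries not pinned by DHCP."""
    root = ET.fromstring(config_xml)
    pool_lo = ipaddress.ip_address(root.findtext("dhcpd/lan/range/from"))
    pool_hi = ipaddress.ip_address(root.findtext("dhcpd/lan/range/to"))
    reserved = {m.findtext("ipaddr") for m in root.iterfind("dhcpd/lan/staticmap")}
    findings = []
    for entry in root.iterfind("nat/onetoone"):
        internal = entry.findtext("internal")
        external = entry.findtext("external")
        if internal in reserved:
            continue  # tied to a MAC, so no other client can lease it
        if pool_lo <= ipaddress.ip_address(internal) <= pool_hi:
            findings.append((internal, external, "inside DHCP pool, no reservation"))
        else:
            findings.append((internal, external, "outside pool, no reservation (static host assumed)"))
    return findings


if __name__ == "__main__":
    for internal, external, problem in audit_onetoone(SAMPLE_CONFIG):
        print(f"{external} -> {internal}: {problem}")
```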