[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NEWBIE: alias or vlan?

On Sunday, Mar 30, 2003, at 15:04 US/Pacific, s c o t t wrote:

System: OpenBSD 3.2 +latest security patches applied. Dual Linksys TX100
Nics. One connected to DSL modem, one connected to LAN. PF configured to
NAT my internal network.

My nextdoor neighbor gave me a Cisco 350 wireless access point so he
could hijack some of my bandwidth. I agreed but want to maintain control.

Here are my questions:
1) Initially I have thought about setting up a vlan on my internal Nic
for the network I will assign to the wireless segment. Is this preferred
over assigning an alias with ifconfig?

Considering the gear, I would personally go with a VLAN. It makes for a clean separation of networks on the same physical interface, which is what you're after.

2) To restrict things a bit I was going to cfg the WAP to grab an IP from
DHCP and I was going to configure DCHP for this segment to be limited to
two addresses (with something equivalent to a subnet
mask). to allow for IP network and broadcast space.

3) I would like to augment my pf ruleset to block traffic from the
wireless segment to the wired (and maybe vice versa0. It seems, at least
conceptually, that this will be easier to do if I go the VLAN route vs.
adding an alias but again I really don't know. Any thoughts?

I agree.

4) I assume with either case I will need to extend my NAT rule to NAT
this new traffic from the VLAN (or alias)?


5) Lastly it seems like the pf man page and HOWTO use the notation /N
following an IP address to indicate which octets matter (i.e. means the last three octets). Is this correct?

That is known as CIDR notation. The N refers to the number of significant bits for the mask. See this page for a decent explanation, just ignore the IRC-specific stuff: http://ircd-hybrid.org/docs/CIDR.txt

So, If hypothetically I defined some things in my pf.conf:

Could I stipulate that my VLAN network address was with a
netmask of and would the similar notation,

still be valid (for the two hosts and .11?

Not quite. As I mentioned above, that space needs to be expanded to 4 addresses to allow for IP broadcast. For the netmask to work, it will need to be on an address boundary divisible by 4. So, something like, making .9 and .10 your usable addresses.