Re: NEWBIE: alias or vlan?
On Sunday, Mar 30, 2003, at 15:04 US/Pacific, s c o t t wrote:

> System: OpenBSD 3.2 +latest security patches applied. Dual Linksys
> Nics. One connected to DSL modem, one connected to LAN. PF configured
> NAT my internal network.
>
> My next-door neighbor gave me a Cisco 350 wireless access point so he
> could hijack some of my bandwidth. I agreed but want to maintain
>
> Here are my questions:
>
> 1) Initially I have thought about setting up a vlan on my internal Nic
> for the network I will assign to the wireless segment. Is this
> over assigning an alias with ifconfig?

Considering the gear, I would personally go with a VLAN. It makes for
a clean separation of networks on the same physical interface, which
is what you're after.

> 2) To restrict things a bit I was going to cfg the WAP to grab an IP
> DHCP and I was going to configure DHCP for this segment to be limited
> two addresses (with something equivalent to a 255.255.255.254 subnet

255.255.255.252 to allow for IP network and broadcast space.

> 3) I would like to augment my pf ruleset to block traffic from the
> wireless segment to the wired (and maybe vice versa). It seems,
> conceptually, that this will be easier to do if I go the VLAN route vs.
> adding an alias but again I really don't know. Any thoughts?
>
> 4) I assume with either case I will need to extend my NAT rule to NAT
> this new traffic from the VLAN (or alias)?
>
> 5) Lastly it seems like the pf man page and HOWTO use the notation /N
> following an IP address to indicate which octets matter (i.e.
> 192.168.1.0/24 means the last three octets). Is this correct?

That is known as CIDR notation. The N refers to the number of
significant bits for the mask. See this page for a decent
explanation, just ignore the IRC-specific stuff:

> So, if hypothetically I defined some things in my pf.conf:
>
> Could I stipulate that my VLAN network address was 192.168.2.10 with a
> netmask of 255.255.255.254 and would the similar notation,
> still be valid (for the two hosts 192.168.2.10 and .11)?

Not quite. As I mentioned above, that space needs to be expanded to
4 addresses to allow for IP broadcast. For the netmask to work, it
will need to be on an address boundary divisible by 4. So, something
like 192.168.2.8/30, making .9 and .10 your usable addresses.
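
As an added example, not part of the original thread or anyone's posted configuration: a POSIX shell script that does the CIDR arithmetic behind the /30 answer above (network, broadcast and usable addresses, and why a /31 starting at .10 leaves no room for network and broadcast), and then prints the VLAN interface line and a pf.conf fragment covering questions 1), 3) and 4). Everything not in the thread is assumed: interface names fxp0 (DSL side) and fxp1 (wired LAN), VLAN id 2, a wired LAN of 192.168.1.0/24, and the hostname.if(5) form for bringing up the VLAN at boot.

```shell
#!/bin/sh
# Added example (not from the original thread): CIDR arithmetic for the
# wireless /30 plus the interface and pf lines that go with it.
# Assumptions: fxp0 = DSL side, fxp1 = wired LAN, VLAN id 2, LAN 192.168.1.0/24.

ALL32=4294967295   # 0xFFFFFFFF; shell arithmetic is at least 32 bits wide

# Dotted quad -> 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a /N prefix as an integer: the top N bits set, the rest clear.
cidr_mask() {
    echo $(( (ALL32 << (32 - $1)) & ALL32 ))
}

# Network address: clear the host bits. 192.168.2.10/30 -> 192.168.2.8,
# because 10 = 0b1010 and a /30 keeps only the top two bits of the last octet,
# which is why the block has to start on a boundary divisible by 4.
cidr_network() {
    int2ip $(( $(ip2int "$1") & $(cidr_mask "$2") ))
}

# Broadcast address: set the host bits. 192.168.2.10/30 -> 192.168.2.11.
cidr_broadcast() {
    int2ip $(( $(ip2int "$1") | (ALL32 ^ $(cidr_mask "$2")) ))
}

# Usable host range, network+1 .. broadcast-1. A /31 or /32 has no room for
# the network and broadcast addresses, so the function prints nothing and fails.
cidr_usable() {
    [ "$2" -le 30 ] || return 1
    n=$(ip2int "$(cidr_network "$1" "$2")")
    b=$(ip2int "$(cidr_broadcast "$1" "$2")")
    echo "$(int2ip $(( n + 1 ))) $(int2ip $(( b - 1 )))"
}

# Emit the hostname.if(5) line for the VLAN and a pf.conf fragment that NATs
# the wireless block and keeps it separated from the wired LAN.
# $1 = any address in the wireless block, $2 = prefix length, $3 = VLAN id,
# $4 = internal (wired) interface, $5 = external interface.
emit_wireless_config() {
    net=$(cidr_network "$1" "$2")
    mask=$(int2ip "$(cidr_mask "$2")")
    gw=$(int2ip $(( $(ip2int "$net") + 1 )))   # first usable address is the router
    cat <<EOF
# /etc/hostname.vlan0 (assumed hostname.if(5) form: address, mask, then ifconfig options)
inet $gw $mask NONE vlan $3 vlandev $4

# pf.conf fragment (assumed interface names; check with: pfctl -nf /etc/pf.conf)
ext_if = "$5"
wifi_if = "vlan0"
wifi_net = "$net/$2"
lan_net = "192.168.1.0/24"
# question 4: NAT the wireless block the same way as the wired LAN
nat on \$ext_if from \$wifi_net to any -> \$ext_if
# question 3: pf applies the last matching rule, so the narrower block
# rules placed after the pass rule win for wireless <-> wired traffic
pass in on \$wifi_if from \$wifi_net to any keep state
block in on \$wifi_if from \$wifi_net to \$lan_net
block in on $4 from \$lan_net to \$wifi_net
EOF
}

# Demo on the thread's own addresses.
cidr_network 192.168.2.10 30      # 192.168.2.8
cidr_broadcast 192.168.2.10 30    # 192.168.2.11
cidr_usable 192.168.2.10 30       # 192.168.2.9 192.168.2.10
emit_wireless_config 192.168.2.10 30 2 fxp1 fxp0
```

The arithmetic functions are the part worth keeping around: feeding them the address you intend to use and the prefix you intend to give it shows immediately whether the block is aligned, and `cidr_usable` failing on a /31 is the same objection the reply makes about 255.255.255.254. The pf fragment relies on pf's last-match-wins evaluation; if the existing ruleset uses `quick` on its pass rules, the block rules need to move ahead of them.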