Impossible in the GUI, yes. People have hacked in extra subnets on an interface using exec.php after told what I said above, then have other consequences because m0n0wall is not designed to work that way.
Fair enough.
From a security perspective, you have no control over what someone could do with those public IP addressed systems if compromised.
We are an ISP. From a security perspective most ISPs have limited control over what their customers are doing with their public IP addresses. There has been some debate in the media lately over common carrier status, and I think it's fair to say that this is a double-edged sword. ISPs for the most part have stayed out of the content debate, and while we do what is reasonably within our power to safeguard the security of our users' machines, we cannot be responsible for their total security, nor would the average user want so many imposed constraints. All our customers to date have 10.0 NAT addresses. To put our 10.0 customers in a broadcast domain with our (pending) 66.x customers, while perhaps ugly, as you put it, imperils their security no more than to give them all a public IP address, it would seem to me. Correct me if I'm wrong.
Adding an alias on the private subnet would be easy, and would expose your entire network.
I have already added an alias on the LAN interface for unrelated purposes, as discussed on the lists in March. This serves to operate a read-only, LAN-only subnet with no NAT privileges. I have much to learn at this networking game, and I still fail to see exactly how another alias would accomplish what I am attempting/asking about herewith.
Putting the second subnet on a second broadcast domain, whether a VLAN, or preferably an OPT interface with a dedicated switch, really doesn't change anything other than giving you a cleaner, more secure network. They would have to route through m0n0wall to communicate between each other anyway, even on the same broadcast domain.
Whereas it is impossible (or at the very least
grossly impractical) to physically separate my 10.0/16 subnet from my 66.x.x/27 subnet, i.e., to put them on separate broadcast domains; and whereas to "expose [my] entire network", as you say, would be to put them in no greater peril than what any other ISP does for its customers, I'll respectfully accept your caution and restate my question:
What I have:
10.0/16 [LAN] -- || mono || -- [WAN] 66.x.x.2/27
What I need:
10.0/16 --
|
|| mono || -- [WAN] 66.x.x.2/27 ---- 66.x.x.1
|
66.x.x/27--
Now unless I have grossly misunderstood the NAT section in the manual, this is a trivial and healthy thing to do with an OPT1 interface. Acknowledging that I cannot create a separate broadcast domain for my new subnet, and an additional NIC is therefore superfluous, I endeavor to accomplish this via my existing 2-NIC monowall.
What must I do to make this happen? If you think it would be imprudent to post some guidelines in the forum, then please, by all means email me.
Fow what it's worth, I can almost infer from your post what needs to be done. Maybe a wink and a nod will suffice if I'm not far off:
[LAN]em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_MTU>
inet 10.0.0.1 netmask 0xffff0000 broadcast 10.0.255.255
[alias] inet 66.x.x.3 netmask 0xffffffe0 broadcast 66.x.x.31
[WAN]nve0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 66.x.x.2 netmask 0xffffffe0 broadcast 66.x.x.31
Add outbound NAT for 10.0/16, firewall rules and proxy ARP for 66.x.x/27 and we're done. Yes? I'm still not sure about my proposed ifconfig. Thanks for your help.
db
m0n0wall Forum > m0n0wall Support (English) > Firewall/NAT
Topic: NAT & non-NAT hosts on a single LAN interface?