[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: VLANs on a Debian firewall

Just a thought, but since the external IPs are *likely* going to be in the
same class C the host byte could be your primary key.  It's small enuff to
give each fierwalled server it's own class C in the Class B range
(192.170.<external host byte>.<any remaining host bits(up to 7)>), Still
leaving you with 192.168 for clients.

This would clear up any L3 problems. You could even use that byte for your
vlan tying L2 alltogether nicely.  There is also room for more than 256 of
these if vlan permits.

--- Kresimir Sparavec <kreso@usa.net> wrote:
> Sean,
> the main complexity in your setup will probably come from the
> fact that you want to use VLANs on firewall machines. That means
> you need one virtual interface per VLAN (that is the only way
> known to me to get packets tagged on layer 2). Of course, that
> also means you have to deal which each and every one of these
> interfaces on layer 3 (routing and firewalling). Any solution
> which hopes to scale with the growing number of VLANs has to solve
> this problem. I'm working on the very similar setup to yours and
> I still do not see a simple and elegant way to deal with this
> problem. Of course, if the number of networks is limited to three
> or four, then you won't have too much trouble (actually, in that
> case I would rather use separate physical interfaces instead of
> VLANs).
> The second problem is that netfilter does not offer connection
> tracking synchronization features present in expensive commercial
> products. That is usually not the problem because much of the
> traffic is single request-response (think HTTP), but when one
> machine goes down, the state information gets lost. Anyway,
> you still can build a pretty nice solution with keepalived
> or heartbeat.
> Kresimir

Do you Yahoo!?
Vote for the stars of Yahoo!'s next ad campaign!

Reply to: