Hi, I am trying to offer internet access to a neighbour and I think the optimum way to do this is to drop his traffic in as a VLAN on our network, but I'm still finding my feet on the basics.

The scenario is this:

Our office internal: 192.168.1.0/24
Firewall sees this as bridge br0 consisting of eth0 and wlan0
eth0 exits to a mid-level switch which supports VLAN capabilities and the rest of the office is connected

External: we have a public IP range (for simplicity): 1.1.1.0/28
Our upstream gateway is 1.1.1.1
Our firewall on eth1 has IP 1.1.1.2
All traffic is NATed from br0 out onto eth1: 1.1.1.2

Our neighbour presents as a wired ethernet connection into our office. We want to offer him IP 1.1.1.3. All traffic to/from 1.1.1.3 gets passed in and on to him. However, we desire to be able to offer firewall services and QoS on his connection. He will receive only a single IP and he is responsible for using NAT, etc. to manage his private machines behind that IP (i.e. he is adding some simple firewall/router in his premises).

Can I do this with my current configuration, i.e. br0 internal + eth1 external? Neither internal network should see the other for obvious reasons; the only meeting point can be external traffic. I obviously also wish to minimise spoofing problems and problems on my network due to my neighbour doing something stupid/malicious with his router.

My firewall does have a third eth port, but I'm trying to keep a standard config on the box, which would exclude the use of this extra port.

Thanks for suggestions on the best way to implement such a strategy. I *think* what I'm trying to achieve will be something like putting the neighbour on a VLAN on our switch, then hanging this off eth0/br0, and presumably I need proxy ARP to get the data across? Is this about right?

Note we may offer a similar service to two other offices here, so I want to get the basics sorted on this office first (we are the only building with decent internet in the area...)
Thanks Ed W ------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
Robert K Coffman Jr. -Info From Data Corp.
2013-Sep-26 12:36 UTC
Re: Basic VLAN question...
Ed,

Not sure it is the best way, but I would do it this way:

Add an additional internal interface (192.168.2.0?) for his connection to your firewall. His device would plug in there.

Add an additional external IP for masq/NAT for his network to your external interface.

Another strategy would be for you to control his firewall device, and block any traffic from his network to yours, but allow anything else.

- Bob
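The following script is an added example written for this page; it is not code posted by Ed or Bob. It renders, as a dry run, the Linux commands for both layouts discussed in the thread: Ed's plan (the neighbour's VLAN hangs off eth0, the public /32 1.1.1.3 is routed onto it and proxy-ARPed on both sides) and Bob's plan (a private 192.168.2.0/24 on the VLAN, masqueraded behind 1.1.1.3 on eth1). Everything the thread does not state is an assumption: VLAN ID 20, the subnet 192.168.2.0/24, the QoS rates, and the use of nftables and tc's matchall filter, which both postdate the 2013 thread (the same rules translate one-for-one to iptables). The interface and address names (eth0, br0, eth1, 1.1.1.0/28, 1.1.1.1, 1.1.1.2, 1.1.1.3, 192.168.1.0/24) are taken from Ed's description.

```shell
#!/bin/sh
# Added example (not from the thread): give a neighbour on a tagged VLAN a single public
# IP through the existing br0/eth1 firewall, with isolation, anti-spoofing and QoS.
# Without arguments it prints the commands; "--apply [public|nat]" runs them as root.

VLAN_ID=20                 # assumed: the VLAN the switch puts the neighbour's port on
TRUNK=eth0                 # physical port that also carries the untagged office LAN into br0
NEIGH_IF="$TRUNK.$VLAN_ID" # 8021q sub-interface: frames tagged VID 20 land here, not on br0
OFFICE_BR=br0
WAN=eth1
OUR_IP=1.1.1.2
NEIGH_IP=1.1.1.3
OFFICE_NET=192.168.1.0/24
NEIGH_LAN=192.168.2.0/24   # assumed: Bob's private subnet for the neighbour
NEIGH_GW=192.168.2.1
DOWN_RATE=10mbit           # assumed: shaping towards the neighbour
UP_RATE=5mbit              # assumed: policing of what the neighbour sends us

gen_config() {
  scheme=${1:-public}      # "public" = Ed's proxy-ARP plan, "nat" = Bob's private-subnet plan
  if [ "$scheme" = public ]; then neigh_src=$NEIGH_IP/32; else neigh_src=$NEIGH_LAN; fi

  echo "# --- VLAN leg: a separate sub-interface, deliberately NOT enslaved to $OFFICE_BR"
  echo "ip link add link $TRUNK name $NEIGH_IF type vlan id $VLAN_ID"
  echo "ip link set $NEIGH_IF up"
  echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
  # sysctl(8) would split 'eth0.20' on the dot, so the /proc path is written directly.
  # Strict rp_filter drops any packet from the VLAN whose source is not routed back there.
  echo "echo 1 > /proc/sys/net/ipv4/conf/$NEIGH_IF/rp_filter"

  if [ "$scheme" = public ]; then
    echo "# --- Ed's plan: route $NEIGH_IP/32 onto the VLAN, proxy ARP on both sides"
    echo "ip addr add $OUR_IP/32 dev $NEIGH_IF"      # source address for ARP on this leg
    echo "ip route add $NEIGH_IP/32 dev $NEIGH_IF"
    # proxy_arp=1 on the VLAN leg answers his ARP for 1.1.1.1 and the rest of the /28, so he
    # simply configures 1.1.1.3/28 with gateway 1.1.1.1. On eth1 we claim exactly one
    # address with a proxy neighbour entry instead of proxy_arp=1 for the whole box.
    echo "echo 1 > /proc/sys/net/ipv4/conf/$NEIGH_IF/proxy_arp"
    echo "ip neigh add proxy $NEIGH_IP dev $WAN"
  else
    echo "# --- Bob's plan: private subnet on the VLAN, second public address on $WAN"
    echo "ip addr add $NEIGH_GW/24 dev $NEIGH_IF"
    echo "ip addr add $NEIGH_IP/28 dev $WAN"
  fi

  echo "# --- NAT: the office masquerade must match only the office source; a bare"
  echo "#     'oifname $WAN masquerade' would rewrite $NEIGH_IP to $OUR_IP as well"
  echo "nft add table ip nat"
  echo "nft add chain ip nat postrouting '{ type nat hook postrouting priority 100 ; }'"
  echo "nft add rule ip nat postrouting ip saddr $OFFICE_NET oifname $WAN snat to $OUR_IP"
  if [ "$scheme" = nat ]; then
    echo "nft add rule ip nat postrouting ip saddr $NEIGH_LAN oifname $WAN snat to $NEIGH_IP"
  fi

  echo "# --- Isolation and anti-spoofing (priority -10: evaluated before existing filter chains)"
  echo "nft add table inet neighbour"
  echo "nft add chain inet neighbour fwd '{ type filter hook forward priority -10 ; policy accept ; }'"
  echo "nft add rule inet neighbour fwd iifname $NEIGH_IF meta nfproto ipv6 counter drop"
  echo "nft add rule inet neighbour fwd iifname $NEIGH_IF ip saddr != $neigh_src counter drop"
  echo "nft add rule inet neighbour fwd iifname $NEIGH_IF oifname $OFFICE_BR counter drop"
  echo "nft add rule inet neighbour fwd iifname $OFFICE_BR oifname $NEIGH_IF counter drop"
  echo "nft add rule inet neighbour fwd iifname $NEIGH_IF ip daddr '{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }' counter drop"
  # One example of the per-customer 'firewall service' Ed asked for: no inbound SMB/RPC to him.
  echo "nft add rule inet neighbour fwd oifname $NEIGH_IF tcp dport '{ 135, 139, 445 }' counter drop"
  # The firewall box itself is not a service for the neighbour: replies and ping only.
  echo "nft add chain inet neighbour in '{ type filter hook input priority -10 ; policy accept ; }'"
  echo "nft add rule inet neighbour in iifname $NEIGH_IF ct state established,related accept"
  echo "nft add rule inet neighbour in iifname $NEIGH_IF icmp type echo-request accept"
  echo "nft add rule inet neighbour in iifname $NEIGH_IF counter drop"

  echo "# --- QoS (assumed rates): shape what we send him, police what he sends us"
  echo "tc qdisc add dev $NEIGH_IF root tbf rate $DOWN_RATE burst 10kb latency 400ms"
  echo "tc qdisc add dev $NEIGH_IF handle ffff: ingress"
  echo "tc filter add dev $NEIGH_IF parent ffff: matchall action police rate $UP_RATE burst 100k drop"
}

case "$1" in
  --apply) gen_config "$2" | sh -e ;;   # e.g. ./neighbour.sh --apply nat (as root)
  *)       gen_config "$1" ;;           # dry run: print the commands for review
esac
```

Two caveats a practitioner would check before applying this. First, with proxy_arp=1 on the VLAN leg the firewall will also answer the neighbour's ARP for anything it routes elsewhere, including 192.168.1.x, so isolation comes from the forward rules and rp_filter, not from ARP; the two br0/VLAN drop rules are what keep the networks apart. Second, the untagged office frames still go into br0 because a VID-20 tagged frame is handed to eth0.20 before the bridge sees it; if the switch were to deliver the neighbour's frames untagged on that port, he would land on br0 with the office, so the switch-side VLAN assignment is part of the security boundary.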