Recently I bought an HP Procurve wireless access point, which can broadcast 8 different SSIDs and (obviously for security reasons) place their clients in 8 different VLANs. Since my current clients use certificates to authenticate themselves (to a RADIUS server), and I don't want to issue a new certificate every time a guest comes around, I got the idea to split my internal network into 2 VLANs. Here's how I did it.
So the first thing I needed was a managed switch. The company I work for had a whole truckload of unused Nortel Baystack switches (since all switches had been replaced by Ciscos), so I got one for free (a 450-24T). This was my configuration before:
My internal network was connected to an el-cheapo switch. I had only one network, to which everything was connected: 2 FreeBSD servers, one VMware ESX server running 4 virtual machines, my HP Procurve wireless access point (connecting one PC and 3 laptops), and another PC. I gave my internal network 192.168.13.0/24 addresses. For administrative reasons I wanted to keep my servers in that IP range, since renumbering them would have too much impact. M0n0wall is running on Soekris 4801 hardware, which has no moving parts at all and so runs very silently. The Soekris 4801 has three network interfaces, of which one is unused in this configuration. So this is the configuration I wanted to achieve:
In this setup I'm actually using my third interface to connect to the DMZ. I called this VLAN 20, since this subnet (192.168.20.0/24) is connected to the same switch all other VLANs are connected to. Why did I do this? Well, as mentioned above, one of my servers is a VMware ESX server, which supports 802.1q (VLAN) trunking over its interfaces. If configured correctly, you can assign (virtual) network interfaces to different VLANs. One of my virtual machines is going to be my webserver, which obviously will be in VLAN 20. I wanted an outer DMZ as well (VLAN 10, the part between my m0n0wall and the cable modem). I don't have any IP addresses left in that VLAN, but it will give me the opportunity to mirror a switch port and install an IDS on that port. That is still a future project, though. My internal network has been divided into two VLANs (30 and 40). As said before, I wanted to keep the IP addresses of my servers the same, so VLAN 30 will be 192.168.13.0/24 and VLAN 40 will be 192.168.14.0/24. The Nortel configuration is quite easy. You have to do two things: create the VLANs and assign ports to them:
The ports marked with 'T' are trunked (tagged) ports. Port 1 is m0n0wall, port 5 my WAP and port 7 my VMware ESX server. The other thing to do is to mark each port as either trunked or untrunked:
Configuring the VMware server and the Procurve WAP wasn't that hard, but the m0n0wall proved to be a challenge (for me, that is). With some very good help from the m0n0wall mailing list the solution turned out not to be that difficult. This is how my LAN interface has been configured:
I always like to give my default gateways address 1. The next thing to do is to create the VLANs. This is done in the 'Interfaces (assign)' menu on the left. Just add the VLANs you need (with the correct 802.1q tag) and give each a meaningful description. In my case the 'Parent Interface' is sis0, which is my LAN interface.
No rocket science here; pretty straightforward. The next picture shows where I went wrong:
Normally, the Network port of the LAN interface would have an entry like the one on the WAN interface (in my case: 'sis0 <some mac address>'). I left it that way and of course it didn't work: with the LAN on the untagged parent interface, the frames never carried a VLAN tag on the trunk. So the advice I got from the m0n0wall mailing list was to put the LAN interface on one of the VLANs, like I did in the screenshot. What needs to be done next is assigning an IP address to VLAN 40:
Don't forget to 'enable' the interface, and if you want that subnet to serve some useful purpose, add some firewall rules for it.
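To make the tagged/untagged distinction behind the whole setup concrete, here is an added example (my own illustration, not code from the post, m0n0wall or the Nortel switch) that builds and parses 802.1Q frames as they travel over the trunk ports, maps the tag to the VLAN plan above (20, 30, 40; the subnets are the ones from the post) and flags two things a defender wants to see on such a trunk: untagged frames, which is exactly the LAN-on-sis0 mistake, and a client whose IPv4 source address does not belong to the subnet of the VLAN it was tagged with. MAC addresses and IP addresses in the usage are constructed.

```python
import ipaddress
import struct

# VLAN plan from the post: 802.1Q tag -> subnet (constructed lookup table)
VLAN_SUBNETS = {
    20: ipaddress.ip_network("192.168.20.0/24"),  # DMZ (webserver VM)
    30: ipaddress.ip_network("192.168.13.0/24"),  # internal: servers
    40: ipaddress.ip_network("192.168.14.0/24"),  # internal: wireless clients
}
TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def tag_frame(dst, src, vid, ethertype, payload, pcp=0):
    """Insert an 802.1Q header (TPID 0x8100 + TCI) after the two MAC addresses,
    which is what a trunk ('T') port does when it forwards a VLAN's frame."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return (vid, ethertype, payload); vid is None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner, frame[18:]


def check_frame(frame):
    """Classify a frame seen on the trunk: which VLAN it belongs to and whether
    its IPv4 source address actually lies in that VLAN's subnet."""
    vid, ethertype, payload = parse_frame(frame)
    if vid is None:
        return "untagged"            # no VLAN membership: the mistake from the post
    subnet = VLAN_SUBNETS.get(vid)
    if subnet is None:
        return "unknown-vlan"
    if ethertype != ETHERTYPE_IPV4 or len(payload) < 20:
        return "non-ip"
    src_ip = ipaddress.ip_address(payload[12:16])   # IPv4 source at offset 12
    return "ok" if src_ip in subnet else "ip-vlan-mismatch"


def ipv4_stub(src, dst):
    """Minimal 20-byte IPv4 header (constructed; checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
```

Run `check_frame()` over frames captured on a mirror of the trunk port and anything other than "ok" is worth a look: "untagged" means a device is talking on the native VLAN, "ip-vlan-mismatch" means a client in VLAN 40 is using an address from the server VLAN.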