Hi. I'm jon.404, a Unix/Linux/Database/Openstack/Kubernetes Administrator, AWS/GCP/Azure Engineer, mathematics enthusiast, and amateur philosopher. This is where I rant about that which upsets me, laugh about that which amuses me, and jabber about that which holds my interest most: *nix.
/30 ftw!
Posted 06-16-2013 at 08:31 PM by rocket357
So, one of my big fears on my home network is a virus outbreak. Granted, my wife is an incredibly paranoid web surfer, and in the 12 years we've been together there has been just one virus issue (and that was after our niece used her computer to surf some "ooh, I'm a vampire...I sparkle!" type of social sites). Sigh.
So, why the rekindled fear? My daughter is old enough to start using the internet, and she hasn't had time to build up the same paranoia that her mother has.
Subnetting to the rescue!
On my 2948G, I've configured 2 separate /30's...we'll call them vlan4 and vlan5. (This particular switch is running an ancient version of CatOS, so adjust as required for more modern Cisco machines...)
set vlan 4 name jody_windows
set vlan 5 name jayda_windows
set vlan 4 2/3
set vlan 5 2/4
show vlan (verify everything took)
Now to set up the firewall/DHCP server. First, the two /30 subnets in dhcpd.conf, each with a single fixed address for its one machine:
Code:
# One /30 per machine: the firewall's vlan address is the router and DNS server,
# and the only other usable address is pinned to that machine's MAC.
subnet 192.168.4.0 netmask 255.255.255.252 {
    option routers 192.168.4.1;
    option domain-name-servers 192.168.4.1;
    group {
        next-server 192.168.1.4;
        filename "pxelinux.0";
        host jody-desktop {
            hardware ethernet uu:vv:ww:xx:yy:zz;
            fixed-address 192.168.4.2;
        }
    }
}

subnet 192.168.4.4 netmask 255.255.255.252 {
    option routers 192.168.4.5;
    option domain-name-servers 192.168.4.5;
    group {
        next-server 192.168.1.4;
        filename "pxelinux.0";
        host jayda-desktop {
            hardware ethernet aa:bb:cc:dd:ee:ff;
            fixed-address 192.168.4.6;
        }
    }
}
Pop in a few new addresses on vlan interfaces on the firewall:
echo "inet 192.168.4.1 255.255.255.252 NONE vlan 4 vlandev fxp0" > /etc/hostname.vlan4
echo "inet 192.168.4.5 255.255.255.252 NONE vlan 5 vlandev fxp0" > /etc/hostname.vlan5
sh /etc/netstart
/etc/rc.d/dhcpd restart
On the windows machines:
ipconfig /release (just in case)
ipconfig /renew
Verify addresses and see the following:
Code:
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : j3z.local
   IPv4 Address. . . . . . . . . . . : 192.168.4.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Default Gateway . . . . . . . . . : 192.168.4.5
But wait...I can't ping 8.8.8.8 from the Windows machines!
Blarg...need to add new rules to pf.conf to allow traffic from the new vlans...
Code:
jody_if = vlan4
jayda_if = vlan5
jody  = "{ 192.168.4.0/30 }"
jayda = "{ 192.168.4.4/30 }"
# $lan and $ext_if are assumed to be defined earlier in pf.conf (not shown here)

# default allows...(i.e. the pxeboot server...)
# these come first so the pxeboot exception wins over the $lan block below
pass quick on $jody_if from any to 192.168.1.4
pass quick on $jayda_if from any to 192.168.1.4

# inter-vlan blockage!
block drop quick on $jody_if from any to $lan
block drop quick on $jayda_if from any to $lan
block drop quick on $jody_if from any to $jayda
block drop quick on $jayda_if from any to $jody

# pass traffic that isn't inter-vlan?
pass quick on $jody_if proto { tcp, udp } from any to any set prio 7
pass quick on $jayda_if proto { tcp, udp } from any to any set prio 5

# nat stuff
pass out on $ext_if from $jody to any nat-to ($ext_if)
pass out on $ext_if from $jayda to any nat-to ($ext_if)
On Jody-desktop:
ping 8.8.8.8 # works
ping 192.168.1.1 # doesn't work
ping 192.168.4.6 # doesn't work
On Jayda-desktop:
ping 8.8.8.8 # works
ping 192.168.1.1 # doesn't work
ping 192.168.4.2 # doesn't work
Yay! No windows-windows communication on my home network! Woot!
Now I just need to add listen directives for vlan4 and vlan5 to unbound.conf, and I'm all set =)
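To see why each of the pings above comes out the way it does, here is an added example (my code, not pf and not part of the original post) that does the /30 arithmetic and replays the vlan-side rules from the pf.conf snippet with pf's first-match-on-quick semantics. Everything in it comes from the post except two assumptions: $lan is taken to be 192.168.1.0/24 (the snippet uses the macro without defining it), and the NAT rules are left out because they sit on $ext_if and never see a packet arriving on vlan4 or vlan5.

```python
"""First-match model of the post's pf ruleset plus the /30 arithmetic behind it.

Added example: this is not pf and not code from the post. It replays the
rules from the pf.conf snippet above against the flows the post tests
with ping, so you can see which rule produces each result.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

JODY_IF, JAYDA_IF = "vlan4", "vlan5"
JODY = ipaddress.ip_network("192.168.4.0/30")
JAYDA = ipaddress.ip_network("192.168.4.4/30")
# $lan is used but not defined in the snippet on the page; 192.168.1.0/24 is an
# assumption based on the 192.168.1.x addresses the post pings and PXE-boots from.
LAN = ipaddress.ip_network("192.168.1.0/24")
PXE_SERVER = ipaddress.ip_address("192.168.1.4")


def subnet_facts(net: ipaddress.IPv4Network) -> dict:
    """Network, gateway, the single remaining client address, and broadcast of a /30."""
    hosts = list(net.hosts())            # a /30 has exactly two usable addresses
    return {
        "network": str(net.network_address),
        "gateway": str(hosts[0]),        # the firewall's vlan interface (.1 / .5)
        "client": str(hosts[-1]),        # the only address left for a Windows box
        "broadcast": str(net.broadcast_address),
        "usable": len(hosts),
    }


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    iface: str                           # vlan the packet arrives on
    dst: object = None                   # IPv4Network, IPv4Address, or None for "any"
    protos: Optional[Tuple[str, ...]] = None  # None means any protocol
    quick: bool = True                   # pf "quick": stop at this rule if it matches

    def matches(self, iface: str, dst: ipaddress.IPv4Address, proto: str) -> bool:
        if iface != self.iface:
            return False
        if self.protos is not None and proto not in self.protos:
            return False
        if self.dst is None:
            return True
        if isinstance(self.dst, ipaddress.IPv4Network):
            return dst in self.dst
        return dst == self.dst


# The vlan-side rules from the post, in file order (NAT rules live on $ext_if and
# never see a packet on vlan4/vlan5, so they are left out of the model).
RULES = [
    Rule("pass", JODY_IF, PXE_SERVER),                 # pxeboot server exception
    Rule("pass", JAYDA_IF, PXE_SERVER),
    Rule("block", JODY_IF, LAN),                       # inter-vlan blockage
    Rule("block", JAYDA_IF, LAN),
    Rule("block", JODY_IF, JAYDA),
    Rule("block", JAYDA_IF, JODY),
    Rule("pass", JODY_IF, None, ("tcp", "udp")),       # everything else, tcp/udp only
    Rule("pass", JAYDA_IF, None, ("tcp", "udp")),
]


def evaluate(iface: str, dst: str, proto: str = "icmp") -> str:
    """Return 'pass' or 'block' for a packet entering on iface, bound for dst."""
    dst_addr = ipaddress.ip_address(dst)
    last_match = None
    for rule in RULES:
        if rule.matches(iface, dst_addr, proto):
            if rule.quick:
                return rule.action
            last_match = rule.action     # without quick, the last matching rule wins
    # pf's implicit default when no rule matches is to pass the packet.
    return last_match or "pass"


if __name__ == "__main__":
    for net in (JODY, JAYDA):
        print(net, subnet_facts(net))
    for iface, dst, proto in [
        (JODY_IF, "8.8.8.8", "icmp"),        # post: works
        (JODY_IF, "192.168.1.1", "icmp"),    # post: doesn't work
        (JODY_IF, "192.168.4.6", "icmp"),    # post: doesn't work
        (JAYDA_IF, "192.168.4.2", "icmp"),   # post: doesn't work
        (JODY_IF, "192.168.1.4", "tcp"),     # PXE server: allowed before the $lan block
        (JODY_IF, "192.168.4.1", "udp"),     # DNS to unbound on jody's own gateway
    ]:
        print(f"{iface} -> {dst}/{proto}: {evaluate(iface, dst, proto)}")
```

Two things the model makes visible: the ping to 8.8.8.8 matches none of the vlan-side rules (ICMP is neither tcp nor udp), so it only succeeds because pf passes unmatched packets by default; a ruleset that opens with block all would need an explicit pass for ICMP from the vlans. And DNS to each machine's own gateway address is never blocked, which is why the remaining step is just the unbound listen directives.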
Comments (1)
Sitting in ICND1 class today and the instructor brings up subnetting and how easy it is (I'm typing this because umm, I finished all the subnetting exercises and I'm waiting for the others to finish).
Yup, I'd have to agree with him on that assessment.
Posted 07-15-2013 at 03:06 PM by rocket357