Hi. I'm a Unix Administrator, mathematics enthusiast, and amateur philosopher. This is where I rant about that which upsets me, laugh about that which amuses me, and jabber about that which holds my interest most: Unix.
/30 ftw!

Posted 06-16-2013 at 09:31 PM by rocket357

So, one of my big fears on my home network is a virus outbreak. Granted, my wife is an incredibly paranoid web surfer, and in the 12 years we've been together there has been just one virus issue (and that was after our niece used her computer to surf some "ooh, I'm a vampire...I sparkle!" type of social sites). Sigh.

So, why the rekindled fear? My daughter is old enough to start using the internet, and she hasn't had time to build up the same paranoia that her mother has.

Subnetting to the rescue!

On my 2948G, I've configured 2 separate /30's...we'll call them vlan4 and vlan5. (This particular switch is running an ancient version of CatOS, so adjust as required for more modern Cisco machines...)

set vlan 4 name jody_windows
set vlan 5 name jayda_windows
set vlan 4 2/3
set vlan 5 2/4

show vlan (verify everything took)

Now to set up dhcpd on the firewall...

Code:
subnet 192.168.4.0 netmask 255.255.255.252 {
    option routers 192.168.4.1;
    option domain-name-servers 192.168.4.1;

    group {
        next-server 192.168.1.4;
        filename "pxelinux.0";
        host jody-desktop {
            hardware ethernet uu:vv:ww:xx:yy:zz;
            fixed-address 192.168.4.2;
        }
    }
}

subnet 192.168.4.4 netmask 255.255.255.252 {
    option routers 192.168.4.5;
    option domain-name-servers 192.168.4.5;

    group {
        next-server 192.168.1.4;
        filename "pxelinux.0";
        host jayda-desktop {
            hardware ethernet aa:bb:cc:dd:ee:ff;
            fixed-address 192.168.4.6;
        }
    }
}
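
As an added sanity check (example code, not from the post), this Python script parses a dhcpd.conf excerpt like the one above and verifies each /30: the router and every fixed-address must be one of the two usable hosts (not the network or broadcast address), and the /30s must not overlap each other or the main LAN. The LAN is assumed to be 192.168.1.0/24, since the post only shows hosts inside it.

```python
import ipaddress
import re

# Constructed dhcpd.conf excerpt reproducing the two /30s from the post (sample input only).
DHCPD_CONF = """
subnet 192.168.4.0 netmask 255.255.255.252 {
    option routers 192.168.4.1;
    host jody-desktop { fixed-address 192.168.4.2; }
}
subnet 192.168.4.4 netmask 255.255.255.252 {
    option routers 192.168.4.5;
    host jayda-desktop { fixed-address 192.168.4.6; }
}
"""
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed $lan; the post only shows .1 and .4 in it

# A subnet block runs from "subnet ... {" to the first "}" at the start of a line.
SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)^\}", re.S | re.M)

def parse_subnets(conf):
    """Return [(network, router, [fixed addresses])] for each subnet block in conf."""
    found = []
    for addr, mask, body in SUBNET_RE.findall(conf):
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=True)
        router = re.search(r"option routers\s+(\S+);", body)
        fixed = [ipaddress.ip_address(f) for f in re.findall(r"fixed-address\s+(\S+);", body)]
        found.append((net, ipaddress.ip_address(router.group(1)) if router else None, fixed))
    return found

def check_plan(subnets, lan):
    """Return a list of problems; an empty list means the /30 plan is internally consistent."""
    problems = []
    for i, (net, router, fixed) in enumerate(subnets):
        usable = set(net.hosts())  # a /30 leaves exactly two usable addresses
        if router not in usable:
            problems.append(f"{net}: router {router} is not a usable host address")
        for f in fixed:
            if f not in usable:
                problems.append(f"{net}: fixed-address {f} is not a usable host address")
            elif f == router:
                problems.append(f"{net}: fixed-address {f} collides with the router")
        if net.overlaps(lan):
            problems.append(f"{net} overlaps the main LAN {lan}")
        for other, _, _ in subnets[i + 1:]:
            if net.overlaps(other):
                problems.append(f"{net} overlaps {other}")
    return problems

if __name__ == "__main__":
    print(check_plan(parse_subnets(DHCPD_CONF), LAN) or "plan OK: disjoint /30s, valid router and host addresses")
```
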
Pop in a few new addresses on vlan interfaces on the firewall:

echo "inet 192.168.4.1 255.255.255.252 NONE vlan 4 vlandev fxp0" > /etc/hostname.vlan4
echo "inet 192.168.4.5 255.255.255.252 NONE vlan 5 vlandev fxp0" > /etc/hostname.vlan5

sh /etc/netstart

/etc/rc.d/dhcpd restart

On the Windows machines:

ipconfig /release (just in case)
ipconfig /renew

Verify addresses and see the following:

Code:
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix . : j3z.local
   IPv4 Address . . . . . . . . . . : 192.168.4.6
   Subnet Mask  . . . . . . . . . . : 255.255.255.252
   Default Gateway. . . . . . . . . : 192.168.4.5
Saweet...

But wait...I can't ping 8.8.8.8 from the Windows machines!

Blarg...need to add new rules to pf.conf to allow traffic from the new vlans...

Code:
# $lan and $ext_if are defined elsewhere in pf.conf (main LAN and external interface)
jody_if=vlan4
jayda_if=vlan5
jody = "{ 192.168.4.0/30 }"
jayda = "{ 192.168.4.4/30 }"

# default allows...(i.e. the pxeboot server...)
pass quick on $jody_if from any to 192.168.1.4
pass quick on $jayda_if from any to 192.168.1.4

# inter-vlan blockage!
block drop quick on $jody_if from any to $lan
block drop quick on $jayda_if from any to $lan
block drop quick on $jody_if from any to $jayda
block drop quick on $jayda_if from any to $jody

# pass traffic that isn't inter-vlan?
pass quick on $jody_if proto {tcp,udp} from any to any set prio 7
pass quick on $jayda_if proto {tcp,udp} from any to any set prio 5

# nat stuff
pass out on $ext_if from $jody to any nat-to ($ext_if)
pass out on $ext_if from $jayda to any nat-to ($ext_if)
Now just to test a few things...

On Jody-desktop:

ping 8.8.8.8 # works
ping 192.168.1.1 # doesn't work
ping 192.168.4.6 # doesn't work

On Jayda-desktop:

ping 8.8.8.8 # works
ping 192.168.1.1 # doesn't work
ping 192.168.4.2 # doesn't work

Yay! No Windows-to-Windows communication on my home network! Woot!

Now I just need to add listen directives for vlan4 and vlan5 to unbound.conf, and I'm all set =)
Comments

Sitting in ICND1 class today and the instructor brings up subnetting and how easy it is (I'm typing this because umm, I finished all the subnetting exercises and I'm waiting for the others to finish).

Yup, I'd have to agree with him on that assessment.

Posted 07-15-2013 at 04:06 PM by rocket357