From owner-freebsd-questions@FreeBSD.ORG Tue Jul 6 04:35:11 2010
From: David Kelly <dkelly@hiwaay.net>
To: Steve Bertrand
Cc: freebsd-questions@FreeBSD.org
Date: Mon, 5 Jul 2010 23:35:09 -0500
Subject: Re: VLANs is this right?
Message-Id: <0726A68C-724F-435B-A2C5-2BDA9BEAE6E0@hiwaay.net>
In-Reply-To: <4C3263B7.9020705@ipv6canada.com>
References: <20100705165746.GB10990@Grumpy.DynDNS.org> <4C3263B7.9020705@ipv6canada.com>

On Jul 5, 2010, at 5:59 PM, Steve Bertrand wrote:

> On 2010.07.05 12:57, David Kelly wrote:
>> On Mon, Jul 05, 2010 at 10:16:19AM -0600, Modulok wrote:
>>>
>>> Criteria:
>>> - HostA must never directly talk to HostB.
>>> - Both hostA and hostB have an Internet connection.
>>>
>>> What I have to work with:
>>> proCurve switch which supports VLANs.
>>> 2x Intel NICs in FreeBSD which support VLANs.
>>
>> Am thinking you are approaching it the wrong way.
>
> I wasn't going to, but I'd like to respond to your post. In no way am I
> attempting to knock the fact that you tried to help, I'd just like to
> clarify a few things...
>
> My personal belief is that the OP is approaching this in the best
> possible way.
>
>> Not familiar with the specifics of a ProCurve switch but that's a high
>> end unit, not a Netgear. I would expect you could configure the switch
>> to disallow the MAC addresses from talking to each other of hostA and
>> hostB.
>
> I would expect a residential-grade NetGear be configured in such a way,
> not a higher-end switch.

Generally a residential SOHO Netgear switch is unmanaged and not
configurable. Sometimes this grade of gear gets so confused when one moves
a host from one port to another that it must be power cycled to clear the
error from its MAC tables.

>> Furthermore, it would be even easier to disallow hostB from within
>> hostA's firewall. And do the same at hostB.
>
> Easier if you have 2-10 machines, that are not laptops, and never get
> replaced.
>
> Your expectations are not scalable, nor do they provide a network-wide
> solution. If the OP's network grows to 200 vlans with 15k hosts,
> maintaining such a setup is nowhere near feasible. This is why the
> 'higher-end' gear allows such functions.

I didn't hear "scalable" in the specification, only hostA, hostB, one
ProCurve, and one FreeBSD gateway/router connected to the internet.

> By putting users (i.e. client systems, or even business functional units)
> into vlans, security policies can be enacted in one fell swoop (one ACL,
> aka firewall rule) within the device they access the other portions of
> the network.

As long as the switch (which you have control over) encapsulates a specific
port to a VLAN then you are correct in that VLAN is the best way. But if one
must configure the untrusted host to only speak VLAN then one doesn't have
the desired security.

-- 
David Kelly N4HHE, dkelly@HiWAAY.net
========================================================================
Whom computers would destroy, they must first drive mad.
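Added example, not from this thread or either poster: the split both of them end up describing, with the ProCurve fixing VLAN membership per port and the FreeBSD gateway as the only path between the two VLANs, written out for the FreeBSD side. The interface names em0/em1, VLAN IDs 10 and 20, and the addresses are assumptions.

```shell
#!/bin/sh
# Assumes: em0 is the gateway NIC on a tagged ProCurve port carrying VLANs
# 10 and 20, em1 faces the Internet, hostA is on an untagged port in VLAN 10
# and hostB on one in VLAN 20. Addresses are constructed documentation ranges.
TRUNK_IF="em0"
EXT_IF="em1"
VLAN_A_ID=10; VLAN_A_NET="192.0.2.0/24";    VLAN_A_GW="192.0.2.1/24"
VLAN_B_ID=20; VLAN_B_NET="198.51.100.0/24"; VLAN_B_GW="198.51.100.1/24"
# One 802.1Q child interface per VLAN on the trunk. The hosts never see a tag:
# the switch adds and strips it on their ports, so membership is decided by
# the switch, not by the untrusted host.
setup_vlans() {
    ifconfig "$TRUNK_IF" up
    ifconfig "vlan$VLAN_A_ID" create vlan "$VLAN_A_ID" vlandev "$TRUNK_IF"
    ifconfig "vlan$VLAN_A_ID" inet "$VLAN_A_GW" up
    ifconfig "vlan$VLAN_B_ID" create vlan "$VLAN_B_ID" vlandev "$TRUNK_IF"
    ifconfig "vlan$VLAN_B_ID" inet "$VLAN_B_GW" up
    sysctl net.inet.ip.forwarding=1
}
# pf ruleset for the gateway: each VLAN reaches the Internet through NAT, but
# forwarding between the VLANs is refused. Two rules cover every host in both.
pf_rules() {
    cat <<EOF
ext_if = "$EXT_IF"
vlan_a = "vlan$VLAN_A_ID"
vlan_b = "vlan$VLAN_B_ID"
set skip on lo0
nat on \$ext_if from { $VLAN_A_NET, $VLAN_B_NET } to any -> (\$ext_if)
block log all
# without these two lines the "pass in ... to any" rules below would
# happily route hostA to hostB
block in quick on \$vlan_a from $VLAN_A_NET to $VLAN_B_NET
block in quick on \$vlan_b from $VLAN_B_NET to $VLAN_A_NET
pass in on \$vlan_a inet from $VLAN_A_NET to any keep state
pass in on \$vlan_b inet from $VLAN_B_NET to any keep state
pass out on \$ext_if inet keep state
EOF
}
# Number of inter-VLAN block rules in the generated ruleset (expect 2).
count_isolation_rules() {
    pf_rules | grep -c "^block in quick on"
}
# Apply only when explicitly asked on FreeBSD; otherwise just print the rules.
if [ "$(uname -s)" = "FreeBSD" ] && [ "${1:-}" = "apply" ]; then
    setup_vlans
    pf_rules > /etc/pf.conf.vlans && pfctl -f /etc/pf.conf.vlans
else
    pf_rules
fi
```

Run it without arguments to review the ruleset; `sh script.sh apply` as root on the gateway creates the VLAN interfaces and loads it.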