On Sunday, Mar 30, 2003, at 15:04 US/Pacific, s c o t t wrote:

System: OpenBSD 3.2 +latest security patches applied. Dual Linksys TX100
NICs. One connected to DSL modem, one connected to LAN. PF configured to
NAT my internal network.


My nextdoor neighbor gave me a Cisco 350 wireless access point so he
could hijack some of my bandwidth. I agreed but want to maintain control.


Here are my questions:
1) Initially I have thought about setting up a vlan on my internal Nic
for the network I will assign to the wireless segment. Is this preferred
over assigning an alias with ifconfig?

Considering the gear, I would personally go with a VLAN. It makes for a clean separation of networks on the same physical interface, which is what you're after.

2) To restrict things a bit I was going to cfg the WAP to grab an IP from
DHCP and I was going to configure DHCP for this segment to be limited to
two addresses (with something equivalent to a 255.255.255.254 subnet
mask).

255.255.255.252 to allow for IP network and broadcast space.


3) I would like to augment my pf ruleset to block traffic from the
wireless segment to the wired (and maybe vice versa). It seems, at least
conceptually, that this will be easier to do if I go the VLAN route vs.
adding an alias but again I really don't know. Any thoughts?

I agree.


4) I assume with either case I will need to extend my NAT rule to NAT
this new traffic from the VLAN (or alias)?

Yes.


5) Lastly it seems like the pf man page and HOWTO use the notation /N
following an IP address to indicate which octets matter (i.e.
192.168.1.0/24 means the last three octets). Is this correct?

That is known as CIDR notation. The N refers to the number of significant bits for the mask. See this page for a decent explanation, just ignore the IRC-specific stuff: http://ircd-hybrid.org/docs/CIDR.txt

So, if hypothetically I defined some things in my pf.conf:
EXT="ep1"
INT="ep0"
LAN="192.168.1.0/24"
VLAN="192.168.2.0/24"

Could I stipulate that my VLAN network address was 192.168.2.10 with a
netmask of 255.255.255.254 and would the similar notation,
VLAN="192.168.2.10/24"

still be valid (for the two hosts 192.168.2.10 and .11)?

Not quite. As I mentioned above, that space needs to be expanded to 4 addresses to allow for IP broadcast. For the netmask to work, it will need to be on an address boundary divisible by 4. So, something like 192.168.2.8/30, making .9 and .10 your usable addresses.
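A worked /etc/pf.conf for the setup discussed in this thread, added here as an example; it is not code from either poster. It keeps the macro names from the question and the 192.168.2.8/30 from the reply. The VLAN interface name vlan0, the 802.1Q tag 2, and the router's own address 192.168.2.9 (leaving .10 for the access point side) are assumptions. The syntax is the OpenBSD 3.2 flavour described above: nat and filter rules in one file, no tables, last matching rule wins unless a rule says quick.

```conf
# /etc/pf.conf (added example, OpenBSD 3.2 syntax; names below are assumptions)
#
# Bring the VLAN up on the internal NIC first, by hand or from /etc/hostname.vlan0:
#   ifconfig vlan0 vlan 2 vlandev ep0
#   ifconfig vlan0 inet 192.168.2.9 netmask 255.255.255.252
# .8 is the network, .9 the router, .10 the one usable address left, .11 broadcast.

EXT="ep1"
INT="ep0"
WIFI="vlan0"
LAN="192.168.1.0/24"
VLAN="192.168.2.8/30"

scrub in all

# Question 4: one NAT rule per internal network, out the DSL interface.
# Parentheses make pf track the DSL address if it changes.
nat on $EXT from $LAN to any -> ($EXT)
nat on $EXT from $VLAN to any -> ($EXT)

# Default deny inbound; let the router itself and NATed traffic out.
block in all
pass out all keep state

# Wired LAN is unrestricted.
pass in on $INT from $LAN to any keep state

# Question 3: wireless must never reach the wired LAN. "quick" stops rule
# evaluation here so the broader pass rule below cannot override it.
block in quick on $WIFI from $VLAN to $LAN
# DHCP requests arrive from 0.0.0.0, so they need their own pass rule.
pass in on $WIFI proto udp from any port 68 to any port 67
pass in on $WIFI from $VLAN to any keep state

# Optional "vice versa": keep the wired LAN out of the wireless segment.
block in quick on $INT from $LAN to $VLAN
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and inspect what was loaded with `pfctl -sr` and `pfctl -sn`. Three things worth knowing before relying on this: a VLAN on ep0 puts 802.1Q-tagged frames on the wire, so whatever sits on the other end of that cable (a managed switch trunk port or a tag-aware access point) has to understand the tags; the block rule only covers $LAN, so wireless hosts can still talk to services on the router's own addresses unless you add a rule for those; and an access point bridges its wireless clients onto the same segment, so a /30 leaves exactly one address beyond the AP itself, which is what the question asked for but is worth stating. The matching dhcpd.conf subnet declaration would be 192.168.2.8 netmask 255.255.255.252 with range 192.168.2.10 192.168.2.10 and option routers 192.168.2.9.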


