VLAN woes (by alaric)
At our house, we have three LANs; the external one, which is connected to the ADSL router and has a range of six public IPs; the internal one, which is joined to the external one via a NAT router (so using a single public IP) and contains my workstations and the fileserver; and the guest one, which is bridged to wireless Ethernet - and also joined to the external network via the NAT router.
Now, since I've not cabled the place yet, the physical layout of the network is dictated by the lengths of the cables I have. The ADSL router is at one end of the building, near the phone sockets, while the workstations are right at the very other end of the building. Therefore, the NAT router is in the airing cupboard, roughly in the middle of the building; my longest cables reach from the ADSL router to the NAT router, and from the NAT router to a switch in the office from which the workstations and server connect; and the wireless bridge sits in the airing cupboard along with the NAT router.
Even when I have structured cabling in place, I don't want to be having to cable three separate LANs around the house anyway; the natural solution is to use VLANs. That way, you can have switches joined by single-cable trunks, and those trunks carry all of the LANs in one; at each switch, you can either configure a port to connect to a specified VLAN, or configure the port to use IEEE 802.1Q tagging to connect a machine that understands it, in which case that machine can join whichever VLANs it is allowed using the single cable. This saves on the cabling a great deal.
By Ben, Tue 16th Jan 2007 @ 8:30 am
Is OpenBSD's pf in the mix? If so, you might want a line like
scrub out on $if max-mss 1440
or something.