wireless subnet

Denis Vlasenko vda
Sat Apr 24 11:06:12 PDT 2004


On Saturday 24 April 2004 18:45, Computer Abet & Trade wrote:
> Tnx Denis,
>
> ok, I'll try better now
>
> client's                                                    gateway
> mode:managed                    wlan0                  mode:managed
> 192.168.2.3 <-------(192.168.2.2 AP 192.168.1.2)<------ 192.168.1.1
> 192.168.2.4                 ^   eth0       |
> 192.168.2.5                 |              |
>       ...                   |              |
>
>                192.168.2.1  +-{ shaper, }<-+ 192.168.1.3
>                                 proxy,
>                                 dns, ...
>
> so, client has gateway 192.168.2.1, and PC (shaper, dns, proxy) has gateway
> 192.168.1.1 connection between eth0 of AP and Shaper is ONE UTP cable
> through switch
>
>                  AP
>
>
> 192.168.2.1 -[switch]- 192.168.1.3
>
> BENEFIT of this:
> - our AP is holding main-link and user's access
> - one AP less (from antenna to nic, utp cable...)
>
> SECURITY problem:
> - user can access to main-link-gateway
> - link and users are using same SSID

Give _each_ client and gateway its own subnet
(these subnets can be as small as 4-ip addr).
Set up routing so that packets are properly routed
between these tiny subnets.

Disallow AP bridging by
	iwpriv $if bridge_packets 0
Your AP will no longer bridge packets between clients
and between any client and gateway.

Now, clients can't reach gateway via AP bridge, but
routing will still allow them to do the trick.
Add some appropriate iptables rules to disallow
that.

See my previous picture of how it would look.

> I'm working on that right now, but need some help in theory...
> ... practical news about this in next 48h, ...
>
> thanks to everyone,
> Nesa
--
vda
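The three steps above (tiny per-client subnets, bridge_packets 0, iptables rules) put together in one script for the AP host, as an added example that is not from the thread. It assumes the AP itself routes between per-client /30s; wlan0, eth0, the 10.10.0.x subnets and DRY_RUN are assumptions, while the shaper and main-link addresses come from the diagram in the quoted message.

```shell
#!/bin/sh
# Added example, not code from the thread: runs on the AP box, which becomes
# the router between the per-client subnets and the wired side.
# DRY_RUN=1 (the default) prints the commands instead of executing them.
DRY_RUN="${DRY_RUN:-1}"
WIFI_IF="wlan0"            # AP interface serving the clients (assumed)
ETH_IF="eth0"              # wired side toward the shaper/proxy box (assumed)
SHAPER="192.168.2.1"       # shaper/proxy/dns box, client side (from the diagram)
MAINLINK_GW="192.168.1.1"  # main-link gateway clients must not reach (from the diagram)

# Constructed sample: one /30 per client, "<AP-side addr> <client addr>".
# Each client uses the AP-side address of its /30 as default gateway.
CLIENT_SUBNETS="
10.10.0.1 10.10.0.2
10.10.0.5 10.10.0.6
10.10.0.9 10.10.0.10
"

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

setup_ap() {
  # 1. Stop the hostap driver from relaying frames between associated
  #    stations (client<->client and client<->main-link gateway).
  run iwpriv "$WIFI_IF" bridge_packets 0

  # 2. Routing still forwards between the tiny subnets, so restrict it:
  #    default-deny, keep replies, log attempts to reach the main link.
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$WIFI_IF" -d "$MAINLINK_GW" -j LOG --log-prefix "wlan2mainlink:"

  echo "$CLIENT_SUBNETS" | while read ap_addr cl_addr; do
    [ -n "$ap_addr" ] || continue
    # 3. The AP owns the gateway address of each client's /30.
    run ip addr add "$ap_addr/30" dev "$WIFI_IF"
    # A client may talk to the shaper box only; anything else it sends
    # (other clients' /30s, the main-link gateway) hits the DROP rule.
    run iptables -A FORWARD -i "$WIFI_IF" -s "$cl_addr" \
        -o "$ETH_IF" -d "$SHAPER" -j ACCEPT
    run iptables -A FORWARD -i "$WIFI_IF" -s "$cl_addr" -j DROP
  done
}

setup_ap
```

Run it as root with DRY_RUN=0 to apply; on each client, the default gateway becomes the AP-side address of that client's /30 instead of the shared 192.168.2.1.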