You're right, MAC@ is easily spoofable. I've found this and it looks to be what I want: http://software.newsforge.com/print.pl?sid=05/11/21/175249

It combines L3 isolation before authentication, L2 advantages (same LAN) after authentication (L2 OpenVPN tunnel + bridge with wired LAN), and a good level of security: authentication through authpf and strong ciphering through OpenVPN.

Hope it helps,

Best regards,

Bruno.

On 1/15/06, Jonathan Gray <[EMAIL PROTECTED]> wrote:
> On Sun, Jan 15, 2006 at 12:10:13PM +0400, Bruno Carnazzi wrote:
> > Hi all,
> >
> > I use an OpenBSD/i386 3.8 as a gateway for routing my residential ADSL
> > access. I'm going to use a USB dongle (this is my last external port
> > available :( to provide some Wifi access for some laptops (mainly my
> > Powerbook). I'd like it to be secured enough. So, here's some questions
> > about this:
> >
> > * What's the best supported wifi chipset (USB-available) (ural vs wi vs atu ?)
> > * What's the best "linking" method: routing (AP) or bridging? I
> > think in AP mode, filtering could be easier (of course, a filtering
> > wifi bridge is also possible)? Is bridging more CPU-friendly (no nat)
> > ? (It's only a PII-233 that already shares a 2Mbps with an in-kernel
> > PPPoE on 2 PCMCIA cards -> lots of interrupts !)
>
> ural is the only one that works in hostap mode. You will need
> USB2 to get full speeds out of it which your PII won't have onboard.
>
> > * Wireless security: I'd like to use MAC@ filtering (it should be ok)
> > and a ciphering technology for privacy. I know OpenBSD doesn't yet
> > support WPA. What are some good alternatives (in L2 or L3)? WEP is not
> > a solution. Is it possible to use IPSec in transport mode to protect
> > this traffic or something else (OpenVPN ?)
>
> You need to specify what you want. Access control based on MAC addresses
> is stupid and can be easily worked around, if you just want
> access control that isn't retarded you should look at authpf.