Just think out loud here, Jaime, since you asked for "any other idea".
Usually, you can set up a LAN so that it will route all packets through the
firewall, even the ones that stay on the LAN ... -BUT- usually there is no
way to force the LAN's users to use the firewall as their exclusive route.
One way to do this is to have every host on a /32 network, with a
point-to-point route to the router's LAN-side IP address. You also need to
have your iptables ruleset constructed to pass (acceptable) packets that go
from one LAN address to another, but it sounds like you have that part under
control. This works (I've done it, though with ipchains, for limited
tests), but it is inefficient (every packet traverses the network twice,
and 4 Mb is pretty slow for a LAN already, if it offers anything much in
the way of on-LAN services) and does not provide the security you want.
The reason it does not provide the desired security is that there is no way
for a router to control packets that are not routed through it, and there is
(usually) no way to force LAN hosts to route local packets through the
router, since this decision is controlled by each host's routing table. If a
client ignores the instruction to use a /32 or /31 netmask and instead uses
/24 (or whatever would be appropriate to the IP address range in use), then
the packets will go directly to the destination and not pass through the
router.
At least the router itself cannot stop this sort of bypassing; I don't know
if the wireless bridge can (and from what you say, neither do you). And in
any case, if LAN traffic can be sniffed (this basically depends on whether
the LAN connects through a hub or a switch, and I expect your WAP acts like
a hub for this purpose), an intruder can still sniff it no matter how it is
routed.
The only way I can think of to do what you want (that is, protect the users
of a wireless LAN from one another) is to provide encrypted tunnels between
each LAN host and the router. Without a lot more information about the LAN
and its hosts, I don't know how practical this is.
BTW, if you want to use dedicated /31 address pairs for each host, ppp
style, then one way to do it is to assign private addresses locally, then
use static NAT to associate each client's private IP address with a
specific public address. The only downside of this (that I can think of) is
for certain P2P apps that need to know their public IP addresses (because
they report it in the application layer for some reason), and those apps
usually have workarounds for this sort of situation.
At 06:05 PM 11/10/02 +0100, Jaime Nebrera Herrera wrote:
Hi all,
We are planning to use LEAF Bering to provide shared Internet access to a
whole home area. The Internet access will be provided by a 4Mb radiofrequency
access to SKN. Internally, all the users will use wireless devices to access
a wireless bridge, then the firewall, then the Internet. All users will have a
public IP, all in the same IP range.
OK, this is quite easy to set up, and it's already done (with QoS too). The
problem comes when we want to do it in a more private way. I don't know yet
how the wireless access point behaves, as we have been contracted just for the
"firewall side", but if we can, we would like to protect users from each other
even if that device does it too. The main reason is we don't know yet if the
wireless device is capable of routing a packet from one user to the other user
or it has to go through the firewall.
In the second case it is quite easy, as we would just set up the corresponding
firewall rules to separate the different users. The problem comes if this
device has "more intelligence" and tries to send the packet by itself.
It is more or less the same situation cable providers have, but in wireless. We
have tried to assign a 255.255.255.255 netmask but it doesn't work (funny, with
ppp it does work).
Any ideas? Please remember to use as few IPs as possible as we have to
pay for them :( The first choice was to provide by DHCP pairs of IPs that with
the correct mask make a 2-computer network, but this uses a lot of IPs and
forces us to set up the firewall with a lot of virtual IPs on the internal
interface. Any other idea?
--
Ray Olszewski
Palo Alto, California, USA [EMAIL PROTECTED]
"Never tell me the odds!" -- Han Solo
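The /32-plus-point-to-point scheme Ray describes, and the static NAT variant he mentions at the end, worked through as an added example; this is not code from the thread and not LEAF Bering's own configuration. It models the client's routing decision (the part the router cannot control) and generates the matching iproute2/iptables commands for the Bering box. All addresses are constructed (TEST-NET-3 and a private 10.0.0.0 block), and the interface names `wlan0`, `eth0`, `eth1` and the clients being Linux hosts are assumptions.

```python
"""Added example, not from the leaf-user thread: model of the /32 +
point-to-point routing scheme and a generator for the router-side commands.
Addresses are constructed; interface names and Linux clients are assumed."""
import ipaddress

ROUTER_LAN_IP = "203.0.113.1"   # constructed: router's LAN-side address


def host_routes(host_ip, prefix_len, router_ip):
    """Routing table a client ends up with: its own on-link prefix, a
    point-to-point host route to the router, and a default route via it.
    Entries are (network, gateway); gateway None means deliver on-link."""
    return [
        (ipaddress.ip_network(f"{host_ip}/{prefix_len}", strict=False), None),
        (ipaddress.ip_network(f"{router_ip}/32"), None),
        (ipaddress.ip_network("0.0.0.0/0"), router_ip),
    ]


def next_hop(routes, dst_ip):
    """Longest-prefix match, as a host's IP stack does it. Returns 'direct'
    for on-link delivery, otherwise the gateway address as a string."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return "direct" if best[1] is None else str(best[1])


def host_commands(ifname, host_ip, router_ip):
    """iproute2 commands for one Linux client (interface name assumed)."""
    return [
        f"ip addr add {host_ip}/32 dev {ifname}",
        f"ip route add {router_ip}/32 dev {ifname}",          # point-to-point route to the router
        f"ip route add default via {router_ip} dev {ifname}",
    ]


def router_commands(lan_if, wan_if, nat_map):
    """Router-side commands. nat_map maps each client's private /32 address
    to the public address it is statically NATed to. Client-to-client traffic
    is hairpinned through the router and dropped; send_redirects=0 stops the
    kernel from sending ICMP redirects that would invite clients to bypass
    the router when it forwards a packet back out the interface it came in on."""
    cmds = [
        "sysctl -w net.ipv4.ip_forward=1",
        f"sysctl -w net.ipv4.conf.{lan_if}.send_redirects=0",
    ]
    for priv, pub in nat_map.items():
        cmds.append(f"ip route add {priv}/32 dev {lan_if}")   # one host route per client
        cmds.append(f"iptables -t nat -A PREROUTING -i {wan_if} -d {pub} -j DNAT --to-destination {priv}")
        cmds.append(f"iptables -t nat -A POSTROUTING -o {wan_if} -s {priv} -j SNAT --to-source {pub}")
    cmds += [
        f"iptables -A FORWARD -i {lan_if} -o {lan_if} -j DROP",    # isolate users from each other
        f"iptables -A FORWARD -i {lan_if} -o {wan_if} -j ACCEPT",
        f"iptables -A FORWARD -i {wan_if} -o {lan_if} -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A FORWARD -j DROP",
    ]
    return cmds


if __name__ == "__main__":
    # A client that honours the /32 mask hands peer traffic to the router ...
    print(next_hop(host_routes("203.0.113.10", 32, ROUTER_LAN_IP), "203.0.113.11"))
    # ... one that quietly uses /24 delivers it directly, bypassing the firewall.
    print(next_hop(host_routes("203.0.113.10", 24, ROUTER_LAN_IP), "203.0.113.11"))
    for line in host_commands("wlan0", "10.0.0.10", "10.0.0.1"):
        print(line)
    for line in router_commands("eth1", "eth0", {"10.0.0.10": "203.0.113.10"}):
        print(line)
```

The two `next_hop` calls are the whole argument in miniature: the router only ever sees the traffic of clients whose routing table sends it there, so the FORWARD rules isolate cooperating clients and nothing else. The generated commands are meant to be reviewed and adapted, not piped straight into a shell.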
---
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html