Re: WAP setup problems

2008-02-06 Thread Brian Richardson

Stefan Kell wrote:

> Some other questions: why a bridge and why not a simple router with pf? What is
> your bridge configuration?


vr0 is the internal interface. ral0 is the wireless interface.

brconfig bridge0 add ral0
brconfig bridge0 add vr0
brconfig bridge0 rulefile /etc/bridge0.rules

/etc/bridge0.rules:

pass in on ral0 src 11:de:ad:be:ef:11
pass out on vr0 dst 11:de:ad:be:ef:11
block in/out on ral0

As to why the bridge? I'm not aware of any other way to use MAC 
filtering to limit access to the external interface.


Regards,
Brian
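An added example, not part of the thread: a small model of how an OpenBSD bridge rulefile is applied to an Ethernet frame, so the rules quoted above can be checked offline before they are loaded. It assumes first-match evaluation with pass as the default when no rule matches (as bridge(4)/brconfig(8) describe), and uses a constructed gateway MAC; the frames tried include the reply leaving the bridge on ral0 towards the laptop.

```python
# Added example, not from the thread: a small model of how an OpenBSD bridge
# rulefile is applied to an Ethernet frame, so the rules quoted above can be
# checked offline. Assumes first-match semantics and pass as the default when
# nothing matches, as bridge(4)/brconfig(8) describe.

def parse_rulefile(text):
    """Parse 'pass|block in|out|in/out on IF [src MAC] [dst MAC]' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        action, direction, on, ifname, *rest = tok
        if action not in ("pass", "block") or on != "on":
            raise ValueError(f"bad rule: {line!r}")
        rule = {"action": action, "dirs": set(direction.split("/")),
                "if": ifname, "src": None, "dst": None}
        while rest:
            key, val, *rest = rest
            if key not in ("src", "dst"):
                raise ValueError(f"unknown keyword {key!r} in {line!r}")
            rule[key] = val.lower()
        rules.append(rule)
    return rules

def evaluate(rules, ifname, direction, src, dst):
    """Action applied to one frame: the first matching rule wins."""
    for r in rules:
        if r["if"] != ifname or direction not in r["dirs"]:
            continue
        if r["src"] and r["src"] != src.lower():
            continue
        if r["dst"] and r["dst"] != dst.lower():
            continue
        return r["action"]
    return "pass"   # no rule matched: the bridge forwards the frame

# The rulefile quoted in the message above.
RULES = parse_rulefile("""\
pass in on ral0 src 11:de:ad:be:ef:11
pass out on vr0 dst 11:de:ad:be:ef:11
block in/out on ral0
""")
LAPTOP, GW = "11:de:ad:be:ef:11", "00:00:5e:00:53:01"   # constructed MACs

if __name__ == "__main__":
    print(evaluate(RULES, "ral0", "in", LAPTOP, GW))    # laptop -> bridge
    print(evaluate(RULES, "ral0", "out", GW, LAPTOP))   # reply back to laptop
    print(evaluate(RULES, "ral0", "in", "22:de:ad:be:ef:22", GW))  # unknown MAC
```

Under these assumptions the reply frame leaving on ral0 reaches only the final catch-all block rule, which is worth comparing with the traffic flow the rules are meant to allow.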



Re: WAP setup problems

2008-02-06 Thread Brian Richardson

James Hartley wrote:

> PF can be used to filter on a bridge.  See Section 6.9 of the FAQ for
> an example.



I saw the tagging example. But I'm having trouble seeing how it can be 
applied simply to DHCP traffic. I want to limit the number of rules I 
use, so I use simple pass in/out with explicit block rules.


Regards,
Brian



Re: WAP setup problems

2008-02-05 Thread Brian Richardson

Stefan Kell wrote:

> Did you try using one shared-network with two different subnets? You can
> find an example within man dhcpd.conf.

Yes, I did, with the same effect.

Brian



WAP setup problems

2008-02-04 Thread Brian Richardson

Hi,

Here's my problem and my current understanding:

I have 3 interfaces in my WAP box, external, internal and wireless.

I'd like to have MAC filtering for addresses with access to the external 
network, but allow guests to connect to the wireless network to help 
with copying files around in the same room.


I need to run dhcpd on both the internal interface and the wireless 
interface as guests might not have wireless. ALL clients on the wireless 
network MUST use DHCP to obtain their address.


My dhcpd.conf is as follows:

--
shared-network LOCAL-NET {
    option domain-name "example.org";
    option domain-name-servers 192.168.1.1;

    subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers 192.168.1.1;
        range 192.168.1.32 192.168.1.127;
    }

    host laptop {
        hardware ethernet 00:de:ad:be:ef:00;
        fixed-address 192.168.1.10;
    }
}

shared-network WIRELESS-NET {
    option domain-name "example.org";
    option domain-name-servers 192.168.1.1;

    subnet 192.168.2.0 netmask 255.255.255.0 {
        option routers 192.168.2.1;
        range 192.168.2.32 192.168.2.127;
    }

    host laptop-wireless {
        hardware ethernet 11:de:ad:be:ef:11;
        fixed-address 192.168.2.10;
    }
}
--

So, the problem is that dhcpd listens on both ends of the bridge that 
would be used for MAC filtering. DHCPDISCOVER requests are acknowledged 
on both interfaces, and the wireless client will receive a random 
address from either the internal or wireless network. laptop does not 
consistently receive its fixed address. I understand why this is so, as 
the DHCPDISCOVER/DHCPOFFER packets cannot be filtered in BPF. HOWEVER, I 
have been unable to find dhcpd configuration which will prevent the 
request from being processed on both interfaces. If I turn off the 
bridge, I lose the MAC filtering. Is there any way I can have the setup 
I desire? Not all registered MAC addresses will have a fixed-address, so 
I can allow a guest access to the external network by simply adding 
their MAC address to the bridge.


Thanks,
Brian