No takers on this? Not even a "please explain further" comment? Am I missing something too obvious?
A bit lost,
Xavier

On Wed, 9 Feb 2005 12:26:24 +0100, Xavier Alvarez <[EMAIL PROTECTED]> wrote:
> Hi people!
>
> I have a (newbie) question regarding DHCP in MNF.
>
> My network configuration is rather default, without DMZ:
>
> Firewall - eth0 => WAN | ADSL modem
> Firewall - eth1 => (none yet)
> Firewall - eth2 => LAN | switch
>
> The ADSL modem has a built-in firewall in default configuration and
> runs a DHCP server for the 10.0.0.0/8 network, where there are only
> two IPs used statically (the ADSL and the Firewall), allowing the
> patching of a machine outside the MNF.
>
> The problem is that on the LAN I have wireless APs and some free
> riders... I don't care too much about them using the WAN, but I do
> care about them snooping my LAN. Also, I don't want to completely
> lock the WiFi, since I have incoming roaming laptops that would need
> to access the WAN with the least configuration possible.
>
> What I was thinking (have no clue about its feasibility though) was to
> put the wireless APs on eth1 and activate the DHCP on that
> interface. First problem: MNF's DHCP can only be set on one
> interface... and I want to keep it on eth2.
>
> The second step in this grand plan-scheme, if I read the DHCP
> stuff correctly, is to configure two distinct networks on that
> interface. One, say 192.168.0.0/24, with my trusted wireless machines
> (based on their MACs) and another (172.16.0.0/12) for the unknowns.
>
> This splitting would allow me to create specific rules allowing
> traffic to my wired network only from trusted wireless, while allowing
> untrusted wireless to surf the web without access to my wired network.
>
> The rationale (security-wise) is that if a free-rider bumps onto my
> wireless network, the DHCP will give a non-trusted IP to it and the
> firewall will block out my LAN to it. A would-be hacker-snooper
> would probably think that the AP was left on by mistake and, since he
> has access to the web, will not spend too much time trying to find my
> wired network. But if a trusted MAC does bump in, it'll be able to
> communicate with the wired network.
>
> So my question is: can this be done within MNF, or will it break it?
> Hints or ideas on how?
>
> Cheers,
> Xavier
____________________________________________________ Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com Join the Club : http://www.mandrakeclub.com ____________________________________________________
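One way to express the trusted/untrusted split the question describes, as an added example that is not from this thread or from MNF itself: an ISC dhcpd configuration serving two subnets on one interface, with a class built from MAC addresses. It assumes MNF's DHCP service is ISC dhcpd, that the APs are on eth1, and that eth1 carries both gateway addresses (192.168.0.1 and 172.16.0.1 as an alias); the MACs are constructed sample values.

```conf
# Added example (not from the thread). ISC dhcpd: one interface (eth1),
# two address ranges, chosen by whether the client MAC is in a trusted list.
# Assumes eth1 holds both 192.168.0.1 and 172.16.0.1.

authoritative;

# Class whose membership is decided by the client hardware address.
class "trusted-wifi" {
    match hardware;
}
# The hardware value is the type byte (1 = Ethernet) followed by the MAC.
# Constructed sample MACs; replace with the real trusted laptops.
subclass "trusted-wifi" 1:00:11:22:33:44:55;
subclass "trusted-wifi" 1:00:11:22:33:44:66;

# Both subnets live on the same physical segment, so they share one network.
shared-network wifi {
    # Trusted wireless hosts: firewall rules may let this range reach the wired LAN.
    subnet 192.168.0.0 netmask 255.255.255.0 {
        option routers 192.168.0.1;
        option domain-name-servers 192.168.0.1;
        pool {
            allow members of "trusted-wifi";
            range 192.168.0.100 192.168.0.199;
        }
    }

    # Unknown hosts: firewall rules should forward this range to the WAN only.
    # 172.16.0.0/12 is a 255.240.0.0 mask; the pool itself stays small.
    subnet 172.16.0.0 netmask 255.240.0.0 {
        option routers 172.16.0.1;
        option domain-name-servers 172.16.0.1;
        pool {
            deny members of "trusted-wifi";
            range 172.16.0.100 172.16.0.199;
        }
    }
}
```

Because the class is keyed on the MAC, which any client can set, this separates convenience tiers rather than authenticating users; the firewall rules that key on the two source ranges are where the real LAN/WAN distinction is enforced.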
