Vinay,

Thanks for the reply :)

Yes, I had thought of that alternative, the problem with it is that the DHCP servers on the WiFi APs are quite dumb. IOW, they just give out IPs on a specified range without any other considerations.

My intention is to have *two* networks on the WiFi. One with the registered machines (thru their MACs) and the other for the 'others' (unknown MACs). And then, based on these two networks the MNF can have the necessary rules to route or stop traffic between the three different networks... For example:

INT  - ZONE      - IP RANGE       -
eth2 - wired     - 192.168.1.0/24 - Wired Network
eth1 - wifi_reg  - 192.168.2.0/24 - Trusted Wireless
eth1 - wifi_free - 192.168.3.0/24 - Non-trusted Wireless

So, the DHCP would first discriminate on the interface, so any machine requesting on eth2 would be given a 'wired' IP network. On the other hand, when a request comes from eth1, I know the MAC address of the machines I trust, so based on that (and if I have read the docs right) I would give it a 'wifi_reg' address. If it's an unknown MAC then the IP would be in the 'wifi_free' network and the firewall would block it out of my 'wired' & 'wifi_reg' networks.

As for the WEP, yup, I already have it in place (together with some rudimentary access control based on MAC) - thanks :)

BTW, is it possible to have multiple WEP keys active? I mean, some NICs support 64 & 128, but not 256 bit-keys... does that force me to have a lowest-common-denominator-security set to a 128 bit just because one NIC doesn't support a 256 bit key?

Cheers,
Xavier

On Tue, 22 Feb 2005 13:25:39 -0500, Vinay Shukla <[EMAIL PROTECTED]> wrote:
> Xavier,
>
> If I had to do what you are talking about, I would implement the
> solution as follows:
>
> Firewall - eth0 => WAN/ADSL Modem
> Firewall - eth1 => Wireless Router/AP - the router set up to provide
> DHCP - Linksys/Dlink etc all do this.
> Firewall - eth2 => LAN/ Internal secure users for Wireless. Have this be
> the one where MNF provides the DHCP services.
>
> Also on your internal Wireless set up security including WEP or other
> encryption. This will keep all your free-riders from accessing any
> resources on the LAN while still getting access via a different
> interface to the WAN.
>
> My 2 cents.
> Vinay.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Xavier
> Alvarez
> Sent: Tuesday, February 22, 2005 11:54 AM
> To: [email protected]
> Subject: [Security Firewall] Re: MNF and DHCP customization
>
> No takers on this? Not even a "please explain further" comment? Am I
> missing something too obvious?
>
> A bit lost,
> Xavier
>
> On Wed, 9 Feb 2005 12:26:24 +0100, Xavier Alvarez
> <[EMAIL PROTECTED]> wrote:
> > Hi people!
> >
> > I have a (newbie) question regarding DHCP in MNF.
> >
> > My network configuration is rather default, without DMZ:
> >
> > Firewall - eth0 => WAN | ADSL modem
> > Firewall - eth1 => (none yet)
> > Firewall - eth2 => LAN | switch
> >
> > The ADSL modem has a built-in firewall in default configuration and
> > runs a DHCP server for the 10.0.0.0/8 network, where there are only
> > two IPs used statically (the ADSL and the Firewall) allowing the
> > patching of a machine outside the MNF.
> >
> > The problem is that on the LAN I have wireless APs and some free
> > riders... I don't care too much about them using the WAN, but I do
> > care about them snooping my LAN. Also, I don't want to completely
> > lock the WiFi, since I have incoming roaming laptops that would need
> > to access the WAN with the least configuration possible.
> >
> > What I was thinking (have no clue about its feasibility though) was to
> > put the wireless APs on eth1. And activate the DHCP on that
> > interface. First problem, MNFs DHCP can only be set on only one
> > interface... and want to keep it on eth2.
> >
> > The second step in this grand plan-scheme, and if I read the DHCP
> > stuff correctly is to configure two distinct networks on that
> > interface. One, say 192.168.0.0/24, with my trusted wireless machines
> > (based on their MACs) and another (172.16.0.0/12) for the unknowns.
> >
> > This splitting would allow me to create specific rules allowing
> > traffic to my wired network only from trusted wireless, while allowing
> > untrusted wireless to surf the web without access to my wired network.
> >
> > The rationale (security-wise) is that if a free-rider bumps onto my
> > wireless network, the DHCP will give a non-trusted IP to it and the
> > firewall will block out my LAN to it. A would-be hacker-snooper,
> > would probably think that the AP was left on by mistake and since he
> > has access to the web, will not spend too much time trying to find my
> > wired network. But if a trusted MAC does bump in, it'll be able to
> > communicate with the wired network.
> >
> > So my question is: can this be done? within MNF or it'll break it?
> > Hints or ideas on how?
> >
> > Cheers,
> > Xavier
> >
>
> ____________________________________________________
> Want to buy your Pack or Services from MandrakeSoft?
> Go to http://www.mandrakestore.com
> Join the Club : http://www.mandrakeclub.com
> ____________________________________________________
>
>
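Editor's added example (not part of the thread, and not MNF's own configuration): the interface-then-MAC split Xavier describes maps directly onto ISC dhcpd's class/subclass and pool mechanisms. It is assumed here that MNF's DHCP service is ISC dhcpd and that the file is edited by hand rather than through the MNF interface, which the thread says only exposes a single interface. The zone names and subnets are the ones from Xavier's table; the two trusted MAC addresses, the lease ranges and the 192.168.2.1 / 192.168.3.1 gateway addresses are constructed placeholders.

```conf
# /etc/dhcpd.conf - added example, ISC dhcpd 3.x syntax
ddns-update-style none;
authoritative;
default-lease-time 3600;
max-lease-time 7200;

# Trusted wireless stations, keyed on the Ethernet hardware address.
# The leading "1:" is the hardware type (1 = Ethernet). The two MACs
# below are constructed placeholders; replace them with the real ones.
class "trusted-wifi" {
    match hardware;
}
subclass "trusted-wifi" 1:00:11:22:33:44:55;
subclass "trusted-wifi" 1:00:11:22:33:44:66;

# Zone "wired" on eth2: one subnet, no MAC discrimination.
# Requests are tied to this subnet by the interface they arrive on.
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
}

# Zones "wifi_reg" and "wifi_free" share one physical segment behind
# eth1, so both subnets go in a single shared-network. dhcpd selects the
# shared-network by the interface a request came in on, then picks the
# first pool whose allow/deny list admits the client.
shared-network wifi {

    # wifi_reg: only members of the trusted class may draw a lease here.
    subnet 192.168.2.0 netmask 255.255.255.0 {
        option routers 192.168.2.1;
        option domain-name-servers 192.168.2.1;
        pool {
            allow members of "trusted-wifi";
            range 192.168.2.100 192.168.2.200;
        }
    }

    # wifi_free: every other station lands here. The explicit deny keeps
    # a trusted station out of this pool even when wifi_reg is exhausted,
    # so a known machine never silently drops into the untrusted zone.
    subnet 192.168.3.0 netmask 255.255.255.0 {
        option routers 192.168.3.1;
        option domain-name-servers 192.168.3.1;
        pool {
            deny members of "trusted-wifi";
            range 192.168.3.100 192.168.3.200;
        }
    }
}
```

Two things to check before relying on this. First, the shared-network only works if eth1 on the firewall carries an address inside each of its subnets (for example 192.168.2.1 on eth1 and 192.168.3.1 on an alias such as eth1:0); without that dhcpd cannot match broadcast requests on eth1 to the shared-network and hands out nothing, and the firewall would have no route into the second subnet anyway. dhcpd also has to be started listening on both interfaces (the interface names are given on its command line, e.g. dhcpd eth1 eth2), which is the part MNF's single-interface setting does not cover.

Second, and more important for the threat model in the thread: the MAC address is chosen by the client, and 802.11 frame headers travel in the clear even with WEP enabled, so a free-rider who sniffs a trusted station's MAC can clone it and draw a wifi_reg lease. Nothing in DHCP stops a client from skipping DHCP altogether and configuring a 192.168.2.x address by hand, either. The split is therefore a convenience for writing firewall rules, not an enforcement boundary: the rules on the firewall should still assume that any address can appear on eth1, and anything that must stay private to the wired LAN should not be protected by the wifi_reg zone alone.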
