Xavier,

There would be two wireless networks, each with an SSID - say "trusted" and "untrusted". Once you have these, the machines connecting via wireless will show two wireless networks available. If the user's preference is the trusted network (wifi_reg), they have the WEP and other security qualifications, so they have the tools to connect via the trusted net. Others will not have these settings, so they will connect to the wifi_free.

I already use a wifi setup; however, I have assigned the networks a subset, meaning wired = 10.1.1.1 - 10.1.1.100 and the wireless 10.1.1.101 - 10.1.1.200. This way I have one network to be concerned with and do not have to use the MNF to route between networks. You do realize that whenever you have two networks, 192.168.1.x and 192.168.2.x, a router has to be involved in routing between the networks - MNF has to get involved. By keeping it on one net, MNF has zero load for data going from the wireless to the wired. The only reason you may want to use the router/firewall is to block certain ports, but why would you do that for your trusted users anyway?

As far as the DHCP goes, by virtue of restricting the wireless network that they are connecting to, you will have discriminated which IP address to serve.

On the WEP keys, it all depends on the wireless AP you are using. If you are using the basic ones available anywhere, then you can get two and set them up on the same net: wifi_free_1 services 256 byte on 192.168.3.1, wifi_free_2 services 128 byte on 192.168.3.2, and the available nets are 192.168.3.10 - 100 on wifi_free_1 and 192.168.3.101 - 200 on wifi_free_2.

One thing to note is that I am looking at the simplest solution, since if I am putting a system in place, it has to work correctly and have the fewest support calls possible.

Hope this helps. Good Luck.

Vinay.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Xavier Alvarez
Sent: Wednesday, February 23, 2005 5:26 AM
To: [email protected]
Subject: Re: [Security Firewall] Re: MNF and DHCP customization

Vinay,

Thanks for the reply :)

Yes, I had thought of that alternative; the problem with it is that the DHCP servers on the WiFi APs are quite dumb. IOW, they just give out IPs on a specified range without any other considerations.

My intention is to have *two* networks on the WiFi. One with the registered machines (thru their MACs) and the other for the 'others' (unknown MACs). And then, based on these two networks, the MNF can have the necessary rules to route or stop traffic between the three different networks... For example:

INT  - ZONE      - IP RANGE       -
eth2 - wired     - 192.168.1.0/24 - Wired Network
eth1 - wifi_reg  - 192.168.2.0/24 - Trusted Wireless
eth1 - wifi_free - 192.168.3.0/24 - Non-trusted Wireless

So, the DHCP would first discriminate on the interface, so any machine requesting on eth2 would be given a 'wired' IP network. On the other hand, when a request comes from eth1, I know the MAC addresses of the machines I trust, so based on that (and if I have read the docs right) I would give it a 'wifi_reg' address. If it's an unknown MAC, then the IP would be in the 'wifi_free' network and the firewall would block it out of my 'wired' & 'wifi_reg' networks.

As for the WEP, yup, I already have it in place (together with some rudimentary access control based on MAC) - thanks :)

BTW, is it possible to have multiple WEP keys active? I mean, some NICs support 64 & 128, but not 256 bit keys... does that force me to have a lowest-common-denominator security set to 128 bit just because one NIC doesn't support a 256 bit key?

Cheers,
Xavier

On Tue, 22 Feb 2005 13:25:39 -0500, Vinay Shukla <[EMAIL PROTECTED]> wrote:
> Xavier,
>
> If I had to do what you are talking about, I would implement the
> solution as follows:
>
> Firewall - eth0 => WAN/ADSL Modem
> Firewall - eth1 => Wireless Router/AP - the router set up to provide
> DHCP - Linksys/Dlink etc all do this.
> Firewall - eth2 => LAN/ Internal secure users for Wireless. Have this
> be the one where MNF provides the DHCP services.
>
> Also on your internal Wireless set up security including WEP or other
> encryption. This will keep all your free-riders from accessing any
> resources on the LAN while still getting access via a different
> interface to the WAN.
>
> My 2 cents.
> Vinay.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Xavier Alvarez
> Sent: Tuesday, February 22, 2005 11:54 AM
> To: [email protected]
> Subject: [Security Firewall] Re: MNF and DHCP customization
>
> No takers on this? Not even a "please explain further" comment? Am I
> missing something too obvious?
>
> A bit lost,
> Xavier
>
> On Wed, 9 Feb 2005 12:26:24 +0100, Xavier Alvarez <[EMAIL PROTECTED]> wrote:
> > Hi people!
> >
> > I have a (newbie) question regarding DHCP in MNF.
> >
> > My network configuration is rather default, without DMZ:
> >
> > Firewall - eth0 => WAN | ADSL modem
> > Firewall - eth1 => (none yet)
> > Firewall - eth2 => LAN | switch
> >
> > The ADSL modem has a built-in firewall in default configuration and
> > runs a DHCP server for the 10.0.0.0/8 network, where there are only
> > two IPs used statically (the ADSL and the Firewall), allowing the
> > patching of a machine outside the MNF.
> >
> > The problem is that on the LAN I have wireless APs and some free
> > riders... I don't care too much about them using the WAN, but I do
> > care about them snooping my LAN. Also, I don't want to completely
> > lock the WiFi, since I have incoming roaming laptops that would
> > need to access the WAN with the least configuration possible.
> >
> > What I was thinking (have no clue about its feasibility though) was
> > to put the wireless APs on eth1 and activate the DHCP on that
> > interface. First problem: MNF's DHCP can only be set on one
> > interface... and I want to keep it on eth2.
> >
> > The second step in this grand plan-scheme, if I read the DHCP
> > stuff correctly, is to configure two distinct networks on that
> > interface. One, say 192.168.0.0/24, with my trusted wireless
> > machines (based on their MACs) and another (172.16.0.0/12) for
> > the unknowns.
> >
> > This splitting would allow me to create specific rules allowing
> > traffic to my wired network only from trusted wireless, while
> > allowing untrusted wireless to surf the web without access to my
> > wired network.
> >
> > The rationale (security-wise) is that if a free-rider bumps onto my
> > wireless network, the DHCP will give a non-trusted IP to it and the
> > firewall will block out my LAN to it. A would-be hacker-snooper
> > would probably think that the AP was left on by mistake and, since he
> > has access to the web, will not spend too much time trying to find
> > my wired network. But if a trusted MAC does bump in, it'll be able
> > to communicate with the wired network.
> >
> > So my question is: can this be done within MNF, or will it break it?
> > Hints or ideas on how?
> >
> > Cheers,
> > Xavier
> >
> ____________________________________________________
> Want to buy your Pack or Services from MandrakeSoft?
> Go to http://www.mandrakestore.com
> Join the Club : http://www.mandrakeclub.com
> ____________________________________________________
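The design Xavier sketches (trusted MACs get a wifi_reg lease, unknown MACs a wifi_free lease on the same interface, with the firewall separating the three zones), as an added example that is not from the thread or from MNF: it assumes an ISC-dhcpd-style dhcpd.conf and iptables, with constructed placeholder MACs and the 192.168.1/2/3.0/24 ranges from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: MAC-keyed DHCP pools on one wireless
# interface (eth1) plus the forwarding policy between the three zones.
# Assumes an ISC-dhcpd-style dhcpd.conf and iptables; adapt to MNF's own syntax.

# Constructed placeholder MACs standing in for the trusted wireless machines.
TRUSTED_MACS="00:11:22:33:44:55 00:11:22:33:44:66"

# Zone a client MAC lands in: listed MACs get wifi_reg, everything else wifi_free.
zone_for_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    for t in $TRUSTED_MACS; do
        [ "$t" = "$mac" ] && { echo wifi_reg; return 0; }
    done
    echo wifi_free
}

# dhcpd.conf fragment: eth1 carries both subnets (it needs 192.168.2.1 and
# 192.168.3.1 as addresses) and pool membership follows the "trusted-wifi" class.
dhcpd_fragment() {
    printf 'class "trusted-wifi" { match hardware; }\n'
    for t in $TRUSTED_MACS; do
        printf 'subclass "trusted-wifi" 1:%s;\n' "$t"   # leading 1: = ethernet
    done
    cat <<'EOF'
shared-network wifi {
  subnet 192.168.2.0 netmask 255.255.255.0 {
    option routers 192.168.2.1;
    pool { allow members of "trusted-wifi"; range 192.168.2.10 192.168.2.100; }
  }
  subnet 192.168.3.0 netmask 255.255.255.0 {
    option routers 192.168.3.1;
    pool { deny members of "trusted-wifi"; range 192.168.3.10 192.168.3.100; }
  }
}
EOF
}

# Forwarding policy (assumes a default FORWARD policy of DROP): wifi_free only
# reaches the WAN on eth0; wifi_reg is forwarded everywhere. Pipe to sh as root.
forward_rules() {
    cat <<'EOF'
iptables -A FORWARD -s 192.168.3.0/24 -d 192.168.1.0/24 -j DROP
iptables -A FORWARD -s 192.168.3.0/24 -d 192.168.2.0/24 -j DROP
iptables -A FORWARD -i eth1 -s 192.168.3.0/24 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.2.0/24 -j ACCEPT
EOF
}
```

Because both pools share one segment, the MAC-keyed pool only sorts well-behaved clients and the iptables rules are what enforce the separation; Vinay's two-AP layout with WEP on the trusted SSID puts the boundary on the radio side instead, which is the stronger of the two.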
