Well,

I agree to a point with both of you (Nunweiler & Marlon) - - you know I am different - - kinda like rocky road ice cream, just sweeter :-)

I don't like DHCP for the client as it's just too easy and requires no interaction with the client - EVER! I also don't like the fact that you get all the info you need to successfully connect to the internet "automatically" when you point "any" WiFi compatible device at one of my towers. I might as well give you the keys to my lock box in the bank :-) I think I will leave the DHCP off, make a trip to your house and assign your IP statically as well as your DNS. I don't ever foresee changing my DNS server addys, but if I do then it's just a matter of making DNS resolve to whatever I want it to. It's all in DNS baby :-)

On the other hand - - if you do DHCP and someone plugs their router in backwards you are screwed! There are no "ifs," "ands" or "buts" - - all you are lacking is the tattoo! If any portion of your network is set to receive a DHCP number - - it will do just that - - it doesn't care where it comes from - - it just wants a number, and whoever/whatever answers the DHCP request - - it's got a number that fits the niche even though it will totally disable the person's internet connection.

I ain't for sure if I made it to the other hand yet or not, so I shall continue till I run out of Margaritas (new recipe) or chicken (ancient Chinese secret). Doing a static routed network is for the birds!! I am not calling any names, but I have personally witnessed several "mighty fine" wireless Gurus sit at the base of a tower and hack away 5 pages (front and back) (hours!) of legal paper with static routes on them to add a new Access Point!! If you get 1 static route upstream wrong (read - - one number) then you ain't done JACK! Static routes are not the answer either. Static routing is just like bridging - - it will get you by a while, but you will surely move on to the real answer - - OSPF.

I have tried doing the static routing and I will tell you it's like pulling my own teeth without any anesthetic. It is not an answer, but a short term thing that could definitely last longer than bridging - - it's a fact. If a man wants to do something that will put him a long time in the future before having to do anything different - - I mean in excess of several thousand clients - - I suggest this:

1. Do not do DHCP - - assign static IPs
2. Implement OSPF and route your backbone
3. Bridge from the AP to the client - (get real, why would you need to route to the client? Where else can the traffic go if the backbone is routed and it's a one way street?)
4. Do MAC with IP authentication via RADIUS - or - PPPoE (either one is a real solution); each has its strengths and weaknesses
5. OSPF!!!!! (redundancy - YES!)
6. A really good "MikroTik Man" on the payroll and RB532's!!!! I do have suggestions and a name for this man!! Call me!
7. DO NOT BUILD A TOTALLY BRIDGED NETWORK - - unless you plan to stay a really small fish (minnow) in a really big ocean! I can attest what a mistake a bridged network can/will be! I can also attest to how easy it is to build, how FINE it runs and how fast that sucker will crumble down to the ground as you are standing at a keyboard trying all you know how to - - to no avail!! I can attest that you will learn a lot of stuff the hard way, how closely you will learn such tools as Ethereal and Angry IP, how much time you (& in my case - my wife) will spend hunting a single vicious virus on a tremendous network because it affects a bridged network like "walking" pneumonia affects you and me - - its effects move around on the network!! Ohhhh - - I can tell you some horror stories alright, but better than calling me - - call my wife!

Alright - - I am now stepping off my soap box and the floor is open! hehehehehe (I am not opinionated)

Margaritas anyone?


Mac Dearman
Maximum Access, LLC.
www.inetsouth.com
www.radioresponse.org (Katrina relief efforts)
318-728-8600 - Rayville
318-728-9600
318-376-2562 - cell
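The "router plugged in backwards" failure Mac and Marlon describe is a rogue DHCP server answering on a bridged subscriber segment. As an added example (not code from this thread or from any product named in it), a small Python detector over constructed DHCPOFFER records, of the kind a DHCP snooping feature or a packet capture at the AP would report; the authorized server address, the trusted uplink port name and the sample offers are all hypothetical values chosen for the example.

```python
from dataclasses import dataclass

# Hypothetical values for this example: the WISP's own DHCP server and the
# port/VLAN that leads toward it. Any DHCPOFFER that arrives on a
# subscriber-facing port comes from a box on the customer side, such as a
# DSL router whose LAN (DHCP-serving) side was cabled toward the WISP.
AUTHORIZED_SERVERS = {"10.0.0.1"}
TRUSTED_PORTS = {"backhaul0"}

@dataclass(frozen=True)
class DhcpOffer:
    server_id: str     # option 54, server identifier claimed in the offer
    server_mac: str    # source MAC of the frame carrying the offer
    ingress_port: str  # port/VLAN the offer entered the AP/switch on
    offered_ip: str    # yiaddr handed to the subscriber
    router: str        # option 3, default gateway handed to the subscriber

def classify_offer(offer: DhcpOffer) -> str:
    """Return 'ok' for a legitimate offer, otherwise a short rogue reason."""
    if offer.ingress_port not in TRUSTED_PORTS:
        # The direction check matters most: a rogue can copy the real
        # server's IP as option 54, but it cannot arrive from the uplink.
        return "offer arrived on subscriber-facing port " + offer.ingress_port
    if offer.server_id not in AUTHORIZED_SERVERS:
        return "unknown server identifier " + offer.server_id
    return "ok"

def find_rogues(offers):
    """Map (server MAC, claimed server ID) -> reason, one entry per rogue."""
    rogues = {}
    for offer in offers:
        verdict = classify_offer(offer)
        if verdict != "ok":
            rogues.setdefault((offer.server_mac, offer.server_id), verdict)
    return rogues

# Constructed sample: one real offer, two from a backwards DSL router, and
# one from a customer box that copied the real server's identifier.
SAMPLE_OFFERS = [
    DhcpOffer("10.0.0.1", "00:11:22:33:44:55", "backhaul0", "10.0.5.23", "10.0.5.1"),
    DhcpOffer("192.168.1.1", "aa:bb:cc:dd:ee:01", "ap1-sector2", "192.168.1.100", "192.168.1.1"),
    DhcpOffer("192.168.1.1", "aa:bb:cc:dd:ee:01", "ap1-sector2", "192.168.1.101", "192.168.1.1"),
    DhcpOffer("10.0.0.1", "aa:bb:cc:dd:ee:02", "ap1-sector2", "10.0.5.99", "10.0.5.250"),
]

if __name__ == "__main__":
    for key, reason in find_rogues(SAMPLE_OFFERS).items():
        print("ROGUE DHCP server %s (claims %s): %s" % (key[0], key[1], reason))
```

The same port-based rule is what a switch or AP with DHCP snooping enforces in hardware (drop offers on untrusted ports), which is why routing to the customer, as Lonnie argues, confines a backwards router to that one subscriber's segment.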




Lonnie Nunweiler wrote:

And that is the second thing that guys do wrong.  They use simple
bridged clients which are vulnerable to the issue of the backwards
router and they create a host of other issues.

You are building a network that connects to the Internet so why not
use the same network design that the Internet uses?  Routed.  Sure you
will find sections that are bridged but anything that leaves the
backbone is routed to the customer.

Bridged or rather no design is fine for small simple networks.  Just
plug things in and get on to the next job.  As you grow the troubles
will begin and then, eventually, you will have to reorganize your
entire network and move to a routed design.  Why wait for all that
pain?  Do it right, from the start.  Allow yourself to grow and not
have to go through that second painful redesign.

I am usually silent and just watch the lists, but when I see wrong
advice given I cannot watch in silence.  It is wrong to not use DHCP
and it is wrong to use a bridged design.  If you have intentions of
doing any sort of large customer base, please plan it correctly from
the start.  Do not listen to the guys who tell you to do it quick and
dirty.  I know this sounds preachy, but man, I get 10 calls a day from
people who have started out quick and dirty and they reach a certain
size or get certain types of traffic, and their network just
collapses.  The fix is to go to routed and when they realize how much
work it is to convert it, they all wish they had followed my
consistent advice.  For more than 5 years I have said the same thing
on the various lists.  I even got kicked off the Judd list for not
backing down and agreeing that hacked together bridges were the way to
go.

Regards,
Lonnie



On 12/6/05, Marlon K. Schafer (509) 982-2181 <[EMAIL PROTECTED]> wrote:
Yeah, until some lunkhead plugs his dsl router in backward.  As they do all
the time around here....

No thanks, no more DHCP troubles for me.  Been there done that.  Twice.
Never again.

Marlon
(509) 982-2181                                   Equipment sales
(408) 907-6910 (Vonage)                    Consulting services
42846865 (icq)                                    And I run my own wisp!
64.146.146.12 (net meeting)
www.odessaoffice.com/wireless
www.odessaoffice.com/marlon/cam



----- Original Message -----
From: "Lonnie Nunweiler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "WISPA General List" <wireless@wispa.org>
Sent: Tuesday, December 06, 2005 2:27 PM
Subject: Re: [WISPA] How to Authenticate/Protect (Was Ethernet based authentication)


The same way you do it if you didn't run DHCP.  Use PPPoE, HotSpot,
static DHCP based on MAC, ACL for association at the AP, any number of
ways.

DHCP has little to do with authentication, although it can be a part
of the process.  What DHCP does is automate the user TCP settings so
that if you renumber your system in order to move to routing it is
painless to assign new numbers.  If you have to change DNS servers
then that is also easy.  Just change the DHCP config and within an
hour everybody is using the new DNS.

Don't run a network without it.  It is priceless.

Lonnie


On 12/6/05, Ron Wallace <[EMAIL PROTECTED]> wrote:
Lonnie,
So Lonnie, if I run DHCP, on my customers IP's, how do I authenticate
the users.  I'm a real rookie at this.
Ron Wallace
---- Original message ----
Date: Tue, 6 Dec 2005 11:52:08 -0800
From: Lonnie Nunweiler <[EMAIL PROTECTED]>
Subject: Re: [WISPA] How to Authenticate/Protect (Was Ethernet based authentication)
To: WISPA General List <wireless@wispa.org>

If you take Marlon's advice and do not run DHCP then you get to have
that personal contact with each and every subscriber if you ever have
to change network settings.  With DHCP running it is real simple and
quick to edit the DHCP config and wait for the DHCP client renewal .

My advice is completely the opposite.  Use DHCP for all of your
customers.  You will be happy you did and will mutter things when you
encounter someone who is not on DHCP.

The personal contact is nice but what if you have several hundred
customers?  That is just a little too nice for my tastes.

Lonnie

On 12/6/05, Marlon K. Schafer (509) 982-2181 <[EMAIL PROTECTED]> wrote:
Don't run DHCP!  And use MAC filtering at the AP's.  (I use the SmartBridges AP's. They'll do RADIUS and authenticate wireless subs just like my dialup ones.)

Marlon



----- Original Message -----
From: "Jason" <[EMAIL PROTECTED]>
To: "WISPA General List" <wireless@wispa.org>
Sent: Monday, December 05, 2005 9:39 PM
Subject: Re: [WISPA] How to Authenticate/Protect (Was Ethernet based authentication)


Marlon,

  I appreciate the advice.  Mostly I am interested in bullet proof
authentication of my clients.  Any suggestions?

Jason

Marlon K. Schafer (509) 982-2181 wrote:

Hiya Jason,

You are mixing your networks....  You won't normally run a homebrew product to provide a top notch service.

If security is of THAT great an importance to you, you should NOT run wifi anything.  Put in something much more off the wall.  It's a lot harder to snoop if you don't use one of the world's most common protocols.

For these business guys I'd run Trango or something like that.  Good stuff but not nearly as much of it in use and no free tools on the internet for intercepting and cracking the data stream.

What we do is remind our customers that this is the internet.  They are hanging out there for thousands upon thousands of people whose only purpose in life is breaking into their machines and seeing what they can learn.  If they have data that's that sensitive then they need a high end internal firewall and they need to VPN all internet traffic.

That help?
Marlon



----- Original Message -----
From: "Jason" <[EMAIL PROTECTED]>
To: "WISPA General List" <wireless@wispa.org>
Sent: Friday, December 02, 2005 3:20 PM
Subject: [WISPA] How to Authenticate/Protect (Was Ethernet based authentication)


List,

  I am on the precipice, ready to take the plunge and become a WISP (after 1 year of zoning, permits, 16 hr days, etc), but one thing still bothers me.  I haven't decided how to authenticate clients to my network and REALLY protect their data.  The CPEs I will use, rootenna/Senao 2611 combos, do only WEP, which only obfuscates data nowadays.  MAC addresses can be cloned.  Proxy login via a browser is obnoxious for the end user.  Ditto PPPoE & VPN logins.  There is just no elegant, KISS solution.  I was looking at PPPoE or PPTP (poptop/linux) with RADIUS as my system, since this would accomplish it, but it seems like so much trouble and overhead.  PPTP is not Mac friendly, PPPoE requires clients (gasp) or a router (gack!) and the PPPoE server shipping with Linux is meant "for testing purposes only - man".  I want an Always On (apparently) system for my clients that just works.

How do you other (small) WISPs do this?

  Tangent: How do you Senao 2611 users keep NetBIOS & Windows Network Neighborhood data off the wireless network?  I was told to add a SOHO router to the mix, but I don't want to invest in more equipment to maintain.

Jason Wallace
--
WISPA Wireless List: wireless@wispa.org

Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless

Archives: http://lists.wispa.org/pipermail/wireless/


--
Lonnie Nunweiler
Valemount Networks Corporation
http://www.star-os.com/
Ron Wallace
Hahnron, Inc.
220 S. Jackson St.
Addison, MI 49220

Phone:  (517) 547-8410
Mobile:  (517) 605-4542
e-mail:   [EMAIL PROTECTED]

