PPPoE on a SOHO Router, private IPs for the devices.

But I don't think you have to use PPPoE to do the /32 address to force the end-device to route everything.   Need a router guru to answer that.

Scott Reed
Owner
NewWays
Wireless Networking
Network Design, Installation and Administration
www.nwwnet.net

The season is Christmas, not X-mas, not the holiday, but Christmas, because
Christ was born to provide salvation to all who will believe!

---------- Original Message -----------
From: "Mark Koskenmaki" <[EMAIL PROTECTED]>
To: "WISPA General List" <wireless@wispa.org>
Sent: Wed, 7 Dec 2005 11:17:15 -0800
Subject: Re: [WISPA] How toAuthenticate/Protect(WasEthernetbasedauthentication)

> I don't use pppoe.  
>  
> it really isn't workable, since the client end I use does not have a PPPOE client.
>  
> And, I don't need it.   BTW, if you use pppoe, how does someone use their xbox, packet8 phone, or other generic IP-addressable device?
>  
>  
> North East Oregon Fastnet, LLC 509-593-4061
> personal correspondence to:  mark at neofast dot net
> sales inquiries to:  purchasing at neofast dot net
> Fast Internet, NO WIRES!
> -----------------------------------------------------------------------------

> ----- Original Message -----
> From: Scott Reed
> To: WISPA General List
> Sent: Wednesday, December 07, 2005 11:04 AM
> Subject: Re: [WISPA] How toAuthenticate/Protect(WasEthernetbasedauthentication)
>
> Or, as PPPoE, client gets a /32 and a default gateway that allows everything to route.
>
> Why would the customer with a public need to be on a subnet by themselves, thus needing 4 IPs?
>
> Scott Reed
> Owner
> NewWays
> Wireless Networking
> Network Design, Installation and Administration
> www.nwwnet.net
>
> The season is Christmas, not X-mas, not the holiday, but Christmas, because
> Christ was born to provide salvation to all who will believe!
>
> ---------- Original Message -----------
> From: "Mark Koskenmaki" <[EMAIL PROTECTED]>
> To: "WISPA General List" <wireless@wispa.org>
> Sent: Wed, 7 Dec 2005 10:56:54 -0800
> Subject: Re: [WISPA] How toAuthenticate/Protect(WasEthernetbasedauthentication)
>
> > For a customer to have single computer with a public IP, I do have to use 4 IP addresses.
> >  
> > There's the broadcast, network, and two hosts - one being the gateway and one is the host.
> >  
> > However, I have only something like 5 clients with public IP's on their side, every other client has NAT done at their end, so, their CPE has a public IP interface, but all of their machines have private IP's.   They can have multiple computers, and they generally just share one public IP.
> >  
> > So, for the most part, I use one public IP  per client - however... I subnet each access point, which has a 16 or 32 IP subnet attached to it.    And again, this "wastes" 3 IP's per subnet... your broadcast, network, and of course, gateway IP.
> >  
> > However, monitoring traffic on the network shows almost zilch for anything other than actual USE on the network.
> >  
> > So, while I suppose we're technically "wasting" some IP's, we have a return for it, in that actually attacking client's machines is almost impossible, and my network is free of most broadcast and non-ip traffic. 
> >  
> > I hope to implement BGP and OSPF within 6 months network-wide.   We'll have to see how this affects our traffic levels negatively...
> >  
> >  
> >  
> > North East Oregon Fastnet, LLC 509-593-4061
> > personal correspondence to:  mark at neofast dot net
> > sales inquiries to:  purchasing at neofast dot net
> > Fast Internet, NO WIRES!
> > -----------------------------------------------------------------------------

> > ----- Original Message -----
> > From: Marlon K. Schafer (509) 982-2181
> > To: WISPA General List
> > Sent: Wednesday, December 07, 2005 10:15 AM
> > Subject: Re: [WISPA] How toAuthenticate/Protect(WasEthernetbasedauthentication)
> >
> > I'm no expert so you guys feel free to correct me as needed.....
> >  
> > The smallest subnet needs 4 ip addys to work.  Even if it's three you get the idea.  Still a huge waste of a very limited and harder to get all the time resource.
> >  
> > Marlon
> > (509) 982-2181                                      Equipment sales
> > (408) 907-6910 (Vonage)                     Consulting services
> > 42846865 (icq)                                        And I run my own wisp!
> > 64.146.146.12 (net meeting)
> > www.odessaoffice.com/wireless
> > www.odessaoffice.com/marlon/cam


> > ----- Original Message -----
> > From: Scott Reed
> > To: WISPA General List
> > Sent: Wednesday, December 07, 2005 10:12 AM
> > Subject: Re: [WISPA] How toAuthenticate/Protect(WasEthernetbasedauthentication)
> >
> > How were you looking at routing to use 3 for 1?  I have never set up routing that way and would like to be sure I don't.  I am running
> > fully routed from the get-go, with 3 internal routers and a 4th going in Friday.  Actually 2 MTs as router only and 2 that are
> > "routing APs".
> >
> >
> > Scott Reed
> > Owner
> > NewWays
> > Wireless Networking
> > Network Design, Installation and Administration
> > www.nwwnet.net
> >
> > The season is Christmas, not X-mas, not the holiday, but Christmas, because
> > Christ was born to provide salvation to all who will believe!
> >
> > ---------- Original Message -----------
> > From: "Marlon K. Schafer (509) 982-2181" <[EMAIL PROTECTED]>
> > To: "WISPA General List" <wireless@wispa.org>
> > Sent: Wed, 7 Dec 2005 10:05:52 -0800
> > Subject: Re: [WISPA] How to Authenticate/Protect(WasEthernetbasedauthentication)
> >
> > > The idea, for me is that by the time a company gets to the point that they
> > > need to route they'll either know what they are doing.  And/or they'll have
> > > someone on staff just to handle that issue.
> > >
> > > The other problem I ran into back when was a shortage of ip addys.  And
> > > routing to every customer wastes three ip addys for every one you get to
> > > actually use.  I don't think that's responsible stewardship.
> > >
> > > My new ap's block client to client communications, and new managed switches
> > > that will vlan and packet filter will be the next upgrades I'll do.
> > >
> > > We just broke the network in two.  So I've got 150ish broadband subs on one
> > > system and 150 on another.  Not exact numbers but close.  One of the systems
> > > went from t-1 to 10 meg so I don't have good numbers as to performance
> > > issues.
> > >
> > > The other one still has 100 megs coming into it.  On that system I see no
> > > difference.
> > >
> > > I'm sure there's room for improvement.   There always will be if a guy wants
> > > to stay anywhere near the head of the pack.
> > >
> > > One other thing that's not been brought up yet is over building.  Today we
> > > can build 3 to 10x more capacity into the network than the average customer
> > > is demanding for the same cost or very nearly so as building to meet
> > > customer demands.   Having more capacity than is needed, so far, is allowing
> > > us to significantly simplify the network.  Anyone can walk in here tomorrow
> > > and take over with a few phone calls to tech support at most.  There's
> > > nothing fancy going on here.  That's part of why I can take care of 250
> > > wireless subs, 50 fiber customers and hundreds of dialup people with me and
> > > two gals that share a part time office job.  Our wireless churn is almost
> > > nil.   I've lost a couple lately due to some trouble at a tower site.   It's
> > > caused by jerk off competitors and their 1 watt amps and 15+ db sector
> > > antennas though.  And I tried to use a $120 sector where I normally use $400
> > > ones.   I'm not sure I'll ever learn that lesson :-).
> > >
> > > Will we have to redo the network at some point in the future?  Sure.   Will
> > > it suck?   Sure.  But that's then and this is now.  We just redid half of it
> > > and it sucked.  Big time.  But only for a few days.  WE have taken the time
> > > to teach our customers how to do their own networking stuff just like we
> > > took the time to teach them how to do their own dialup stuff.  When we need
> > > to make changes (or the customer changes their gear) they can usually take
> > > care of it themselves or with a little help from us via the phone.
> > >
> > > Both models work.  The real trick is making sure that they get deployed in
> > > the right situation.  Too big of a hammer is sometimes just as bad as too
> > > small of a one or vice versa.
> > >
> > > Oh yeah, I'm tired of hearing small networks getting talked down to.  With
> > > 100 subs the average guy should be putting $2,000 to $3,000 per month in the
> > > bank.  That's enough money to keep the average mom home with the kids!   We'd
> > > be there today if we would just stop growing.  Man, a mom at home with the
> > > kids AND good cars to drive and a dad that's not working 80 hours per week.
> > > Small WISPs are right in there with the American dream man!  This is good
> > > stuff!
> > >
> > > Laters,
> > > Marlon
> > > (509) 982-2181                                   Equipment sales
> > > (408) 907-6910 (Vonage)                    Consulting services
> > > 42846865 (icq)                                    And I run my own wisp!
> > > 64.146.146.12 (net meeting)
> > > www.odessaoffice.com/wireless
> > > www.odessaoffice.com/marlon/cam
> > >
> > > ----- Original Message -----
> > > From: "Lonnie Nunweiler" <[EMAIL PROTECTED]>
> > > To: "WISPA General List" <wireless@wispa.org>
> > > Sent: Tuesday, December 06, 2005 5:43 PM
> > > Subject: Re: [WISPA] How to
> > > Authenticate/Protect(WasEthernetbasedauthentication)
> > >
> > > And that is the second thing that guys do wrong.   They use simple
> > > bridged clients which are vulnerable to the issue of the backwards
> > > router and they create a host of other issues.
> > >
> > > You are building a network that connects to the Internet so why not
> > > use the same network design that the Internet uses?  Routed.  Sure you
> > > will find sections that are bridged but anything that leaves the
> > > backbone is routed to the customer.
> > >
> > > Bridged or rather no design is fine for small simple networks.  Just
> > > plug things in and get on to the next job.  As you grow the troubles
> > > will begin and then, eventually, you will have to reorganize your
> > > entire network and move to a routed design.  Why wait for all that
> > > pain?  Do it right, from the start.  Allow yourself to grow and not
> > > have to go through that second painful redesign.
> > >
> > > I am usually silent and just watch the lists, but when I see wrong
> > > advice given I cannot watch in silence.  It is wrong to not use DHCP
> > > and it is wrong to use a bridged design.   If you have intentions of
> > > doing any sort of large customer base, please plan it correctly from
> > > the start.  Do not listen to the guys who tell you to do it quick and
> > > dirty.   I know this sounds preachy, but man, I get 10 calls a day from
> > > people who have started out quick and dirty and they reach a certain
> > > size or get certain types of traffic, and their network just
> > > collapses.  The fix is to go to routed and when they realize how much
> > > work it is to convert it, they all wish they had followed my
> > > consistent advice.  For more than 5 years I have said the same thing
> > > on the various lists.  I even got kicked off the Judd list for not
> > > backing down and agreeing that hacked together bridges were the way to
> > > go.
> > >
> > > Regards,
> > > Lonnie
> > >
> > > On 12/6/05, Marlon K. Schafer (509) 982-2181 <[EMAIL PROTECTED]> wrote:
> > > > > Yeah, until some lunkhead plugs his dsl router in backward.  As they do all
> > > > > the time around here....
> > > >
> > > > No thanks, no more DHCP troubles for me.   Been there done that.   Twice.
> > > > Never again.
> > > >
> > > > Marlon
> > > > (509) 982-2181                                   Equipment sales
> > > > (408) 907-6910 (Vonage)                    Consulting services
> > > > 42846865 (icq)                                    And I run my own wisp!
> > > > 64.146.146.12 (net meeting)
> > > > www.odessaoffice.com/wireless
> > > > www.odessaoffice.com/marlon/cam
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Lonnie Nunweiler" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>; "WISPA General List" <wireless@wispa.org>
> > > > Sent: Tuesday, December 06, 2005 2:27 PM
> > > > Subject: Re: [WISPA] How to Authenticate/Protect
> > > > (WasEthernetbasedauthentication)
> > > >
> > > >
> > > > The same way you do it if you didn't run DHCP.  Use PPPoE, HotSpot,
> > > > static DHCP based on MAC, ACL for association at the AP, any number of
> > > > ways.
> > > >
> > > > DHCP has little to do with authentication, although it can be a part
> > > > of the process.  What DHCP does is automate the user TCP settings so
> > > > that if you renumber your system in order to move to routing it is
> > > > painless to assign new numbers.  If you have to change DNS servers
> > > > then that is also easy.   Just change the DHCP config and within an
> > > > hour everybody is using the new DNS.
> > > >
> > > > Don't run a network without it.  It is priceless.
> > > >
> > > > Lonnie
> > > >
> > > >
> > > > On 12/6/05, Ron Wallace <[EMAIL PROTECTED]> wrote:
> > > > > Lonnie,
> > > > > So Lonnie, if I run DHCP, on my customers IP's, how do I authenticate
> > > > > the users.  I'm a real rookie at this.
> > > > > Ron Wallace
> > > > > ---- Original message ----
> > > > > >Date: Tue, 6 Dec 2005 11:52:08 -0800
> > > > > >From: Lonnie Nunweiler <[EMAIL PROTECTED]>
> > > > > >Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernet
> > > > > basedauthentication)
> > > > > >To: WISPA General List <wireless@wispa.org>
> > > > > >
> > > > > >If you take Marlon's advice and do not run DHCP then you get to have
> > > > > >that personal contact with each and every subscriber if you ever have
> > > > > >to change network settings.  With DHCP running it is real simple and
> > > > > > >quick to edit the DHCP config and wait for the DHCP client renewal.
> > > > > >
> > > > > >My advice is completely the opposite.  Use DHCP for all of your
> > > > > >customers.  You will be happy you did and will mutter things when you
> > > > > >encounter someone who is not on DHCP.
> > > > > >
> > > > > >The personal contact is nice but what if you have several hundred
> > > > > >customers?  That is just a little too nice for my tastes.
> > > > > >
> > > > > >Lonnie
> > > > > >
> > > > > > >On 12/6/05, Marlon K. Schafer (509) 982-2181 <[EMAIL PROTECTED]> wrote:
> > > > > > >> Don't run DHCP!  And use mac filtering at the ap's.   (I use the smartbridges
> > > > > > >> ap's. they'll do radius and authenticate wireless subs just like my dialup
> > > > > > >> ones.)
> > > > > >>
> > > > > >> Marlon
> > > > > >> (509) 982-2181                                   Equipment sales
> > > > > >> (408) 907-6910 (Vonage)                    Consulting services
> > > > > >> 42846865 (icq)                                    And I run my own
> > > > > wisp!
> > > > > >> 64.146.146.12 (net meeting)
> > > > > >> www.odessaoffice.com/wireless
> > > > > >> www.odessaoffice.com/marlon/cam
> > > > > >>
> > > > > >>
> > > > > >>
> > > > > >> ----- Original Message -----
> > > > > >> From: "Jason" <[EMAIL PROTECTED]>
> > > > > >> To: "WISPA General List" <wireless@wispa.org>
> > > > > >> Sent: Monday, December 05, 2005 9:39 PM
> > > > > >> Subject: Re: [WISPA] How to Authenticate/Protect (WasEthernet
> > > > > >> basedauthentication)
> > > > > >>
> > > > > >>
> > > > > >> > Marlon,
> > > > > >> >
> > > > > >> >    I appreciate the advice.  Mostly I am interested in bullet proof
> > > > > >> > authentication of my clients.   Any suggestions?
> > > > > >> >
> > > > > >> > Jason
> > > > > >> >
> > > > > >> > Marlon K. Schafer (509) 982-2181 wrote:
> > > > > >> >
> > > > > >> >> Hiya Jason,
> > > > > >> >>
> > > > > > >> >> You are mixing your networks....  You won't normally run a homebrew
> > > > > > >> >> product to provide a top notch service.
> > > > > > >> >>
> > > > > > >> >> If security is of THAT great an importance to you, you should NOT run
> > > > > > >> >> wifi anything.  Put in something much more off the wall.  It's a lot
> > > > > > >> >> harder to snoop if you don't use one of the world's most common
> > > > > > >> >> protocols.
> > > > > > >> >>
> > > > > > >> >> For these business guys I'd run Trango or something like that.  Good
> > > > > > >> >> stuff but not nearly as much of it in use and no free tools on the
> > > > > > >> >> internet for intercepting and cracking the data stream.
> > > > > > >> >>
> > > > > > >> >> What we do is remind our customers that this is the internet.  They are
> > > > > > >> >> hanging out there for thousands upon thousands of people whose only
> > > > > > >> >> purpose in life is breaking into their machines and seeing what they can
> > > > > > >> >> learn.  If they have data that's that sensitive then they need a high end
> > > > > > >> >> internal firewall and they need to VPN all internet traffic.
> > > > > >> >>
> > > > > >> >> That help?
> > > > > >> >> Marlon
> > > > > >> >> (509) 982-2181                                   Equipment sales
> > > > > >> >> (408) 907-6910 (Vonage)                    Consulting services
> > > > > >> >> 42846865 (icq)                                     And I run my
> > > > > own wisp!
> > > > > >> >> 64.146.146.12 (net meeting)
> > > > > >> >> www.odessaoffice.com/wireless
> > > > > >> >> www.odessaoffice.com/marlon/cam
> > > > > >> >>
> > > > > >> >>
> > > > > >> >>
> > > > > > >> >> ----- Original Message ----- From: "Jason" <[EMAIL PROTECTED]>
> > > > > >> >> To: "WISPA General List" <wireless@wispa.org>
> > > > > >> >> Sent: Friday, December 02, 2005 3:20 PM
> > > > > >> >> Subject: [WISPA] How to Authenticate/Protect (Was Ethernet
> > > > > >> >> basedauthentication)
> > > > > >> >>
> > > > > >> >>
> > > > > >> >>> List,
> > > > > >> >>>
> > > > > > >> >>>    I am on the precipice, ready to take the plunge and become a WISP
> > > > > > >> >>> (After 1 year of zoning, permits, 16 hr days, etc), but one thing still
> > > > > > >> >>> bothers me.  I haven't decided how to authenticate clients to my network
> > > > > > >> >>> and REALLY protect their data.  The CPE's I will use, rootenna/Senao2611
> > > > > > >> >>> combos, do only WEP, which only obfuscates data nowadays. MAC addresses
> > > > > > >> >>> can be cloned.  Proxy login via a browser is obnoxious for the end user.
> > > > > > >> >>> Ditto PPPoE & VPN logins.  There is just no elegant, KISS solution.  I
> > > > > > >> >>> was looking at PPPoE or PPTP (poptop/linux) with Radius as my system,
> > > > > > >> >>> since this would accomplish it, but seems like so much trouble and
> > > > > > >> >>> overhead. PPTP is not Mac friendly, PPPoE requires clients (gasp) or a
> > > > > > >> >>> router (gack!) and the PPPoE server shipping with Linux is meant "for
> > > > > > >> >>> testing purposes only - man".  I want an Always On (apparently) system
> > > > > > >> >>> for my clients that just works.
> > > > > > >> >>>
> > > > > > >> >>> How do you other (small) WISPs do this?
> > > > > > >> >>>
> > > > > > >> >>>    Tangent: How do you Senao 2611 users keep Netbios & windows network
> > > > > > >> >>> neighborhood data off the wireless network.   I was told to add a SOHO
> > > > > > >> >>> router to the mix, but don't want to invest in more equipment to
> > > > > > >> >>> maintain.
> > > > > >> >>>
> > > > > >> >>> Jason Wallace
> > > > > >> >>> --
> > > > > >> >>> WISPA Wireless List: wireless@wispa.org
> > > > > >> >>>
> > > > > >> >>> Subscribe/Unsubscribe:
> > > > > >> >>> http://lists.wispa.org/mailman/listinfo/wireless
> > > > > >> >>>
> > > > > >> >>> Archives: http://lists.wispa.org/pipermail/wireless/
> > > > > >> >>>
> > > > > >> >>
> > > > > >> > --
> > > > > >> > WISPA Wireless List: wireless@wispa.org
> > > > > >> >
> > > > > >> > Subscribe/Unsubscribe:
> > > > > >> > http://lists.wispa.org/mailman/listinfo/wireless
> > > > > >> >
> > > > > >> > Archives: http://lists.wispa.org/pipermail/wireless/
> > > > > >> >
> > > > > >>
> > > > > >> --
> > > > > >> WISPA Wireless List: wireless@wispa.org
> > > > > >>
> > > > > >> Subscribe/Unsubscribe:
> > > > > >> http://lists.wispa.org/mailman/listinfo/wireless
> > > > > >>
> > > > > >> Archives: http://lists.wispa.org/pipermail/wireless/
> > > > > >>
> > > > > >
> > > > > >
> > > > > >--
> > > > > >Lonnie Nunweiler
> > > > > >Valemount Networks Corporation
> > > > > >http://www.star-os.com/
> > > > > >--
> > > > > >WISPA Wireless List: wireless@wispa.org
> > > > > >
> > > > > >Subscribe/Unsubscribe:
> > > > > >http://lists.wispa.org/mailman/listinfo/wireless
> > > > > >
> > > > > >Archives: http://lists.wispa.org/pipermail/wireless/
> > > > > Ron Wallace
> > > > > Hahnron, Inc.
> > > > > 220 S. Jackson St.
> > > > > Addison, MI 49220
> > > > >
> > > > > Phone:   (517) 547-8410
> > > > > Mobile:   (517) 605-4542
> > > > > e-mail:   [EMAIL PROTECTED]
> > > > > --
> > > > > WISPA Wireless List: wireless@wispa.org
> > > > >
> > > > > Subscribe/Unsubscribe:
> > > > > http://lists.wispa.org/mailman/listinfo/wireless
> > > > >
> > > > > Archives: http://lists.wispa.org/pipermail/wireless/
> > > > >
> > > >
> > > >
> > > > --
> > > > Lonnie Nunweiler
> > > > Valemount Networks Corporation
> > > > http://www.star-os.com/
> > > > --
> > > > WISPA Wireless List: wireless@wispa.org
> > > >
> > > > Subscribe/Unsubscribe:
> > > > http://lists.wispa.org/mailman/listinfo/wireless
> > > >
> > > > Archives: http://lists.wispa.org/pipermail/wireless/
> > > >
> > > > --
> > > > WISPA Wireless List: wireless@wispa.org
> > > >
> > > > Subscribe/Unsubscribe:
> > > > http://lists.wispa.org/mailman/listinfo/wireless
> > > >
> > > > Archives: http://lists.wispa.org/pipermail/wireless/
> > > >
> > >
> > > --
> > > Lonnie Nunweiler
> > > Valemount Networks Corporation
> > > http://www.star-os.com/
> > > --
> > > WISPA Wireless List: wireless@wispa.org
> > >
> > > Subscribe/Unsubscribe:
> > > http://lists.wispa.org/mailman/listinfo/wireless
> > >
> > > Archives: http://lists.wispa.org/pipermail/wireless/
> > >
> > > --
> > > WISPA Wireless List: wireless@wispa.org
> > >
> > > Subscribe/Unsubscribe:
> > > http://lists.wispa.org/mailman/listinfo/wireless
> > >
> > > Archives: http://lists.wispa.org/pipermail/wireless/
> > ------- End of Original Message -------
> ------- End of Original Message -------
------- End of Original Message -------
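
Added example, not part of the original thread: the objection to DHCP quoted above is a customer router plugged in backward on a bridged segment, where it then answers other subscribers' DHCP requests. The Python below parses DHCP server replies and counts OFFER/ACK messages whose server identifier (option 54) is not on an allowlist; the addresses, MAC, packets and function names are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options
BOOTREPLY = 2                          # BOOTP op code: server to client
OFFER, ACK = 2, 5                      # DHCP message types (option 53)


def build_reply(msg_type, server_ip, offered_ip, client_mac):
    """Build a minimal DHCP server reply; used only to construct sample input."""
    server = ipaddress.IPv4Address(server_ip).packed
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREPLY, 1, 6, 0, 0x1234ABCD, 0, 0,
        bytes(4), ipaddress.IPv4Address(offered_ip).packed,
        server, bytes(4), client_mac, b"", b"")
    options = bytes([53, 1, msg_type]) + bytes([54, 4]) + server + b"\xff"
    return header + MAGIC_COOKIE + options


def parse_reply(packet):
    """Return (message type, server identifier), or None for a malformed reply."""
    if (len(packet) < 240 or packet[0] != BOOTREPLY
            or packet[236:240] != MAGIC_COOKIE):
        return None
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:   # 255 = end of options
        if packet[i] == 0:                        # 0 = single pad byte
            i += 1
            continue
        if i + 1 >= len(packet):
            return None                           # truncated option header
        code, length = packet[i], packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            return None                           # truncated option body
        opts[code] = value
        i += 2 + length
    if len(opts.get(53, b"")) != 1 or len(opts.get(54, b"")) != 4:
        return None
    return opts[53][0], ipaddress.IPv4Address(opts[54])


def find_rogue_servers(packets, authorized):
    """Count OFFER/ACK replies per server identifier not in `authorized`."""
    allowed = {ipaddress.IPv4Address(a) for a in authorized}
    rogue = Counter()
    for packet in packets:
        parsed = parse_reply(packet)
        if parsed is None:
            continue                              # skip frames we cannot trust
        msg_type, server = parsed
        if msg_type in (OFFER, ACK) and server not in allowed:
            rogue[str(server)] += 1
    return dict(rogue)


# Constructed sample capture: the provider's server, a customer router
# answering on the shared segment, and one truncated frame.
MAC = bytes.fromhex("020000000001")
SAMPLE = [
    build_reply(OFFER, "10.10.0.1", "10.10.0.50", MAC),
    build_reply(OFFER, "192.168.1.1", "192.168.1.100", MAC),
    build_reply(ACK, "192.168.1.1", "192.168.1.100", MAC),
    build_reply(OFFER, "10.10.0.1", "10.10.0.51", MAC)[:245],
]

if __name__ == "__main__":
    print(find_rogue_servers(SAMPLE, ["10.10.0.1"]))
```
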