[plug] Wireless newbie questions

Craig Ringer craig at postnewspapers.com.au
Fri Jan 23 19:05:30 WST 2004


Derek Fountain wrote:
> I haven't a clue about wireless. Can anyone suggest the hardware I would need 
> to make this setup - preferably stuff I can wander out and buy in Perth 
> tomorrow? :o)

I have had excellent results with my setup. I got a Pentium Pro 200 with 
4 PCI slots and dropped 4 Intel EtherExpress Pro NICs into it. Any 
machine with 3 NICs would do fine, though.

I chose to get a separate WiFi AP and haven't regretted it - it's no 
fuss to set up, has no driver hassles, and handles the AP job perfectly. 
That way the firewall can get on with its job - traffic control. I seem 
to remember I got a D-Link 1000AP+ but can't remember for sure - I'm 
@work so I can't check.

Firewall machine config:

eth0 renamed "lan"  => 10/100 LAN
eth1 renamed "inet" => ADSL/PPPoE
eth2 renamed "wifi" => direct to 802.11b AP configured in bridged mode
eth3 renamed "dmz"  => DMZ for cleaning virus-ridden windows boxes, etc.

This works a treat, and the wifi subnet is nicely isolated. DHCPd hands 
out 192.168.0.x leases on eth0, 192.168.3.x on eth2 (any non 0.x subnet 
would be OK), and doesn't listen on eth1. Sensible spoof protection is 
in place - unless your traffic goes via eth0, packets with 192.168.0.x 
src/dst get dropped - ditto for eth2 with 192.168.3.x .

Iptables is configured to allow new connections from 192.168.0.x to 
192.168.3.x and from 192.168.3.x to 192.168.0.x. Less than ideal, but as 
the WiFi is MAC-locked to my laptop and requires WAP it's not 
super-trivial to attack. I expect to have IPSec going soon, so IPSec 
will be required to talk to the wired LAN or the internet.

191.168.0.x can talk freely with the internet (via sensible firewall 
config). 192.168.3.x may too, but this will be turned off once I have 
IPSec going. 2.6.x's IPSec looks _so_ much nicer than FreeS/WAN.

Tip: if you're working with multiple ethernet interfaces, it's really 
nice to lock each card (by MAC address) to a specific interface name (eg 
eth0). If you need to replace the card, you simply update the MAC 
address in your network config - there's no need to play with driver 
load order, fiddle with interface numbering, etc. I like to rename the 
interfaces to more sensible things, too - "lan" is nicer than "eth0", 
especially when the admin after you takes over. [lan, inet, dmz, wifi] 
is so much nicer than [eth0, eth1, eth2, eth3] yes?

Craig Ringer
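The spoof protection and inter-subnet openings described in the post, written out as an added iptables script (not Craig's own config). The interface names and the 192.168.0.x / 192.168.3.x subnets come from the post; the DMZ subnet 192.168.2.0/24 is an assumption, as is the use of masquerading on the ADSL side.

```shell
#!/bin/sh
# Added example (not from the post): anti-spoofing plus the inter-subnet policy
# for a four-interface firewall named lan/inet/wifi/dmz as in the post.
# Assumed: DMZ subnet 192.168.2.0/24 (the post does not give one).
# Prints the rules by default; run with "apply" to execute them.

LAN_IF=lan;   LAN_NET=192.168.0.0/24
WIFI_IF=wifi; WIFI_NET=192.168.3.0/24
DMZ_IF=dmz;   DMZ_NET=192.168.2.0/24    # assumed, not stated in the post
INET_IF=inet
MODE=print

# Either execute an iptables command or print it, depending on MODE.
rule() {
    if [ "$MODE" = apply ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Spoof protection for one subnet: packets with that subnet as source may only
# arrive on its own interface, and packets to it may only leave via that interface.
antispoof() {
    net=$1; ifc=$2
    rule -A INPUT   ! -i "$ifc" -s "$net" -j DROP
    rule -A FORWARD ! -i "$ifc" -s "$net" -j DROP
    rule -A FORWARD ! -o "$ifc" -d "$net" -j DROP
}

# Full forwarding policy: default deny, then the explicit openings from the post.
generate() {
    rule -P FORWARD DROP
    antispoof "$LAN_NET"  "$LAN_IF"
    antispoof "$WIFI_NET" "$WIFI_IF"
    antispoof "$DMZ_NET"  "$DMZ_IF"
    # Replies to already-accepted connections are always allowed back through.
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections in both directions between wired LAN and wifi: the
    # "less than ideal" opening the post intends to replace with IPsec.
    rule -A FORWARD -i "$LAN_IF"  -o "$WIFI_IF" -m state --state NEW -j ACCEPT
    rule -A FORWARD -i "$WIFI_IF" -o "$LAN_IF"  -m state --state NEW -j ACCEPT
    # Wired LAN and (for now) wifi may open connections to the internet; the
    # DMZ gets no opening at all, so cleaned-up boxes can only answer.
    rule -A FORWARD -i "$LAN_IF"  -o "$INET_IF" -m state --state NEW -j ACCEPT
    rule -A FORWARD -i "$WIFI_IF" -o "$INET_IF" -m state --state NEW -j ACCEPT
    rule -t nat -A POSTROUTING -o "$INET_IF" -j MASQUERADE    # assumed NAT
}

[ "$1" = apply ] && MODE=apply
generate
```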