> >If a bad guy were to get on the WiFi network, he can flood the MAC
> >address table for the switch in the "New Router" and make the
> >switch part (LAN side) behave like a dumb hub.
>
> So I see it is possible to break the router and lose the benefits of the
> isolation the router is supposed to provide. But doesn't the ARP flood
> have to originate on the LAN side of my router? If someone produces an
> ARP flood on the WiFi side of the network won't it fail because it is on
> the WAN port side of my inside router?

[This email contains ASCII art.  Please view it with a fixed font
and in a window with at least 80 char columns.]


Right.  Imagine the WAN port of the Old Router and the whole of the
WiFi network connected to a dumb hub.  So, what I'm (somewhat)
paranoid about is that the traffic between the Internet and your
Internal LAN is now available to the WiFi side.  Admittedly,
since that traffic is intended for the wider internet, the hope is
that you wouldn't be sending sensitive information in clear text.
Instead, it will (hopefully) be encrypted with SSL or SSH.  If you
can live with that, go for the network #1 below.  I've removed that
confusing connection between WiFi network and the 192.168.1/24 subnet.

             New                    Old
            Router                 Router
{internet}--[W  L]-(10.10.10/24)-+-[W  L]-(192.168.1/24)---->Internal LAN
                                 |
                                 |
W=WAN                            +----------+---[WiFi AP#1]
L=LAN                                       |
                                            +---[WiFi AP#2]
                                            |
                                           etc.



The second network I talked about in the previous reply was this:

             Old                     New
            Router                  Router
{internet}--[W  L]-(192.168.1/24)-+-[W  L]-(10.10.10/24)-+
                                  |                      |
                                  |         +------------+
             Internal LAN --------+         |
                                            +---[WiFi AP#1]
                                            |
                                            +---[WiFi AP#2]
                                            |
                                           etc.

I like this less and less now.  If there's a vulnerability in the
New Router that can be exploited via its LAN side, your Internal
LAN is now exposed.  Or even a brute-force password attack
against the New Router's management account could leave it owned.


Instead, (for the truly paranoid, I guess) here's another network.
This one uses another router to NAT and isolate the entire WiFi
network behind a single IP from the outer network.  (SOHO Router/NAT
boxes are cheap.)


             New                     Old
            Router                  Router
{internet}--[W  L]-(10.10.10/24)-+-[W  L]-(192.168.1/24)---->Internal LAN
                                 |
                                 |
                                 +-[W  L]-(10.1.1/24)-+---[WiFi AP#1]
                                     New              |
                                    Router            +---[WiFi AP#2]
                                     #2               |
                                                     etc.


Regardless of the network configuration, if the machines in your
Internal LAN are going to connect to the WiFi via their wireless
network interfaces while being on the wired LAN via the ethernet
interfaces ... why bother with all of this?
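An added illustration of the MAC-table flooding point made above (example code written for this page, not from the thread's author): a toy switch whose learning table fills up and starts flooding unicast frames out every port, plus the check a defender would run on per-port source-MAC counts. Port numbers, MAC addresses and the 64-entry capacity are constructed assumptions.

```python
"""Toy model of a switch MAC (CAM) table and a flooding detector.
Constructed sample data; port 1 = Old Router WAN side, port 2 = uplink,
port 3 = the WiFi-facing port."""
from collections import OrderedDict

A, B = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"   # two wired hosts
WIFI_PORT = 3


def constructed_frames(attack):
    """(ingress_port, src_mac, dst_mac). With attack=True, the WiFi port
    presents 300 distinct source MACs, as the thread describes."""
    normal = [(1, A, B), (2, B, A), (1, A, B)]
    burst = [(WIFI_PORT, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}",
              "ff:ff:ff:ff:ff:ff") for i in range(300)] if attack else []
    return normal + burst + normal


class Switch:
    """Learns src MAC -> port. When full, the oldest entry is evicted (a
    simplification). A frame to an unknown MAC is flooded out every other
    port, which is the 'dumb hub' behaviour."""

    def __init__(self, capacity, ports):
        self.capacity, self.ports = capacity, set(ports)
        self.table = OrderedDict()

    def forward(self, port, src, dst):
        if src not in self.table and len(self.table) >= self.capacity:
            self.table.popitem(last=False)      # assumed eviction policy
        self.table[src] = port
        return {self.table[dst]} if dst in self.table else self.ports - {port}


def count_leaks(frames, capacity=64, wifi_port=WIFI_PORT):
    """Wired-side frames the switch ended up delivering to the WiFi port."""
    sw, leaks = Switch(capacity, {1, 2, wifi_port}), 0
    for port, src, dst in frames:
        out = sw.forward(port, src, dst)       # every frame updates the table
        if port != wifi_port and wifi_port in out:
            leaks += 1
    return leaks


def flooding_ports(frames, threshold=50):
    """Detection: ports showing more distinct source MACs than a plausible
    number of hosts. Returns {port: distinct_source_count}."""
    seen = {}
    for port, src, _ in frames:
        seen.setdefault(port, set()).add(src)
    return {p: len(s) for p, s in seen.items() if len(s) > threshold}
```

Without the burst only the very first frame (unknown destination) is flooded; after the burst the wired hosts' traffic is flooded to the WiFi port again because their entries were pushed out of the table.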

