> >Instead, (for the truly paranoid, I guess) here's another network.
> >This one uses another router to NAT and isolate the entire WiFi
> >network behind a single IP from the outer network. (SOHO Router/NAT
> >boxes are cheap.)
> >
> >             New                  Old
> >           Router               Router
> >{internet}--[W L]-(10.10.10/24)-+-[W L]-(192.168.1/24)---->Internal LAN
> >                                |
> >                                |
> >                                +-[W L]-(10.1.1/24)-+---[WiFi AP#1]
> >                                   New              |
> >                                 Router             +---[WiFi AP#2]
> >                                   #2               |
> >                                                   etc.
>
> Okay, SOHO routers are cheap. I need to make sure that New Router #2 is
> resistant to ARP floods. Have you seen SOHO class routers that are so
> resistant? I can't justify buying big iron for this project.
Sorry, don't know that one.

> >Regardless of the network configuration, if the machines in your
> >Internal LAN are going to connect to the WiFi via their wireless
> >network interfaces while being on the wired LAN via the ethernet
> >interfaces ... why bother with all of this?
>
> Are you saying that using WiFi would compromise this one computer or that
> doing so would allow the dual-connected computer to bridge the two
> networks in an unprotected manner?

The default-route in the machine should take care of not sending traffic
to the WiFi network unnecessarily, methinks.

_If_ a bad guy were to get on the WiFi subnet then he doesn't have to do
an ARP flood. He already has a direct route to one of your internal
machines via the 10.1.1/24 subnet. _If_ he is able to compromise that
machine (i.e.: own it, root it, whatever) then he has direct access to
your Internal LAN via the default-route path of that box (192.168.1/24
subnet). All that isolation you tried hard to obtain by adding two NATs
in the front side is moot because you've given a back-door path.

But note the two _If_s in that paragraph. (If this WiFi network isn't
open/public,) you do have WPA2 for it, right? And, you do keep your
internal machines patched, right? Sometimes you do have to trust
something, so I'd put my trust in those two; forget about the two new
NATs and plug the WiFi APs into the 192.168.1/24 subnet and call it a
day. And, maybe once a year change the very long WPA2 pw strings.

*************************************************************************
** List info, subscription management, list rules, archives, privacy   **
** policy, calmness, a member map, and more at http://www.cguys.org/   **
*************************************************************************
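The back-door argument in the reply above (a dual-connected machine makes the two front-side NATs moot) can be checked against an address inventory. The following is an added example, not code from the thread or its authors: it models segments as the prefixes in the diagram, treats any host with addresses in more than one segment as a pivot, and computes which segments an attacker who starts on the WiFi subnet can reach by compromising such hosts. The host names and addresses in HOSTS are constructed for illustration; the routers themselves are assumed not to forward inbound traffic, so only host pivots count.

```python
"""Segment-reachability check for the dual-homed 'back-door path' problem.

Added example (not from the original thread). Segments come from the thread's
diagram; the host inventory below is constructed for illustration.
"""
import ipaddress
from collections import deque

# Segments from the diagram: outer NAT subnet, isolated WiFi subnet, internal LAN.
SEGMENTS = {
    "outer": ipaddress.ip_network("10.10.10.0/24"),
    "wifi": ipaddress.ip_network("10.1.1.0/24"),
    "internal": ipaddress.ip_network("192.168.1.0/24"),
}

# Constructed inventory: host name -> addresses on its interfaces.
# "laptop" has a wired LAN address and a wireless address at the same time,
# i.e. it is the dual-connected machine the thread is worried about.
HOSTS = {
    "fileserver": ["192.168.1.10"],
    "laptop": ["192.168.1.23", "10.1.1.42"],
    "printer": ["10.1.1.7"],
}


def segments_of(addrs, segments=SEGMENTS):
    """Names of the segments whose prefix contains one of the host's addresses."""
    found = set()
    for a in addrs:
        ip = ipaddress.ip_address(a)
        for name, net in segments.items():
            if ip in net:
                found.add(name)
    return found


def dual_homed_hosts(hosts=HOSTS, segments=SEGMENTS):
    """Hosts attached to more than one segment, with the segments they bridge.

    Each of these is a potential pivot regardless of how many NATs sit in front.
    """
    result = {}
    for host, addrs in hosts.items():
        segs = segments_of(addrs, segments)
        if len(segs) > 1:
            result[host] = segs
    return result


def reachable_segments(start, hosts=HOSTS, segments=SEGMENTS):
    """Segments an attacker starting on `start` can reach via host pivots.

    Breadth-first search over segments: being on a segment gives access to every
    host attached to it; owning a host gives access to every segment it touches.
    Routers are assumed not to forward inbound, so only hosts create edges.
    """
    host_segs = {h: segments_of(a, segments) for h, a in hosts.items()}
    seen = {start}
    queue = deque([start])
    while queue:
        seg = queue.popleft()
        for segs in host_segs.values():
            if seg not in segs:
                continue
            for other in segs - seen:
                seen.add(other)
                queue.append(other)
    return seen


if __name__ == "__main__":
    print("dual-homed hosts:", dual_homed_hosts())
    print("reachable from wifi:", sorted(reachable_segments("wifi")))
    single_homed = {h: a for h, a in HOSTS.items() if h != "laptop"}
    print("reachable from wifi without the laptop:",
          sorted(reachable_segments("wifi", hosts=single_homed)))
```

Run stand-alone it reports the laptop as the only dual-homed host and shows that from the WiFi subnet the internal LAN is reachable only while that laptop is on both networks; removing the second interface (or, as the reply suggests, dropping the extra NATs and relying on WPA2 and patching) is what changes the result, not the number of routers in front.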