> >Instead, (for the truly paranoid, I guess) here's another network.
> >This one uses another router to NAT and isolate the entire WiFi
> >network behind a single IP from the outer network.  (SOHO Router/NAT
> >boxes are cheap.)
> >
> >
> >             New                     Old
> >            Router                  Router
> >{internet}--[W  L]-(10.10.10/24)-+-[W  L]-(192.168.1/24)---->Internal LAN
> >                                 |
> >                                 |
> >                                 +-[W  L]-(10.1.1/24)-+---[WiFi AP#1]
> >                                     New              |
> >                                    Router            +---[WiFi AP#2]
> >                                     #2               |
> >                                                     etc.
>
>
> Okay, SOHO routers are cheap. I need to make sure that New Router #2 is
> resistant to ARP floods. Have you seen SOHO class routers that are so
> resistant? I can't justify buying big iron for this project.

Sorry, don't know that one.


> >Regardless of the network configuration, if the machines in your
> >Internal LAN are going to connect to the WiFi via their wireless
> >network interfaces while being on the wired LAN via the ethernet
> >interfaces ... why bother with all of this?
>
> Are you saying that using WiFi would compromise this one computer or that
> doing so would allow the dual-connected computer to bridge the two
> networks in an unprotected manner?

The default-route in the machine should take care of not sending
traffic to the WiFi network unnecessarily, methinks.

_If_ a bad guy were to get on the WiFi subnet then he doesn't have
to do an ARP flood.  He already has a direct route to one of your
internal machines via the 10.1.1/24 subnet.  _If_ he is able to
compromise that machine (i.e. own it, root it, whatever) then he has
direct access to your Internal LAN via the default-route path of
that box (192.168.1/24 subnet).  All that isolation you tried hard
to obtain by adding two NATs in the front side is moot because
you've given a back-door path.

But note the two _If_s in that paragraph.  (If this WiFi network
isn't open/public) you do have WPA2 for it, right?  And, you do
keep your internal machines patched, right?  Sometimes you do have
to trust something, so I'd put my trust in those two; forget about
the two new NATs and plug the WiFi APs into the 192.168.1/24 subnet
and call it a day.  And, maybe once a year change the very long WPA2
pw strings.


*************************************************************************
**  List info, subscription management, list rules, archives, privacy  **
**  policy, calmness, a member map, and more at http://www.cguys.org/  **
*************************************************************************

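The routing argument in the reply above (the dual-homed machine sends Internal LAN traffic out its wired interface, while an attacker on the WiFi subnet has an on-link path to that machine's wireless address) can be modelled with a small longest-prefix-match route lookup. This is an added example, not code from the original thread or the cguys.org list; the subnets are the ones in the quoted diagram, while the host addresses (eth0 192.168.1.50, wlan0 10.1.1.50), the internal target 192.168.1.10 and the attacker's gateway 10.1.1.1 are assumptions made for the example.

```python
"""Route-selection model for the dual-homed Internal LAN machine.

Constructed example, not from the original post.  Subnets are the ones in
the thread's diagram; the host addresses (eth0 192.168.1.50, wlan0 10.1.1.50),
the internal target 192.168.1.10 and the WiFi gateway 10.1.1.1 are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network   # destination prefix
    iface: str                      # outgoing interface
    via: Optional[str] = None       # next hop; None means on-link (directly connected)


# Routing table of the dual-homed Internal LAN machine: two connected routes
# plus a default route pointing at the Old Router on the wired side.
HOST_ROUTES: List[Route] = [
    Route(ipaddress.ip_network("192.168.1.0/24"), "eth0"),
    Route(ipaddress.ip_network("10.1.1.0/24"), "wlan0"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", via="192.168.1.1"),
]

# Routing table of an attacker who has joined the WiFi subnet (assumed gateway).
ATTACKER_ROUTES: List[Route] = [
    Route(ipaddress.ip_network("10.1.1.0/24"), "wlan0"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "wlan0", via="10.1.1.1"),
]


def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def egress_interface(routes: List[Route], dst: str) -> str:
    """Interface a locally originated packet to dst leaves on."""
    return lookup(routes, dst).iface


def attacker_on_link(dst: str) -> bool:
    """True when the WiFi attacker reaches dst with no gateway in between."""
    return lookup(ATTACKER_ROUTES, dst).via is None


def forwards_transit_packet(routes: List[Route], dst: str,
                            ip_forward: bool) -> Optional[str]:
    """Egress interface for a packet the host merely relays, or None if dropped.

    A transit packet (addressed to some other host) is relayed only when IP
    forwarding is enabled; it then follows the same route lookup as local
    traffic.  This models the kernel's forwarding switch, not a pivot run
    from a shell on the box, which originates its own traffic.
    """
    if not ip_forward:
        return None
    return egress_interface(routes, dst)


if __name__ == "__main__":
    # 1. Normal operation: Internal LAN and Internet traffic stay on the wire.
    print("to 192.168.1.10 via", egress_interface(HOST_ROUTES, "192.168.1.10"))
    print("to 8.8.8.8 via", egress_interface(HOST_ROUTES, "8.8.8.8"))
    # 2. The attacker reaches the host's wlan0 address directly, no ARP flood needed.
    print("attacker on-link with 10.1.1.50:", attacker_on_link("10.1.1.50"))
    # 3. Once the host is owned, its own table carries traffic to the Internal LAN.
    print("owned host to 192.168.1.10 via", egress_interface(HOST_ROUTES, "192.168.1.10"))
    # 4. Plain transit through an un-owned host depends on the forwarding switch.
    print("transit, ip_forward=1:", forwards_transit_packet(HOST_ROUTES, "192.168.1.10", True))
    print("transit, ip_forward=0:", forwards_transit_packet(HOST_ROUTES, "192.168.1.10", False))
```

The two `forwards_transit_packet` calls show why disabling IP forwarding on the dual-homed machine is not the same as isolation: it stops the box from relaying packets for an attacker who has not compromised it, but a rooted box originates its own connections and still uses its 192.168.1/24 connected route, which is exactly the back-door path the reply describes.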