On Saturday, 2 June 2007 23:49:41, Waldemar Brodkorb wrote:
> Hi Karsten,

Hi Karsten (& Waldemar),

> On Thu, 31 May 2007 at 17:37 +0200, Karsten Ensinger wrote:
> > Is it possible to force Freewrt to tag all packages one receives
> > via WLAN with a specific VLAN-ID (say VLAN7) and prohibit any
> > possibility to "fake" a different VLAN-ID via WLAN (this means
> > to force substitution of any already included VLAN-ID into the
> > specific one (VLAN7) or alternatively to drop packages already
> > tagged on reception)?
>
> I have no idea. You have a vconfig utility in the base install on
> Linksys/Asus/Netgear routers. Did you try to play with it?

I think that's not really working and you really should use the multiple SSID feature like Waldemar told you before. It's the only way to securely separate the traffic.

VLANs are indeed for separating networks from each other. But this can only be done safely if they never used the same media before. In a switch this is quite simple. If a packet comes from port A then it's part of VLAN 1 (for example) and is allowed to be transmitted to port B and C, because these ports are also in the same VLAN. But it is not allowed to be sent to any other port (or different VLAN IDs) at all. As you can imagine, this is quite secure ;-)

In a normal WLAN environment you have one shared medium and it's too late if you try to separate the packets on your access point. Even if you can configure multiple VLANs on your WLAN interface, this will not be safe, because you need something in the traffic to decide which packet is part of which VLAN and you cannot use a "port" information like in a real switch, but everything else (IP, MAC, and so on) can be spoofed and so it will never be really secure.

With different SSIDs you can be sure that you use completely different WLAN networks, because you can use a different encryption key for your personal WLAN network and so on. This also protects you from someone sniffing in your traffic.
If you only would tag packets on the access point (and this would really work) then it would not protect you from having someone else sniffing in your WLAN traffic (again the shared medium thing!).

So it's best to just use different SSIDs (virt. access points) and then iptables/arptables to protect both WLAN networks from each other. If you like then you can also tag your private WLAN packets for your switch, but this time it's safe because you don't share the medium with others.

[...]
> > Who said it would be an easy problem? ;-)
[...]
> Who said it would be an easy answer ;)

Who wants it easy? Nerds need the challenge... ;-)
But enough challenge for me for today... good night *yawn*,

Ralph
_______________________________________________
freewrt-users mailing list
freewrt-users@freewrt.org
https://www.freewrt.org/lists/listinfo/freewrt-users
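
The port-based VLAN membership described in the reply above, as an added sketch that is not part of the original mail: the VLAN is taken only from the ingress port, and a frame that arrives already carrying an 802.1Q tag is dropped. Ports D and E, the VLAN 7 assignment and the sample frames are constructed assumptions for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Constructed port table: each access port belongs to exactly one VLAN.
PORT_VLAN = {"A": 1, "B": 1, "C": 1, "D": 7, "E": 7}


def carried_vlan(frame: bytes):
    """Return the VLAN ID a frame claims for itself, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID


def egress_ports(ingress: str, frame: bytes):
    """Ports a flooded frame may leave on, decided by the ingress port alone."""
    if carried_vlan(frame) is not None:
        return []  # sender-supplied tag on an access port is never trusted: drop
    vlan = PORT_VLAN[ingress]
    return sorted(p for p, v in PORT_VLAN.items() if v == vlan and p != ingress)


def make_frame(vlan=None):
    """Build a constructed broadcast frame, optionally with an 802.1Q tag."""
    dst, src = b"\xff" * 6, bytes.fromhex("020000000001")
    tag = struct.pack("!HH", TPID_8021Q, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", 0x0800) + b"\x00" * 46


if __name__ == "__main__":
    print(egress_ports("A", make_frame()))        # untagged, from a VLAN 1 port
    print(egress_ports("D", make_frame()))        # untagged, from a VLAN 7 port
    print(egress_ports("D", make_frame(vlan=1)))  # claims VLAN 1 from a VLAN 7 port
```

The decision never reads anything the sender controls except to reject it, which is exactly the "port" information that a shared wireless medium cannot provide.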