On Sun, 2003-09-07 at 09:00, C. Dummy wrote:
> So running a third nic and dmz with the wap on that would be a little bit
> better solution? But do I really need a wap router in this case or just
> a Bering box and wap would be enough?
> Do you run the WAP scope 192.168.10.0/24 from the uplink on your switch or just
> from a regular rj45 for the network?
That is one school of thought. It is no different, as far as the kernel is concerned. Not better, just different, and easier to understand from the hardware point of view. Modern networking techniques make this approach obsolete, however.

If you buy a complete Wireless Access Point, and configure it as a bridge, and attach an IP address that is outside the scope of your internal LAN, then there is no way any communication will take place from the wireless scope to the internal LAN scope. The WAP just does not have the know-how to bridge an IP that is not on its scope. Then, configure only the services you need to listen on the WAP scope.

Example:

Your Internal Wired LAN is 192.168.0.0 netmask 255.255.255.0
Your WAP (bridging mode) IP address = 192.168.10.1 netmask 255.255.255.0

Now configure your squid proxy to listen on 192.168.10.254
Add a dhcpd entry to allocate addresses on the 192.168.10.0/24 subnet

From your wireless LAN, there will ONLY be one working address on the LAN, and that will be the squid proxy, for which you will need a password to use. Carefully enable other secured services as required, viz sshd.

Your Internal LAN is now separate from your WAP LAN, yet they use the same cabling, and you haven't needed to write one single iptables entry.

The above example should just 'work', but there will likely be issues since it was off the top of my head.

This is "iproute2" networking, otherwise called "policy routing". Later on, if you are so inclined, you can fiddle with this some more, by adding rules and multiple routing tables on the basis of "Routing Policy". Rarely do you need to return to iptables to set Networking Policy. Networking is fun again.. 8-))

HTH,
Steve

-------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
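As an added example (not from Steve's message or the LEAF project), a small POSIX shell script that renders the configuration fragments for the setup described above and audits a `netstat -ln` listing for services bound to the wildcard address, which listen on the WAP scope as well as the wired LAN. The interface name, the DHCP range, the squid port and the ncsa_auth paths are assumptions, and the netstat lines are constructed.

```sh
#!/bin/sh
# Added example for the WAP-scope setup in the post above; interface name,
# DHCP range, squid port and auth helper path are assumptions, not from the post.
WAP_NET=192.168.10.0
WAP_MASK=255.255.255.0
PROXY_IP=192.168.10.254      # squid listens here, per the post
LAN_IF=eth0                  # assumed wired interface shared by both scopes

# iproute2 step: a second address in the WAP scope on the same wire, no iptables.
wap_addr_cmd() {
    echo "ip addr add ${PROXY_IP}/24 dev ${LAN_IF} label ${LAN_IF}:wap"
}

# dhcpd.conf fragment: leases only from the WAP subnet, and no 'option routers'
# because the only thing a wireless client needs to reach is the proxy.
dhcpd_fragment() {
    cat <<EOF
subnet ${WAP_NET} netmask ${WAP_MASK} {
    range 192.168.10.100 192.168.10.200;
}
EOF
}

# squid.conf fragment: bind to the WAP-scope address only (never 0.0.0.0) and
# require a password, so the proxy is the single usable service on that scope.
squid_fragment() {
    cat <<EOF
http_port ${PROXY_IP}:3128
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
acl wap src ${WAP_NET}/24
acl authed proxy_auth REQUIRED
http_access allow wap authed
http_access deny all
EOF
}

# Audit: read 'netstat -ln' lines on stdin and print every TCP/UDP local
# address bound to 0.0.0.0, i.e. a service that also answers on the WAP scope.
wildcard_listeners() {
    awk '$1 ~ /^(tcp|udp)$/ && $4 ~ /^0\.0\.0\.0:/ { print $4 }'
}

# Constructed netstat output: squid bound correctly, sshd and syslog bound to
# every address (the kind of listener to narrow to one address or disable).
SAMPLE_NETSTAT='tcp 0 0 192.168.10.254:3128 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:514 0.0.0.0:*'

if [ "${1:-}" = "--show" ]; then
    wap_addr_cmd; dhcpd_fragment; squid_fragment
    printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
fi
```

Run it with `--show` to print the fragments and the audit result for the constructed listing.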
