On Tue, Feb 13, 2007 at 04:40:06PM -0800, ECEG / Daniel Duerr wrote:

> My neighbor isn't as lucky as me but has a line-of-sight to my house so
> I've extended my wireless network to their house with a simple repeater
> setup. Because they are on my LAN, however, they also have access to
> everything else in my local network (samba, SSH, http) which is not so
> good. We use the wireless network in the house, so we need wireless
> access as well.
Well, strictly speaking, using a wireless network as your LAN is inherently risky; your neighbor is not the only person who can get on it. What you need in that case is to either treat the LAN as untrusted (run a packet filter on every system), or require some kind of authentication (e.g. IPSec) before allowing two hosts to talk to each other.

> I'd like to come up with a relatively secure way of designating my
> LAN as one zone and my neighbor(s) as a separate zone.

Basically you can carry two distinct networks of traffic on the same hardware, but it requires that the hardware support VLANs, and anything which wants to be on two VLANs either requires two network adapters on separate VLANs or requires a special link with "trunking". However, typically VLANs would be physically separate, and you'd just multiplex their traffic on some physical devices for economic reasons or convenience.

What you have is one wireless network with two distinct classes of nodes; you, and your neighbor. For very primitive security, you could simply assign separate networks to them; 192.168.1/24 and 192.168.2/24; the systems will not be able to communicate with each other without a router that has IPs on both networks. Of course, your neighbor could change his IP address to match yours. For real security you'd need to protect the services that need protecting via IPSec or SSH (see the port, SOCKS, and layer 2/3 forwarding) or some other kind of secure network connection.

> Does anyone have any thoughts on a more streamlined approach where I
> could negate having multiple wireless networks? I'd love to hear
> everyone's thoughts...

That's actually the problem; you've got one wireless network, and nothing between the hosts on that network. Firewalls are deployed between networks with different trust levels. You can either break it up into different networks with a firewall between them, or place some kind of boundary between the hosts (e.g. a packet filter on every system).
One solution is to consider an ad-hoc network that connects you and your neighbor, which wouldn't require an access point, and use the firewall in between. I think that might work, and would only seem to require a wifi NIC.

-- 
Good code works. Great code can't fail. -><-
<URL:http://www.subspacefield.org/~travis/>
For a good time on my UBE blacklist, email [EMAIL PROTECTED]
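The "primitive security" the reply describes, two subnets on one wireless segment plus a packet filter on every system, can be written down as a per-host policy and run over a handful of connection attempts. The block below is an added example for this thread, not code from the original post or from any tool it mentions; the subnets come from the reply, while the port numbers for samba, SSH and http, the one "shared" service (DNS) the neighbor is allowed to reach, and the sample connection attempts are assumptions constructed here. The last sample shows the weakness the reply points out: a neighbor who changes his address into the house range passes an IP-only filter, which is why the reply recommends IPSec or SSH for anything that really needs protecting.

```python
import ipaddress
from dataclasses import dataclass

# The two zones from the reply: one subnet per class of node on the same radio.
HOUSE_LAN = ipaddress.ip_network("192.168.1.0/24")
NEIGHBOR_LAN = ipaddress.ip_network("192.168.2.0/24")

# Services the original poster wants kept inside the house.
# Port numbers are the standard ones and are an assumption of this example.
PROTECTED_PORTS = {22: "ssh", 80: "http", 139: "samba", 445: "samba"}

# A service the neighbor is deliberately allowed to use on the house gateway
# (assumption: shared DNS so the neighbor's link is still useful).
SHARED_PORTS = {53: "dns"}


@dataclass(frozen=True)
class Attempt:
    """One inbound connection attempt seen by a host's packet filter."""
    src: str
    dst_port: int


def zone_of(src: str) -> str:
    """Classify a source address by subnet; anything else is 'unknown'."""
    addr = ipaddress.ip_address(src)
    if addr in HOUSE_LAN:
        return "house"
    if addr in NEIGHBOR_LAN:
        return "neighbor"
    return "unknown"


def decide(attempt: Attempt) -> str:
    """Per-host filter decision: protected services only from the house zone,
    shared services from either zone, everything else dropped (default deny)."""
    zone = zone_of(attempt.src)
    if attempt.dst_port in PROTECTED_PORTS:
        return "allow" if zone == "house" else "deny"
    if attempt.dst_port in SHARED_PORTS:
        return "allow" if zone in ("house", "neighbor") else "deny"
    return "deny"


def run_filter(attempts):
    """Evaluate a batch of attempts; returns (src, port, service, decision) rows."""
    rows = []
    for a in attempts:
        service = PROTECTED_PORTS.get(a.dst_port) or SHARED_PORTS.get(a.dst_port) or "other"
        rows.append((a.src, a.dst_port, service, decide(a)))
    return rows


# Constructed sample traffic; the comments say what the filter should do.
SAMPLE = [
    Attempt("192.168.1.10", 22),   # house laptop reaching SSH: allow
    Attempt("192.168.2.20", 445),  # neighbor reaching samba: deny
    Attempt("192.168.2.20", 53),   # neighbor using shared DNS: allow
    Attempt("192.168.1.99", 445),  # neighbor after moving into the house range: allow (IP-only filtering cannot tell)
    Attempt("10.0.0.5", 80),       # unknown zone, http: deny
]

if __name__ == "__main__":
    for src, port, service, verdict in run_filter(SAMPLE):
        print(f"{src:>14} -> {port:<4} {service:<6} {verdict}")
```

The fourth row is the point of the exercise: the filter does exactly what it was told, and the address check is the only thing it has, so once the neighbor picks a 192.168.1.x address the subnet split offers nothing. An authenticated layer (IPSec between hosts, or SSH in front of the services) is what turns the zone boundary into something an address change cannot cross.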