Re: WAP setup problems
Hello,

On Wed, 6 Feb 2008, Brian Richardson wrote:

> Stefan Kell wrote:
> > some other questions: why a bridge and why not simple router with pf?
> > What is your bridge configuration?
>
> vr0 is internal interface.
> ral0 is wireless interface.
>
> brconfig bridge0 add ral0
> brconfig bridge0 add vr0
> brconfig bridge0 rulefile /etc/bridge0.rules
>
> /etc/bridge0.rules:
> pass in on ral0 src 11:de:ad:be:ef:11
> pass out on vr0 dst 11:de:ad:be:ef:11
> block in/out on ral0
>
> As to why the bridge? I'm not aware of any other way to use MAC
> filtering to limit access to the external interface.
>
> Regards,
> Brian

I am not sure if I understand all of your intentions but I think you should use only one subnet for your whole network. Then dhcpd can assign addresses without problems and the bridge will separate the wireless lan from the rest. I don't think this is a very secure solution and I would prefer to use authpf and no bridge.

Regards
Stefan Kell
Re: WAP setup problems
James Hartley wrote:
> PF can be used to filter on a bridge. See Section 6.9 of the FAQ for an
> example.

I saw the tagging example. But I'm having trouble seeing how it can be applied simply to DHCP traffic. I want to limit the number of rules I use, so I use simple pass in/out with explicit block rules.

Regards,
Brian
Re: WAP setup problems
Stefan Kell wrote:
> some other questions: why a bridge and why not simple router with pf?
> What is your bridge configuration?

vr0 is internal interface.
ral0 is wireless interface.

brconfig bridge0 add ral0
brconfig bridge0 add vr0
brconfig bridge0 rulefile /etc/bridge0.rules

/etc/bridge0.rules:
pass in on ral0 src 11:de:ad:be:ef:11
pass out on vr0 dst 11:de:ad:be:ef:11
block in/out on ral0

As to why the bridge? I'm not aware of any other way to use MAC filtering to limit access to the external interface.

Regards,
Brian
Re: WAP setup problems
On Feb 6, 2008 1:10 PM, Stefan Kell <[EMAIL PROTECTED]> wrote:
> some other questions: why a bridge and why not simple router with pf?

PF can be used to filter on a bridge. See Section 6.9 of the FAQ for an example.
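
The bridge-level tagging referred to above, applied to the interfaces and MAC address from this thread, as an added example that is not part of any poster's message: the bridge rule tags frames from a registered MAC instead of blocking everything else, and pf decides by tag what may leave the local subnets. The tag name REGISTERED and the macro local_nets are assumptions; the bridge rule form is the one described in brconfig(8).

```conf
# --- /etc/bridge0.rules (loaded with: brconfig bridge0 rulefile /etc/bridge0.rules)
# Tag frames from a registered wireless MAC. No "block in/out on ral0" here:
# unregistered guests must still cross the bridge to reach local machines.
pass in on ral0 src 11:de:ad:be:ef:11 tag REGISTERED

# --- /etc/pf.conf fragment
# Subnets taken from the dhcpd.conf quoted in this thread.
local_nets = "{ 192.168.1.0/24, 192.168.2.0/24 }"   # assumed macro name

# Default for anything arriving from the wireless side.
block in on ral0

# Guests (untagged): local traffic only, e.g. copying files in the same room.
pass in on ral0 from any to $local_nets

# Registered MACs (tagged by the bridge rule): any destination.
pass in on ral0 tagged REGISTERED

# Notes:
# - dhcpd reads frames through bpf(4), so these pf rules do not change which
#   interface answers a DHCPDISCOVER.
# - A MAC address is set by the client, so the tag identifies a claimed
#   address, not a user; authpf authenticates the user instead.
```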
Re: WAP setup problems
Hello,

Original Message
> Date: Tue, 05 Feb 2008 18:55:43 -0700
> From: Brian Richardson <[EMAIL PROTECTED]>
> To: Stefan Kell <[EMAIL PROTECTED]>
> CC: misc@openbsd.org
> Subject: Re: WAP setup problems

> Stefan Kell wrote:
> > Did you try using one shared-network with two different subnets? You can
> > find an example within man dhcpd.conf.
> Yes, I did, with the same effect.
>
> Brian

some other questions: why a bridge and why not simple router with pf? What is your bridge configuration?

Regards
Stefan Kell
Re: WAP setup problems
Stefan Kell wrote:
> Did you try using one shared-network with two different subnets? You can
> find an example within man dhcpd.conf.

Yes, I did, with the same effect.

Brian
Re: WAP setup problems
Hi,

On Mon, 4 Feb 2008, Brian Richardson wrote:

...snip...

> My dhcpd.conf is as follows:
>
> --
> shared-network LOCAL-NET {
>     option domain-name "example.org";
>     option domain-name-servers 192.168.1.1;
>
>     subnet 192.168.1.0 netmask 255.255.255.0 {
>         option routers 192.168.1.1;
>         range 192.168.1.32 192.168.1.127;
>     }
>
>     host laptop {
>         hardware ethernet 00:de:ad:be:ef:00;
>         fixed-address 192.168.1.10;
>     }
> }
>
> shared-network WIRELESS-NET {
>     option domain-name "example.org";
>     option domain-name-servers 192.168.1.1;
>
>     subnet 192.168.2.0 netmask 255.255.255.0 {
>         option routers 192.168.2.1;
>         range 192.168.2.32 192.168.2.127;
>     }
>
>     host laptop-wireless {
>         hardware ethernet 11:de:ad:be:ef:11;
>         fixed-address 192.168.2.10;
>     }
> }
> --

snup

Did you try using one shared-network with two different subnets? You can find an example within man dhcpd.conf.

Regards
Stefan Kell
Re: WAP setup problems
On Feb 4, 2008 10:12 PM, Brian Richardson <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Here's my problem and my current understanding:
>
> I have 3 interfaces in my WAP box, external, internal and wireless.
>
> I'd like to have MAC filtering for addresses with access to the external
> network, but allow guests to connect to the wireless network to help
> with copying files around in the same room.
>
> I need to run dhcpd on both the internal interface and the wireless
> interface as guests might not have wireless. ALL clients on the wireless
> network MUST use DHCP to obtain their address.
>
> My dhcpd.conf is as follows:
>
> --
> shared-network LOCAL-NET {
>     option domain-name "example.org";
>     option domain-name-servers 192.168.1.1;
>
>     subnet 192.168.1.0 netmask 255.255.255.0 {
>         option routers 192.168.1.1;
>         range 192.168.1.32 192.168.1.127;
>     }
>
>     host laptop {
>         hardware ethernet 00:de:ad:be:ef:00;
>         fixed-address 192.168.1.10;
>     }
> }
>
> shared-network WIRELESS-NET {
>     option domain-name "example.org";
>     option domain-name-servers 192.168.1.1;
>
>     subnet 192.168.2.0 netmask 255.255.255.0 {
>         option routers 192.168.2.1;
>         range 192.168.2.32 192.168.2.127;
>     }
>
>     host laptop-wireless {
>         hardware ethernet 11:de:ad:be:ef:11;
>         fixed-address 192.168.2.10;
>     }
> }
> --
>
> So, the problem is that dhcpd listens on both ends of the bridge that
> would be used for MAC filtering. DHCPDISCOVER requests are acknowledged
> on both interfaces, and the wireless client will receive a random
> address from either the internal or wireless network. laptop does not
> consistently receive its fixed address. I understand why this is so, as
> the DHCPDISCOVER/DHCPOFFER packets cannot be filtered in BPF. HOWEVER, I
> have been unable to find dhcpd configuration which will prevent the
> request from being processed on both interfaces. If I turn off the
> bridge, I lose the MAC filtering. Is there any way I can have the setup
> I desire? Not all registered MAC addresses will have a fixed-address, so
> I can allow a guest access to the external network by simply adding
> their MAC address to the bridge.
>
> Thanks,
> Brian

First, I don't see your fixed-address hosts getting a router option. Also, my fixed-address hosts are part of the subnet, not outside it. Lastly, I don't have the shared-network "wrappers" around my subnet definitions, but that seems like an omission on my part.

Anyways, I've effectively got this same physical setup and it works perfectly in 4.1. Your laptop has two interfaces and a different MAC for each; assuming everything is configured right, dhcpd will give out the fixed IP mapped to the requesting MAC address. If you don't want both LAN and WLAN addresses, shut down the interface you don't care about.

Good luck.

--david