Re: WAP setup problems

2008-02-07 Thread Stefan Kell

Hello,

On Wed, 6 Feb 2008, Brian Richardson wrote:

Stefan Kell wrote:
some other questions: why a bridge and why not simple router with pf? What 
is your bridge configuration?

vr0 is internal interface. ral0 is wireless interface.

brconfig bridge0 add ral0
brconfig bridge0 add vr0
brconfig bridge0 rulefile /etc/bridge0.rules

/etc/bridge0.rules:

pass in on ral0 src 11:de:ad:be:ef:11
pass out on vr0 dst 11:de:ad:be:ef:11
block in/out on ral0

As to why the bridge? I'm not aware of any other way to use MAC filtering to 
limit access to the external interface.


Regards,
Brian



I am not sure if I understand all of your intentions but I think you
should use only one subnet for your whole network. Then dhcpd can assign
addresses without problems and the bridge will separate the wireless lan
from the rest.

I don't think this is a very secure solution and I would prefer to use
authpf and no bridge.

Regards

Stefan Kell



Re: WAP setup problems

2008-02-06 Thread Stefan Kell
Hello,

 Original Message 
 Date: Tue, 05 Feb 2008 18:55:43 -0700
 From: Brian Richardson [EMAIL PROTECTED]
 To: Stefan Kell [EMAIL PROTECTED]
 CC: misc@openbsd.org
 Subject: Re: WAP setup problems

 Stefan Kell wrote:
  Did you try using one shared-network with two different subnets? You can
  find an example within man dhcpd.conf.
 Yes, I did, with the same effect.
 
 Brian

some other questions: why a bridge and why not simple router with pf? What is 
your bridge configuration?

Regards

Stefan Kell



Re: WAP setup problems

2008-02-06 Thread James Hartley
On Feb 6, 2008 1:10 PM, Stefan Kell [EMAIL PROTECTED] wrote:
 some other questions: why a bridge and why not simple router with pf?

PF can be used to filter on a bridge.  See Section 6.9 of the FAQ for
an example.



Re: WAP setup problems

2008-02-06 Thread Brian Richardson

Stefan Kell wrote:

some other questions: why a bridge and why not simple router with pf? What is 
your bridge configuration?

vr0 is internal interface. ral0 is wireless interface.

brconfig bridge0 add ral0
brconfig bridge0 add vr0
brconfig bridge0 rulefile /etc/bridge0.rules

/etc/bridge0.rules:

pass in on ral0 src 11:de:ad:be:ef:11
pass out on vr0 dst 11:de:ad:be:ef:11
block in/out on ral0

As to why the bridge? I'm not aware of any other way to use MAC 
filtering to limit access to the external interface.


Regards,
Brian
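
A first-match evaluator for the brconfig rulefile quoted above, added here as an illustration and not code from this thread or from OpenBSD; it assumes the bridge(4) semantics that rules are tried in order, the first match decides, and a frame matching no rule is passed. Run over the two hardware-ethernet addresses from the thread's dhcpd.conf, it reports for each MAC whether its frames are admitted in on ral0 and whether replies addressed to it are allowed out on ral0 (the peer MAC is a constructed placeholder).

```python
# Added example, not code from the thread or from OpenBSD: a first-match
# evaluator for a brconfig(8) rulefile. Assumed bridge(4) semantics: rules
# are tried in order, the first match decides, an unmatched frame passes.
import re

RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in/out|in|out)\s+on\s+(?P<iface>\S+)"
    r"(?:\s+src\s+(?P<src>\S+))?(?:\s+dst\s+(?P<dst>\S+))?\s*$")

# The rulefile from the thread, embedded as constructed sample input.
BRIDGE0_RULES = """\
pass in on ral0 src 11:de:ad:be:ef:11
pass out on vr0 dst 11:de:ad:be:ef:11
block in/out on ral0
"""

def parse_rules(text):
    """Parse rulefile lines; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: " + line)
        rules.append({k: (v.lower() if v else v) for k, v in m.groupdict().items()})
    return rules

def evaluate(rules, direction, iface, src, dst):
    """Return 'pass' or 'block' for one frame seen on iface in direction."""
    src, dst = src.lower(), dst.lower()
    for r in rules:
        if r["iface"] != iface or (r["dir"] != "in/out" and r["dir"] != direction):
            continue
        if (r["src"] and r["src"] != src) or (r["dst"] and r["dst"] != dst):
            continue
        return r["action"]
    return "pass"  # assumed default when no rule matches

def client_path(rules, iface, mac, peer="00:00:5e:00:53:01"):
    """(in, out) verdicts for a client behind iface; peer is a constructed MAC."""
    return (evaluate(rules, "in", iface, mac, peer),
            evaluate(rules, "out", iface, peer, mac))

if __name__ == "__main__":
    for mac in ("11:de:ad:be:ef:11", "00:de:ad:be:ef:00"):  # dhcpd.conf hosts
        print(mac, "on ral0 (in, out):", client_path(parse_rules(BRIDGE0_RULES), "ral0", mac))
```

Under these semantics the second verdict for 11:de:ad:be:ef:11 shows why rule order matters in a first-match file: the final block in/out on ral0 line is the first rule that matches frames leaving ral0, whatever their destination.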



Re: WAP setup problems

2008-02-06 Thread Brian Richardson

James Hartley wrote:

PF can be used to filter on a bridge.  See Section 6.9 of the FAQ for
an example.

I saw the tagging example. But I'm having trouble seeing how it can be 
applied simply to DHCP traffic. I want to limit the number of rules I 
use, so I use simple pass in/out with explicit block rules.


Regards,
Brian



Re: WAP setup problems

2008-02-05 Thread Stefan Kell

Hi,

On Mon, 4 Feb 2008, Brian Richardson wrote:


...snip...

My dhcpd.conf is as follows:

--
shared-network LOCAL-NET {
  option domain-name "example.org";
  option domain-name-servers 192.168.1.1;

  subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    range 192.168.1.32 192.168.1.127;
  }

  host laptop {
    hardware ethernet 00:de:ad:be:ef:00;
    fixed-address 192.168.1.10;
  }
}

shared-network WIRELESS-NET {
  option domain-name "example.org";
  option domain-name-servers 192.168.1.1;

  subnet 192.168.2.0 netmask 255.255.255.0 {
    option routers 192.168.2.1;
    range 192.168.2.32 192.168.2.127;
  }

  host laptop-wireless {
    hardware ethernet 11:de:ad:be:ef:11;
    fixed-address 192.168.2.10;
  }
}
--

...snip...


Did you try using one shared-network with two different subnets? You can
find an example within man dhcpd.conf.

Regards

Stefan Kell



Re: WAP setup problems

2008-02-05 Thread Brian Richardson

Stefan Kell wrote:

Did you try using one shared-network with two different subnets? You can
find an example within man dhcpd.conf.

Yes, I did, with the same effect.

Brian



WAP setup problems

2008-02-04 Thread Brian Richardson

Hi,

Here's my problem and my current understanding:

I have 3 interfaces in my WAP box, external, internal and wireless.

I'd like to have MAC filtering for addresses with access to the external 
network, but allow guests to connect to the wireless network to help 
with copying files around in the same room.


I need to run dhcpd on both the internal interface and the wireless 
interface as guests might not have wireless. ALL clients on the wireless 
network MUST use DHCP to obtain their address.


My dhcpd.conf is as follows:

--
shared-network LOCAL-NET {
  option domain-name "example.org";
  option domain-name-servers 192.168.1.1;

  subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    range 192.168.1.32 192.168.1.127;
  }

  host laptop {
    hardware ethernet 00:de:ad:be:ef:00;
    fixed-address 192.168.1.10;
  }
}

shared-network WIRELESS-NET {
  option domain-name "example.org";
  option domain-name-servers 192.168.1.1;

  subnet 192.168.2.0 netmask 255.255.255.0 {
    option routers 192.168.2.1;
    range 192.168.2.32 192.168.2.127;
  }

  host laptop-wireless {
    hardware ethernet 11:de:ad:be:ef:11;
    fixed-address 192.168.2.10;
  }
}
--

So, the problem is that dhcpd listens on both ends of the bridge that 
would be used for MAC filtering. DHCPDISCOVER requests are acknowledged 
on both interfaces, and the wireless client will receive a random 
address from either the internal or wireless network. laptop does not 
consistently receive its fixed address. I understand why this is so, as 
the DHCPDISCOVER/DHCPOFFER packets cannot be filtered in BPF. HOWEVER, I 
have been unable to find dhcpd configuration which will prevent the 
request from being processed on both interfaces. If I turn off the 
bridge, I lose the MAC filtering. Is there any way I can have the setup 
I desire? Not all registered MAC addresses will have a fixed-address, so 
I can allow a guest access to the external network by simply adding 
their MAC address to the bridge.


Thanks,
Brian



Re: WAP setup problems

2008-02-04 Thread David Higgs
On Feb 4, 2008 10:12 PM, Brian Richardson [EMAIL PROTECTED] wrote:
 Hi,

 Here's my problem and my current understanding:

 I have 3 interfaces in my WAP box, external, internal and wireless.

 I'd like to have MAC filtering for addresses with access to the external
 network, but allow guests to connect to the wireless network to help
 with copying files around in the same room.

 I need to run dhcpd on both the internal interface and the wireless
 interface as guests might not have wireless. ALL clients on the wireless
 network MUST use DHCP to obtain their address.

 My dhcpd.conf is as follows:

 --
 shared-network LOCAL-NET {
   option domain-name "example.org";
   option domain-name-servers 192.168.1.1;

   subnet 192.168.1.0 netmask 255.255.255.0 {
     option routers 192.168.1.1;
     range 192.168.1.32 192.168.1.127;
   }

   host laptop {
     hardware ethernet 00:de:ad:be:ef:00;
     fixed-address 192.168.1.10;
   }
 }

 shared-network WIRELESS-NET {
   option domain-name "example.org";
   option domain-name-servers 192.168.1.1;

   subnet 192.168.2.0 netmask 255.255.255.0 {
     option routers 192.168.2.1;
     range 192.168.2.32 192.168.2.127;
   }

   host laptop-wireless {
     hardware ethernet 11:de:ad:be:ef:11;
     fixed-address 192.168.2.10;
   }
 }
 --

 So, the problem is that dhcpd listens on both ends of the bridge that
 would be used for MAC filtering. DHCPDISCOVER requests are acknowledged
 on both interfaces, and the wireless client will receive a random
 address from either the internal or wireless network. laptop does not
 consistently receive its fixed address. I understand why this is so, as
 the DHCPDISCOVER/DHCPOFFER packets cannot be filtered in BPF. HOWEVER, I
 have been unable to find dhcpd configuration which will prevent the
 request from being processed on both interfaces. If I turn off the
 bridge, I lose the MAC filtering. Is there any way I can have the setup
 I desire? Not all registered MAC addresses will have a fixed-address, so
 I can allow a guest access to the external network by simply adding
 their MAC address to the bridge.

 Thanks,
 Brian

First, I don't see your fixed-address hosts getting a router option.
Also, my fixed-address hosts are part of the subnet, not outside it.
Lastly, I don't have the shared-network wrappers around my subnet
definitions, but that seems like an omission on my part.

Anyways, I've effectively got this same physical setup and it works
perfectly in 4.1.  Your laptop has two interfaces and a different MAC
for each; assuming everything is configured right, dhcpd will give out
the fixed IP mapped to the requesting MAC address.  If you don't want
both LAN and WLAN addresses, shut down the interface you don't care
about.

Good luck.

--david