Re: [WISPA] Preventing backwards router problems

2008-09-05 Thread Andrew Niemantsverdriet
I am using a Linux box as the router, I am going to add a couple more
interfaces to that box and call the problem solved for now. Going
forward I will be looking at a topology change to prevent these
issues. PPPoE looks like the ticket.

On Thu, Sep 4, 2008 at 11:07 PM, Butch Evans [EMAIL PROTECTED] wrote:
 On Thu, 4 Sep 2008, Charles Wyble wrote:

- Many APs have client isolation, which keeps traffic from one
client going to another.  Some switches have this as well.

Wouldn't all switches have this by design and during normal
operation (various exploits to sniff traffic non withstanding of
course).

 Charles,
 All switches do not, unfortunately, have this capability.  The
 switches (low end) will stop SOME traffic, but broadcast traffic
 (like DHCP DISCOVER) will NOT be stopped by the switch.  In fact, if
 the switch DID stop this traffic, you'd not be able to do DHCP on a
 switched network, which is, of course, possible.

- PPPoE or similar between the customer premise and your network
core

 Clint,
 I agree that this is probably a best solution, but given the network
 he described, I'd approach it in a slightly different way.  I can't
 recall who initially asked the question that started this thread,
 but my initial reaction, given the information you've provided
 regarding the network design.

 First, as Clint suggested, you should consider some design changes
 that would make the network more reliable AND easier to
 troubleshoot.  With the network gear you've described, there is no
 easy way to create the separation between the APs.  His suggestion
 to ensure you have client to client comms turned off is the first
 step.  In order to create separation between the APs, you have one
 of 2 quick/easy choices.  First, you can configure your switch to
 put each of the APs on a unique VLAN, then configure the router on
 the trunk port and separate/manage the traffic at the router.  This
 is going to be the cheapest option IF your switch already supports
 VLANs with a trunk port option.

 The second option would be to physically separate the APs by putting
 them into different ports on your router (instead of on a switch).
 This option, of course, assumes you either already have the spare
 ethernet ports, or could add them easier/cheaper than you could do
 so with a switch.  You never did mention what type of router you
 have.  Please fill in this detail and we can provide a better/more
 complete answer.

 --
 
 *Butch Evans*Professional Network Consultation *
 *Network Engineering*MikroTik RouterOS *
 *573-276-2879   *ImageStream   *
 *http://www.butchevans.com/ *StarOS and MORE   *
 *http://blog.butchevans.com/*Wired or wireless Networks*
 *Mikrotik Certified Consultant  *Professional Technical Trainer*
 


 
 WISPA Wants You! Join today!
 http://signup.wispa.org/
 

 WISPA Wireless List: wireless@wispa.org

 Subscribe/Unsubscribe:
 http://lists.wispa.org/mailman/listinfo/wireless

 Archives: http://lists.wispa.org/pipermail/wireless/






Re: [WISPA] Preventing backwards router problems

2008-09-05 Thread Charles Wyble
Jeff Broadwick wrote:
 Just a word of caution, native Linux will only work up to a certain point
 with PPPoE/L2TP.

 Jeff 
Can you expand on that a bit?

I mean obviously you need other bits to make a complete solution 
(RADIUS/DNS/DHCP  maybe some LDAP/Cert Authority/VPN). I would 
recommend Zeroshell or Untangle
for a pretty complete solution. You probably also want some routing 
capabilities and for that I would recommend Vyatta.

Is there anything lacking in the PPPoE/L2TP bits themselves on Linux? Do 
they not implement all the specs?






Re: [WISPA] Preventing backwards router problems

2008-09-05 Thread Dennis Burgess
What they make Mikrotik for! :) 

--
* Dennis Burgess, CCNA, A+, Mikrotik Certified Trainer
Link Technologies, Inc -- Mikrotik  WISP Support Services*
314-735-0270
http://www.linktechs.net http://www.linktechs.net/

*/ Link Technologies, Inc is offering LIVE Mikrotik On-Line Training 
http://www.linktechs.net/onlinetraining.asp/*



Jeff Broadwick wrote:
 Just a word of caution, native Linux will only work up to a certain point
 with PPPoE/L2TP.

 Jeff 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
 Behalf Of Andrew Niemantsverdriet
 Sent: Friday, September 05, 2008 10:17 AM
 To: WISPA General List
 Subject: Re: [WISPA] Preventing backwards router problems

 I am using a Linux box as the router, I am going to add a couple more
 interfaces to that box and call the problem solved for now. Going forward I
 will be looking at a topology change to prevent these issues. PPPoE looks
 like the ticket.

 On Thu, Sep 4, 2008 at 11:07 PM, Butch Evans [EMAIL PROTECTED] wrote:
   
 On Thu, 4 Sep 2008, Charles Wyble wrote:

 
 - Many APs have client isolation, which keeps traffic from one client 
 going to another.  Some switches have this as well.
 
 Wouldn't all switches have this by design and during normal operation 
 (various exploits to sniff traffic non withstanding of course).
   
 Charles,
 All switches do not, unfortunately, have this capability.  The 
 switches (low end) will stop SOME traffic, but broadcast traffic (like 
 DHCP DISCOVER) will NOT be stopped by the switch.  In fact, if the 
 switch DID stop this traffic, you'd not be able to do DHCP on a 
 switched network, which is, of course, possible.

 
 - PPPoE or similar between the customer premise and your network core
 
 Clint,
 I agree that this is probably a best solution, but given the network 
 he described, I'd approach it in a slightly different way.  I can't 
 recall who initially asked the question that started this thread, but 
 my initial reaction, given the information you've provided regarding 
 the network design.

 First, as Clint suggested, you should consider some design changes 
 that would make the network more reliable AND easier to troubleshoot.  
 With the network gear you've described, there is no easy way to create 
 the separation between the APs.  His suggestion to ensure you have 
 client to client comms turned off is the first step.  In order to 
 create separation between the APs, you have one of 2 quick/easy 
 choices.  First, you can configure your switch to put each of the APs 
 on a unique VLAN, then configure the router on the trunk port and 
 separate/manage the traffic at the router.  This is going to be the 
 cheapest option IF your switch already supports VLANs with a trunk 
 port option.

 The second option would be to physically separate the APs by putting 
 them into different ports on your router (instead of on a switch).
 This option, of course, assumes you either already have the spare 
 ethernet ports, or could add them easier/cheaper than you could do so 
 with a switch.  You never did mention what type of router you have.  
 Please fill in this detail and we can provide a better/more complete 
 answer.

 --
 
 *Butch Evans*Professional Network Consultation *
 *Network Engineering*MikroTik RouterOS *
 *573-276-2879   *ImageStream   *
 *http://www.butchevans.com/ *StarOS and MORE   *
 *http://blog.butchevans.com/*Wired or wireless Networks*
 *Mikrotik Certified Consultant  *Professional Technical Trainer*
 



Re: [WISPA] Preventing backwards router problems

2008-09-05 Thread jefflist
It's a scale issue.  I wish I could tell you exactly where it will fail, but 
there are a lot of variables.  We've been able to get 3000 plus users, but that 
takes a powerful system, lots of RAM, and a LOT of work with Linux itself.

Jeff

Sent from my Palm PDA.

-Original Message-

From:  Charles Wyble [EMAIL PROTECTED]
Subj:  Re: [WISPA] Preventing backwards router problems
Date:  Fri Sep 5, 2008 12:59 pm
Size:  973 bytes
To:  WISPA General List wireless@wispa.org

Jeff Broadwick wrote:
 Just a word of caution, native Linux will only work up to a certain point
 with PPPoE/L2TP.

 Jeff 
Can you expand on that a bit?

I mean obviously you you need other bits to make a complete solution 
(RADIUS/DNS/DHCP  maybe some LDAP/Cert Authority/VPN). I would 
recommend Zeroshell or Untangle
for a pretty complete solution. You probably also want some routing 
capabilities and for that I would recommend Vyatta.

Is there anything lacking in the PPPoE/L2TP bits themselves on Linux? Do 
they not implement all the specs?





--- message truncated ---







Re: [WISPA] Preventing backwards router problems

2008-09-05 Thread Jeff Broadwick
Hi Charles,

It's a scale issue.  I wish I could tell you exactly where it will fail, but
there are a lot of variables.

We've been able to get 3000 plus users, but that takes a powerful system,
lots of RAM, and a LOT of work with Linux itself.

Regards,

Jeff
ImageStream 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Charles Wyble
Sent: Friday, September 05, 2008 12:52 PM
To: WISPA General List
Subject: Re: [WISPA] Preventing backwards router problems

Jeff Broadwick wrote:
 Just a word of caution, native Linux will only work up to a certain 
 point with PPPoE/L2TP.

 Jeff
Can you expand on that a bit?

I mean obviously you you need other bits to make a complete solution 
(RADIUS/DNS/DHCP  maybe some LDAP/Cert Authority/VPN). I would 
recommend Zeroshell or Untangle
for a pretty complete solution. You probably also want some routing 
capabilities and for that I would recommend Vyatta.

Is there anything lacking in the PPPoE/L2TP bits themselves on Linux? Do 
they not implement all the specs?











Re: [WISPA] Preventing backwards router problems

2008-09-05 Thread Charles Wyble
Jeff Broadwick wrote:
 Hi Charles,

 It's a scale issue.  I wish I could tell you exactly where it will fail, but
 there are a lot of variables.
   

Oh certainly. The Linux kernel and user space could use a whole lot of 
tuning in many many many many places. :)

 We've been able to get 3000 plus users, but that takes a powerful system,
 lots of RAM, and a LOT of work with Linux itself.
   

Oh yeah I can imagine. Lots of tuning required certainly. 





Re: [WISPA] Preventing backwards router problems

2008-09-05 Thread Butch Evans
On Fri, 5 Sep 2008, Dennis Burgess wrote:

 What they make Mikrotik for! :)

And ImageStream, too.  The point Jeff was making is that there are 
some optimizations that should be handled that are not in the 
default configuration of most Linux distros.

-- 

*Butch Evans*Professional Network Consultation *
*Network Engineering*MikroTik RouterOS *
*573-276-2879   *ImageStream   *
*http://www.butchevans.com/ *StarOS and MORE   *
*http://blog.butchevans.com/*Wired or wireless Networks*
*Mikrotik Certified Consultant  *Professional Technical Trainer*






Re: [WISPA] Preventing backwards router problems

2008-09-04 Thread Andrew Niemantsverdriet
On Wed, Sep 3, 2008 at 4:42 PM, Charles Wyble [EMAIL PROTECTED] wrote:
 Andrew Niemantsverdriet wrote:
 How to I prevent SOHO routers from handing out bogus DHCP information
 when they are plugged in backwards?


 Filter them upstream?


How would I filter upstream? All clients go into a switch so I would
have to filter at the switch level, what switches provide this?

 Also on a seperate note; long ago on this list there was a Linux
 distro that was basically a WISP management you put it on the gateway
 router and it only allowed MAC authorized clients to the internet
 everybody else was pointed to a captive portal. Does anybody remember
 this or could give me a link to it again?


 Chillispot? Wifi-DOG? There are a few of them.


This was more of a WISP dashboard program. The captive portal stuff
was secondary the main part of the program was more of an access
controller. It allowed the admin to control IP's maintain MAC ACL's

Thanks,
 _
/-\ ndrew


 --
 Charles Wyble (818) 280 - 7059
 http://charlesnw.blogspot.com
 CTO Known Element Enterprises / SoCal WiFI project



 






Re: [WISPA] Preventing backwards router problems

2008-09-04 Thread Charles Wyble
Andrew Niemantsverdriet wrote:
 On Wed, Sep 3, 2008 at 4:42 PM, Charles Wyble [EMAIL PROTECTED] wrote:
   
 Andrew Niemantsverdriet wrote:
 
 How to I prevent SOHO routers from handing out bogus DHCP information
 when they are plugged in backwards?

   
 Filter them upstream?

 

 How would I filter upstream? All clients go into a switch so I would
 have to filter at the switch level, what switches provide this?
   

So what exactly did you mean by plugged in backwards? The WAN port 
instead of the LAN port?
Can you explain your architecture  a bit?


 

 This was more of a WISP dashboard program. The captive portal stuff
 was secondary the main part of the program was more of an access
 controller. It allowed the admin to control IP's maintain MAC ACL's
   

Ah. Well check out ZeroShell for this. Its a very cool distro. Also 
check out Untangle.

-- 
Charles Wyble (818) 280 - 7059
http://charlesnw.blogspot.com
CTO Known Element Enterprises / SoCal WiFI project






Re: [WISPA] Preventing backwards router problems

2008-09-04 Thread Andrew Niemantsverdriet
On Thu, Sep 4, 2008 at 8:49 AM, Charles Wyble [EMAIL PROTECTED] wrote:
 Andrew Niemantsverdriet wrote:
 On Wed, Sep 3, 2008 at 4:42 PM, Charles Wyble [EMAIL PROTECTED] wrote:

 Andrew Niemantsverdriet wrote:

 How to I prevent SOHO routers from handing out bogus DHCP information
 when they are plugged in backwards?


 Filter them upstream?



 How would I filter upstream? All clients go into a switch so I would
 have to filter at the switch level, what switches provide this?


 So what exactly did you mean by plugged in backwards? The WAN port
 instead of the LAN port?
 Can you explain your architecture  a bit?

Yes, when I say plugged in backwards I mean that a LAN port is plugged
into the WAN cable broadcasting bogus DHCP information. Currently the
architecture is bridged. There are three access points (Ubiquiti NS2)
that all come down to a switch; the switch is then connected to the
gateway router that is running DHCP.


 This was more of a WISP dashboard program. The captive portal stuff
 was secondary the main part of the program was more of an access
 controller. It allowed the admin to control IP's maintain MAC ACL's


 Ah. Well check out ZeroShell for this. Its a very cool distro. Also
 check out Untangle.

These are closer to what I want however not the original program that
I am thinking of. The main feature that I am wanting is something that
will allow authorized clients direct access to the internet no
clicking ok to continue or anything like that. Un-authorized clients
should be directed to a captive portal type deal.

Thanks
 _
/-\ ndrew





Re: [WISPA] Preventing backwards router problems

2008-09-04 Thread Mike Hammett
I use PPPoE and NATing CPE...  they could do whatever they wanted and they 
won't disturb anyone else.


--
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com



--
From: Andrew Niemantsverdriet [EMAIL PROTECTED]
Sent: Wednesday, September 03, 2008 5:23 PM
To: WISPA General List wireless@wispa.org
Subject: [WISPA] Preventing backwards router problems

 How do I prevent SOHO routers from handing out bogus DHCP information
 when they are plugged in backwards?

 Also on a separate note; long ago on this list there was a Linux
 distro that was basically a WISP management you put it on the gateway
 router and it only allowed MAC authorized clients to the internet
 everybody else was pointed to a captive portal. Does anybody remember
 this or could give me a link to it again?


 
 





Re: [WISPA] Preventing backwards router problems

2008-09-04 Thread Butch Evans
On Thu, 4 Sep 2008, Andrew Niemantsverdriet wrote:

Yes, when I say plugged in backwards I mean that a LAN port is 
plugged into the WAN cable broadcasting bogus DHCP infomation. 
Currently the architecture is bridged. There are three access 
points (Ubquity NS2) that all come down to a switch the switch is 
then connected the gateway router that is running DHCP.

If the Ubiquity product or your switch has filtering capability, you 
can fix this there.  Otherwise, you are kinda stuck given the 
network design.

These are closer to what I want however not the original program 
that I am thinking of. The main feature that I am wanting is 
something that will allow authorized clients direct access to the 
internet no clicking ok to continue or anything like that. 
Un-authorized clients should be directed to a captive portal type 
deal.

You can accomplish this in MANY ways.  It can be done easily with 
Mikrotik, Imagestream can do this with powercode, others are out 
there.  Not many that come default with this functionality, but 
perhaps there are more than I am aware of.

-- 

*Butch Evans*Professional Network Consultation *
*Network Engineering*MikroTik RouterOS *
*573-276-2879   *ImageStream   *
*http://www.butchevans.com/ *StarOS and MORE   *
*http://blog.butchevans.com/*Wired or wireless Networks*
*Mikrotik Certified Consultant  *Professional Technical Trainer*
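
The per-frame decision behind the DHCP/bootP filtering discussed in this thread, as an added Python example that is not from any poster or vendor: server-originated DHCP messages are dropped unless they arrive on the port facing the gateway router. The port names (`ap1`, `ap2`, `ap3`, `gateway`), MAC addresses and IP addresses are constructed sample values.

```python
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
SERVER_MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # only a DHCP server sends these


def parse_dhcp(frame):
    """Return a dict describing a DHCP frame, or None if the frame is not DHCP."""
    if len(frame) < 14:
        return None
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == 0x8100 and len(frame) >= 18:  # skip one 802.1Q VLAN tag
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4
    if frame[off] >> 4 != 4 or ihl < 20 or frame[off + 9] != 17:  # IPv4 + UDP only
        return None
    if struct.unpack("!H", frame[off + 6:off + 8])[0] & 0x1FFF:  # not the first fragment
        return None
    udp = off + ihl
    if len(frame) < udp + 8:
        return None
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if sport not in (67, 68) or dport not in (67, 68):
        return None
    bootp = udp + 8
    if len(frame) < bootp + 240 or frame[bootp + 236:bootp + 240] != DHCP_MAGIC:
        return None
    msg_type, i = None, bootp + 240
    while i < len(frame) and frame[i] != 255:  # walk options until END (255)
        if frame[i] == 0:  # PAD option has no length byte
            i += 1
            continue
        if i + 1 >= len(frame):
            break
        length = frame[i + 1]
        if frame[i] == 53 and length == 1 and i + 2 < len(frame):
            msg_type = frame[i + 2]  # option 53: DHCP message type
        i += 2 + length
    return {
        "src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
        "src_ip": socket.inet_ntoa(frame[off + 12:off + 16]),
        "op": frame[bootp],  # 1 = BOOTREQUEST, 2 = BOOTREPLY
        "msg_type": msg_type,
    }


def classify(frame, ingress_port, trusted_ports):
    """Return ('drop', info) for server-side DHCP on an untrusted port, else ('pass', info)."""
    info = parse_dhcp(frame)
    if info is None:
        return "pass", None  # not DHCP: this filter has no opinion
    from_server = info["op"] == 2 or info["msg_type"] in SERVER_MSG_TYPES
    if from_server and ingress_port not in trusted_ports:
        return "drop", info
    return "pass", info


def build_frame(src_mac, src_ip, sport, dport, op, msg_type):
    """Construct a minimal broadcast Ethernet/IPv4/UDP/DHCP frame (sample data only)."""
    bootp = (struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234ABCD, 0, 0)
             + bytes(224)  # ciaddr..giaddr, chaddr, sname, file left zeroed
             + DHCP_MAGIC + bytes([53, 1, msg_type, 255]))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton("255.255.255.255"))
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + udp


# Constructed samples: three APs into a switch, gateway router running DHCP.
TRUSTED = {"gateway"}
SAMPLES = [
    ("ap1", build_frame("02:00:00:00:00:11", "0.0.0.0", 68, 67, 1, 1)),          # client DISCOVER
    ("gateway", build_frame("02:00:00:00:00:01", "10.0.0.1", 67, 68, 2, 2)),     # real OFFER
    ("ap2", build_frame("02:00:00:00:00:22", "192.168.1.1", 67, 68, 2, 2)),      # backwards router
]


def rogue_servers(samples, trusted_ports):
    """List (port, mac, ip) for every frame the filter would drop."""
    found = []
    for port, frame in samples:
        action, info = classify(frame, port, trusted_ports)
        if action == "drop":
            found.append((port, info["src_mac"], info["src_ip"]))
    return found


if __name__ == "__main__":
    for port, mac, ip in rogue_servers(SAMPLES, TRUSTED):
        print(f"rogue DHCP server on {port}: {mac} ({ip})")
```

Client DISCOVER broadcasts still pass on customer-facing ports, so legitimate DHCP keeps working while replies from a backwards router never reach other customers.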






Re: [WISPA] Preventing backwards router problems

2008-09-04 Thread Chuck McCown - 3
Canopy NAT and bootP filtering works like a champ to stop the mistake from 
causing problems upstream.

- Original Message - 
From: Charles Wyble [EMAIL PROTECTED]
To: WISPA General List wireless@wispa.org
Sent: Thursday, September 04, 2008 8:49 AM
Subject: Re: [WISPA] Preventing backwards router problems


 Andrew Niemantsverdriet wrote:
 On Wed, Sep 3, 2008 at 4:42 PM, Charles Wyble [EMAIL PROTECTED] 
 wrote:

 Andrew Niemantsverdriet wrote:

 How to I prevent SOHO routers from handing out bogus DHCP information
 when they are plugged in backwards?


 Filter them upstream?



 How would I filter upstream? All clients go into a switch so I would
 have to filter at the switch level, what switches provide this?


 So what exactly did you mean by plugged in backwards? The WAN port
 instead of the LAN port?
 Can you explain your architecture  a bit?




 This was more of a WISP dashboard program. The captive portal stuff
 was secondary the main part of the program was more of an access
 controller. It allowed the admin to control IP's maintain MAC ACL's


 Ah. Well check out ZeroShell for this. Its a very cool distro. Also
 check out Untangle.

 -- 
 Charles Wyble (818) 280 - 7059
 http://charlesnw.blogspot.com
 CTO Known Element Enterprises / SoCal WiFI project



 
 






Re: [WISPA] Preventing backwards router problems

2008-09-04 Thread Clint Ricker
Andrew, Really, you're asking the wrong question: the problem isn't that you
need to filter out a rogue DHCP server as much as it is poor separation
between customers.  The DHCP server is a symptom of a larger problem of
having all the customers on the same layer 2 broadcast domain.  Even if you
fix the DHCP problem with filtering, you still have some pretty big
security issues here.

What you need is for a means for all traffic from one customer to be
separate from the other customers, below are some methods for doing that
(they aren't necessarily either/or) solutions:
- Many APs have client isolation, which keeps traffic from one client going
to another.  Some switches have this as well.
- Doing a routed (as opposed to a bridged) network solves this problem.
 Generally is easier to troubleshoot, as well
- PPPoE or similar between the customer premise and your network core

Thanks,
-Clint Ricker
Kentnis Technologies












On Thu, Sep 4, 2008 at 5:24 PM, Chuck McCown - 3 [EMAIL PROTECTED] wrote:

 Canopy NAT and bootP filtering works like a champ to stop the mistake from
 causing problems upstream.

 - Original Message -
 From: Charles Wyble [EMAIL PROTECTED]
 To: WISPA General List wireless@wispa.org
 Sent: Thursday, September 04, 2008 8:49 AM
 Subject: Re: [WISPA] Preventing backwards router problems


  Andrew Niemantsverdriet wrote:
  On Wed, Sep 3, 2008 at 4:42 PM, Charles Wyble [EMAIL PROTECTED]
  wrote:
 
  Andrew Niemantsverdriet wrote:
 
  How to I prevent SOHO routers from handing out bogus DHCP information
  when they are plugged in backwards?
 
 
  Filter them upstream?
 
 
 
  How would I filter upstream? All clients go into a switch so I would
  have to filter at the switch level, what switches provide this?
 
 
  So what exactly did you mean by plugged in backwards? The WAN port
  instead of the LAN port?
  Can you explain your architecture  a bit?
 
 
 
 
  This was more of a WISP dashboard program. The captive portal stuff
  was secondary the main part of the program was more of an access
  controller. It allowed the admin to control IP's maintain MAC ACL's
 
 
  Ah. Well check out ZeroShell for this. Its a very cool distro. Also
  check out Untangle.
 
  --
  Charles Wyble (818) 280 - 7059
  http://charlesnw.blogspot.com
  CTO Known Element Enterprises / SoCal WiFI project
 
 
 
 
 
 




 






Re: [WISPA] Preventing backwards router problems

2008-09-04 Thread Charles Wyble
Clint Ricker wrote:
 (they aren't necessarily either/or) solutions:
 - Many APs have client isolation, which keeps traffic from one client going
 to another.  Some switches have this as well.
   


Wouldn't all switches have this by design and during normal operation 
(various exploits to sniff traffic
notwithstanding of course).
 - Doing a routed (as opposed to a bridged) network solves this problem.
  Generally is easier to troubleshoot, as well
   

Yep. And improves performance as a general rule.
 - PPPoE or similar between the customer premise and your network core
   

An excellent idea.
 Thanks,
 -Clint Ricker
 Kentnis Technologies
   






Re: [WISPA] Preventing backwards router problems

2008-09-04 Thread Faisal Imtiaz
--
 (they aren't necessarily either/or) solutions:
 - Many APs have client isolation, which keeps traffic from one client 
 going to another.  Some switches have this as well.
   


Wouldn't all switches have this by design and during normal operation
(various exploits to sniff traffic non withstanding of course).
 - Doing a routed (as opposed to a bridged) network solves this problem.
  Generally is easier to troubleshoot, as well
-

The fundamental problem is that Normal Switches are designed / default
configuration for a LAN environment, in which you want one workstation to be
able to talk to the next workstation.

When doing a WAN setup, you want the opposite results, you DON'T want one
subscriber to be able to talk to the other subscriber thru the switch (nor
thru the radio for that matter).

So the answer becomes YES and NO... L3 Switches that do Vlans, can be
configured to do this, however normal Switches do not

Regards


Faisal Imtiaz

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Charles Wyble
Sent: Thursday, September 04, 2008 6:41 PM
To: WISPA General List
Subject: Re: [WISPA] Preventing backwards router problems

Clint Ricker wrote:
 (they aren't necessarily either/or) solutions:
 - Many APs have client isolation, which keeps traffic from one client 
 going to another.  Some switches have this as well.
   


Wouldn't all switches have this by design and during normal operation
(various exploits to sniff traffic non withstanding of course).
 - Doing a routed (as opposed to a bridged) network solves this problem.
  Generally is easier to troubleshoot, as well
   

Yep. And improves performance as a general rule.
 - PPPoE or similar between the customer premise and your network core
   

An excellent idea.
 Thanks,
 -Clint Ricker
 Kentnis Technologies
   












Re: [WISPA] Preventing backwards router problems

2008-09-04 Thread Marlon K. Schafer
do NOT use dhcp on your public network

Some of the fancier AP's will block dhcp in one direction but not the other.

Naturally, you'll normally want to set your ap's so that they prevent client 
to client communications.
marlon

- Original Message - 
From: Andrew Niemantsverdriet [EMAIL PROTECTED]
To: WISPA General List wireless@wispa.org
Sent: Wednesday, September 03, 2008 3:23 PM
Subject: [WISPA] Preventing backwards router problems


 How to I prevent SOHO routers from handing out bogus DHCP information
 when they are plugged in backwards?

 Also on a seperate note; long ago on this list there was a Linux
 distro that was basically a WISP management you put it on the gateway
 router and it only allowed MAC authorized clients to the internet
 everybody else was pointed to a captive portal. Does anybody remember
 this or could give me a link to it again?


 






Re: [WISPA] Preventing backwards router problems

2008-09-04 Thread Butch Evans
On Thu, 4 Sep 2008, Charles Wyble wrote:

- Many APs have client isolation, which keeps traffic from one 
client going to another.  Some switches have this as well.

Wouldn't all switches have this by design and during normal 
operation (various exploits to sniff traffic non withstanding of 
course).

Charles,
All switches do not, unfortunately, have this capability.  The 
switches (low end) will stop SOME traffic, but broadcast traffic 
(like DHCP DISCOVER) will NOT be stopped by the switch.  In fact, if 
the switch DID stop this traffic, you'd not be able to do DHCP on a 
switched network, which is, of course, possible.

- PPPoE or similar between the customer premise and your network 
core

Clint,
I agree that this is probably a best solution, but given the network 
he described, I'd approach it in a slightly different way.  I can't 
recall who initially asked the question that started this thread, 
but my initial reaction, given the information you've provided 
regarding the network design.

First, as Clint suggested, you should consider some design changes 
that would make the network more reliable AND easier to 
troubleshoot.  With the network gear you've described, there is no 
easy way to create the separation between the APs.  His suggestion 
to ensure you have client to client comms turned off is the first 
step.  In order to create separation between the APs, you have one 
of 2 quick/easy choices.  First, you can configure your switch to 
put each of the APs on a unique VLAN, then configure the router on 
the trunk port and separate/manage the traffic at the router.  This 
is going to be the cheapest option IF your switch already supports 
VLANs with a trunk port option.

The second option would be to physically separate the APs by putting 
them into different ports on your router (instead of on a switch). 
This option, of course, assumes you either already have the spare 
ethernet ports, or could add them easier/cheaper than you could do 
so with a switch.  You never did mention what type of router you 
have.  Please fill in this detail and we can provide a better/more 
complete answer.

-- 

*Butch Evans*Professional Network Consultation *
*Network Engineering*MikroTik RouterOS *
*573-276-2879   *ImageStream   *
*http://www.butchevans.com/ *StarOS and MORE   *
*http://blog.butchevans.com/*Wired or wireless Networks*
*Mikrotik Certified Consultant  *Professional Technical Trainer*






Re: [WISPA] Preventing backwards router problems

2008-09-03 Thread Charles Wyble
Andrew Niemantsverdriet wrote:
 How to I prevent SOHO routers from handing out bogus DHCP information
 when they are plugged in backwards?
   

Filter them upstream?

 Also on a seperate note; long ago on this list there was a Linux
 distro that was basically a WISP management you put it on the gateway
 router and it only allowed MAC authorized clients to the internet
 everybody else was pointed to a captive portal. Does anybody remember
 this or could give me a link to it again?
   

Chillispot? Wifi-DOG? There are a few of them.

-- 
Charles Wyble (818) 280 - 7059
http://charlesnw.blogspot.com
CTO Known Element Enterprises / SoCal WiFI project



