I'm adding WiFi to my Shorewall router.

In "step 1" (earlier thread) I added a wifi adapter, device == wlan0, to zone 
== wifi0.

I assigned a unique segment to its DMZ, 10.128.128.0/24, whereas the rest of my 
LAN is on 10.1.1.0/24.

Using policies, I set it up for passthrough access:

        net    wifi0   ACCEPT
        wifi0  net     ACCEPT
        all    wifi0   REJECT
        wifi0  all     REJECT 

got DHCP & PING working, and got hostapd running with wlan0.

Now I can log in to the wifi0 zone, get an IP in its segment, and access the 
net -- bypassing the 'net.  Exactly what I wanted.

I learned that hostapd can broadcast multiple SSIDs on a single adapter.

As 'step 2', I want to add a second SSID for login -- but integrated into my 
LAN, *not* isolated from it.

I configured hostapd so that it creates two 'virtual' interfaces,

        wlan0, 10.128.128.0/24
        wlan1, 10.2.2.0/24

I want wlan1 'fully integrated' into my LAN -- subject to same access rules, 
protections etc., while wlan0 still functions exactly as above.

IIUC I can either

(1) put wlan1 on a bridge with my already-set-up internal Ethernet interface
(2) put wlan1 in another DMZ segment, and set up access policies or rules

I understand from docs how I'd do (1).

I want to figure out how to do (2) safely.

If I assign the 2nd interface, wlan1, to a 2nd zone == wifi1, & add policies

        net    wifi0   ACCEPT
        wifi0  net     ACCEPT
        all    wifi0   REJECT
        wifi0  all     REJECT
        $FW    $FW     ACCEPT
        $FW    all+    ACCEPT
+       wifi1  $FW     ACCEPT
+       lan    wifi1   ACCEPT
+       wifi1  lan     ACCEPT

will that provide my wifi1-logged-in users full access to the LAN == lan zone, 
**AND** keep it safely isolated from the 'passthrough' wlan0?

I want to make sure that, since 'wlan0' and 'wlan1' are both attached to the 
same PHYSICAL interface (on the same adapter, coordinated/assigned by hostapd), 
I'm not somehow re-opening an insecure 'leak' between wlan0 and my LAN by 
providing that access to wlan1.

DT
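The question above turns on how Shorewall walks the policy table: the first row whose SOURCE and DEST columns match a zone pair wins, with 'all' matching any zone for inter-zone traffic and 'all+' also covering intra-zone traffic. The following is an added example, not code from the post and not part of Shorewall itself: a small first-match evaluator with the poster's policy rows embedded as data, so each zone pair can be resolved and the pairs the shown rows do not cover are listed. The zone list ("net", "lan", "wifi0", "wifi1", "$FW") is assumed from the post; rows for the existing lan/net policies are not shown there, so pairs such as wifi1->net come back as uncovered here rather than as whatever the full file says. Shorewall's compiler also rejects overlapping policies and lets rules override policies; none of that is modelled.

```python
# Added example (not from the original post or from Shorewall): a minimal
# first-match evaluator for a Shorewall-style /etc/shorewall/policy table.
# It models only the ordered SOURCE/DEST matching the poster asks about.

# Zones assumed from the post; the real zones file is not shown there.
ZONES = ["net", "lan", "wifi0", "wifi1", "$FW"]

# Policy rows exactly as listed in the post, in file order. The last three
# are the proposed '+' additions for the wifi1 zone.
POLICY = [
    ("net",   "wifi0", "ACCEPT"),
    ("wifi0", "net",   "ACCEPT"),
    ("all",   "wifi0", "REJECT"),
    ("wifi0", "all",   "REJECT"),
    ("$FW",   "$FW",   "ACCEPT"),
    ("$FW",   "all+",  "ACCEPT"),
    ("wifi1", "$FW",   "ACCEPT"),   # proposed
    ("lan",   "wifi1", "ACCEPT"),   # proposed
    ("wifi1", "lan",   "ACCEPT"),   # proposed
]


def _column_matches(pattern, zone, intra):
    """Match one SOURCE or DEST column.
    'all'  matches every zone for inter-zone traffic only,
    'all+' matches every zone including intra-zone traffic,
    anything else must equal the zone name literally."""
    if pattern == "all+":
        return True
    if pattern == "all":
        return not intra
    return pattern == zone


def lookup(src, dst, policy=POLICY):
    """Return (action, matching_row) for the first row matching src->dst.
    Returns ("<no policy>", None) when no row matches; the real compiler
    would refuse such a table, here it is simply reported."""
    intra = (src == dst)
    for row_src, row_dst, action in policy:
        if _column_matches(row_src, src, intra) and _column_matches(row_dst, dst, intra):
            return action, (row_src, row_dst, action)
    return "<no policy>", None


def matrix(zones=ZONES, policy=POLICY):
    """Resolve every inter-zone pair to the action it would hit."""
    return {(s, d): lookup(s, d, policy)[0]
            for s in zones for d in zones if s != d}


def uncovered(zones=ZONES, policy=POLICY):
    """Inter-zone pairs that no row in the table covers."""
    return sorted(pair for pair, action in matrix(zones, policy).items()
                  if action == "<no policy>")


if __name__ == "__main__":
    for (s, d), action in sorted(matrix().items()):
        row = lookup(s, d)[1]
        print(f"{s:>6} -> {d:<6} {action:<12} via {row}")
    print("uncovered pairs:", uncovered())
```

Running it shows what the ordering gives: wifi0->lan and wifi0->wifi1 stop at "wifi0 all REJECT", and lan->wifi0 and wifi1->wifi0 stop at "all wifi0 REJECT", before any of the proposed wifi1 rows are reached, so the proposed rows do not change what wifi0 can reach. Two things worth checking against the full policy file: "$FW -> wifi0" resolves to REJECT here because "all wifi0 REJECT" precedes "$FW all+ ACCEPT", and wifi1->net / net->wifi1 are uncovered by the rows shown. Isolation between the two hostapd interfaces at layer 3 rests on this table (and on any rules file entries, which take precedence over policies); the evaluator says nothing about layer 2.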

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
