On 03/13/2017 07:13 AM, darrin.tho...@123mail.org wrote:
> I'm adding WiFi to my Shorewall router.
> 
> In "step 1" (earlier thread) I added a wifi adapter, device ==
> wlan0, to zone == wifi0.
> 
> I assigned a unique segment to its DMZ, 10.128.128.0/24, whereas
> the rest of my LAN is on 10.1.1.0/24.
> 
> Using policies I set it up for passthrough access
> 
> net    wifi0   ACCEPT
> wifi0  net     ACCEPT
> all    wifi0   REJECT
> wifi0  all     REJECT
> 
> got DHCP & PING working, and got hostapd running with wlan0.
> 
> Now I can log in to the wifi0 zone, get an IP in its segment, and
> access the net -- bypassing the 'net.  Exactly what I wanted.
> 
> I learned that hostapd can broadcast multiple SSIDs on a single
> adapter.
> 
> As 'step 2', I want to add a second SSID for login -- but
> integrated into my LAN, *not* isolated from it.
> 
> I configured hostapd so that it creates two 'virtual' interfaces,
> 
> wlan0, 10.128.128.0/24
> wlan1, 10.2.2.0/24
> 
> I want wlan1 'fully integrated' into my LAN -- subject to same
> access rules, protections etc., while wlan0 still functions exactly
> as above.
> 
> IIUC I can either
> 
> (1) put wlan1 on a bridge with my already setup internal ethernet
> interface
> (2) put wlan1 in another DMZ segment, and setup access
> policies or rules
> 
> I understand from docs how I'd do (1).
> 
> I want to figure out how to do (2) safely.
> 
> If I assign the 2nd interface, wlan1, to a 2nd zone == wifi1, & add
> policies
> 
> net    wifi0   ACCEPT
> wifi0  net     ACCEPT
> all    wifi0   REJECT
> wifi0  all     REJECT
> $FW    $FW     ACCEPT
> $FW    all+    ACCEPT
> + wifi1  $FW     ACCEPT
> + lan    wifi1   ACCEPT
> + wifi1  lan     ACCEPT
> 
> will that provide my wifi1-logged-in users full access to the LAN
> == lan zone, **AND** keep it safely isolated from the 'passthrough'
> wlan0?
> 
> I want to make sure that since 'wlan0' and 'wlan1' are both
> attached to the same PHYSICAL interface -- on the same adapter,
> coordinated/assigned by hostapd -- that I'm not somehow re-opening
> an insecure 'leak' between wlan0 and my LAN, by providing that
> access to wlan1.
> 

What I would do is simply add wlan1 to the loc zone.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.net \________________________________________________
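Added example, not code from this thread or from the Shorewall project: a small model of Shorewall's policy lookup (first matching line wins, `all` matches any zone) run over the poster's proposed policy and over Tom's "put wlan1 in the LAN zone" alternative, to show what each does to the pass-through zone. Assumed: the LAN zone is named `loc` as in Tom's reply, `loc net ACCEPT` and `$FW all ACCEPT` lines already exist for the wired LAN, intra-zone traffic is accepted unless a line names it, and `all+` matches intra-zone pairs while plain `all` does not.

```python
# Model of /etc/shorewall/policy evaluation: lines are (SOURCE, DEST, POLICY),
# the first matching line wins.  Assumption: plain "all" does not cover an
# intra-zone pair, "all+" does, and an unmatched intra-zone pair is ACCEPTed.

def lookup(policies, src, dst):
    """POLICY of the first matching line; 'ACCEPT' for an unmatched intra-zone
    pair, 'NONE' for an unmatched inter-zone pair (a gap in the policy file)."""
    intra = src == dst
    for s, d, action in policies:
        s_ok = s == src or s == "all+" or (s == "all" and not intra)
        d_ok = d == dst or d == "all+" or (d == "all" and not intra)
        if s_ok and d_ok:
            return action
    return "ACCEPT" if intra else "NONE"

def matrix(policies, zones):
    """Outcome for every ordered zone pair, as {(src, dst): POLICY}."""
    return {(a, b): lookup(policies, a, b) for a in zones for b in zones}

def passthrough_isolated(policies, passthrough, lan_zones):
    """True when the pass-through zone is REJECTed to and from every LAN zone."""
    return all(lookup(policies, z, passthrough) == "REJECT" and
               lookup(policies, passthrough, z) == "REJECT" for z in lan_zones)

# The poster's proposal: a separate wifi1 zone, lines in the order given above.
PROPOSED = [
    ("net", "wifi0", "ACCEPT"), ("wifi0", "net", "ACCEPT"),
    ("all", "wifi0", "REJECT"), ("wifi0", "all", "REJECT"),
    ("$FW", "$FW", "ACCEPT"),   ("$FW", "all+", "ACCEPT"),
    ("wifi1", "$FW", "ACCEPT"), ("lan", "wifi1", "ACCEPT"),
    ("wifi1", "lan", "ACCEPT"),
]

# Tom's suggestion: wlan1 joins the LAN zone ("loc", assumed name), so the only
# wifi-specific lines are the four that fence off wifi0.  The "loc net" and
# "$FW all" lines are assumed to exist already for the wired LAN.
LOC_BASED = [
    ("net", "wifi0", "ACCEPT"), ("wifi0", "net", "ACCEPT"),
    ("all", "wifi0", "REJECT"), ("wifi0", "all", "REJECT"),
    ("loc", "net", "ACCEPT"),   ("$FW", "all", "ACCEPT"),
]

if __name__ == "__main__":
    for name, pol, zones in (("proposed", PROPOSED, ["net", "wifi0", "wifi1", "lan", "$FW"]),
                             ("loc-based", LOC_BASED, ["net", "wifi0", "loc", "$FW"])):
        for pair, action in sorted(matrix(pol, zones).items()):
            print(f"{name:9} {pair[0]:>5} -> {pair[1]:<5} {action}")
```

In both layouts the `all wifi0 REJECT` / `wifi0 all REJECT` pair is what keeps the pass-through SSID away from the LAN; with wlan1 in `loc`, its clients are intra-zone with the wired hosts and inherit the existing `loc` lines instead of needing the five extra `wifi1` lines.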