> Being pedantic, it shows the packet being matched by a rule or policy. A 
> packet sniffer would show if it was actually going out through the interface.

Ok good point.

> The first thing that comes to mind is ... do you have an entry in masq that 
> will change the source address ? That's bitten me more than once :-(

Yeah, I had that in place.

I'm working on simplifying.  I'm bound and determined to get this figured out 
this time by reading the manuals and understanding the way things work! :-)

I've removed the "passthrough Guest" for the moment, and switched to JUST a 
WiFi connection into the shorewall-defined LAN.

As I understand it this *should* work just like everything else already in/on 
my LAN.

If I attach a standalone WiFi router, configured as an AccessPoint, to my LAN

        router
          |
          | ( "INT" interface )
          |
        ethernet switch
          |
          |-- standalone AP 
          |
        ( my LAN )

and connect a phone to it, the phone's *in* my shorewall-defined LAN, 
everything works fine.  I can access the net from my phone, just

If instead I set it up with a WiFi adapter,

                ( "WIFI" interface )
        router ---------------------- USB WiFi adapter
          |
          | ( "INT" interface )
          |
        ethernet switch
          |
          |
        ( my LAN )

with hostapd & dhcpd running on the router, and the WiFi adapter added to the 
LAN in shorewall's "interfaces"

        net       EXT       optional,physical=$EXTIF,dhcp,tcpflags,nosmurfs,logmartians=1,routefilter=1,sourceroute=0
        lan       WIFI      optional,physical=$WIFIIF,dhcp,tcpflags,logmartians=1,routefilter=0
        -         INT       physical=$INTIF,dhcp,tcpflags,logmartians=1,routefilter=0

I can 

        (1) see the WiFi adapter's hostapd-generated SSID scan
        (2) connect/authenticate the phone to the AP
        (3) get a dhcpd-generated IP address for the phone

where the dhcpd server is listening additionally on the $WIFIIF.

But I can't access the 'net from the phone over WiFi.

Now I need to figure out what policy, rule, whatever --  above & beyond what 
the LAN rules/policies already allow -- is needed to get that last step of 
communicating "across" the WIFI interface to the net.

