There are a number of WAPs appearing on the market now aimed at the 
residential market which combine a WAP with 4 ethernet ports, NAT, DHCP, 
a firewall-router and support for connecting to an upstream ADSL-Cable 
broadband system. A typical example is the Buffalo WLAR-L11G-L
http://www.buffalo-technology.com/products/wireless/wlar-l11g-l.htm

Since these all have very similar specs and price, I'm guessing that they 
are all made in the same factory and OEMed to the manufacturers 
(Linksys, Buffalo etc).

Has anyone got real experience of setting up and configuring these?

The reason I ask is that they appear to have a fairly comprehensive 
packet filtering firewall built in. So it looks like it should be 
possible to run a wide open WLAN but still apply enough rules to 
adequately secure both the local LAN and trusted WLAN stations while 
giving access to guests that still prevents the more dangerous exploits. 
In other words, doing a lot of NoCat's job without needing a Linux 
gateway.

I'm picturing a layout somewhat like this.

No WEP
I) ISP - ADSL/Cable - Modem - (   WAP    ) /- G) WLAN Guest
                               (DHCP  DHCP) \- T) WLAN Trusted
                               (PPPOE  NAT) /- S) LAN  Server
                               ( Firewall ) \- P) LAN  PC

G -> I Everything allowed except the ISPs SMTP server

G -> T,S,P Denied

T, S, P -> I, T, S, P allow everything

I -> T, P denied

I -> S denied with a few exceptions depending on what services you want 
to expose.

This would require (I think) MAC identification on T and a VPN for T, S, P. 
MAC spoofing would be a concern. I'm unsure what else should be denied 
from G). Some bandwidth shaping of G) would be desirable just to stop 
them using Gnutella or other very high bandwidth apps.

Any flaws in this reasoning? Anyone tried it?

The target audience for this is the technically naive home user[1]. If 
we can get it right, then we can offer a simple set of configuration 
FAQs that encourage home bandwidth sharing via WiFi.
[1]Probably MS Windows but possibly Apple

-- 
Julian Bond Email&MSM: [EMAIL PROTECTED]
Webmaster:              http://www.ecademy.com/
Personal WebLog:       http://www.voidstar.com/
CV/Resume:          http://www.voidstar.com/cv/
M: +44 (0)77 5907 2173   T: +44 (0)192 0412 433
--
general wireless list, a bawug thing <http://www.bawug.org/>
[un]subscribe: http://lists.bawug.org/mailman/listinfo/wireless
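The zone policy sketched in the post (the G/T/S/P/I rule table, the ISP SMTP exception, the exposed-services exception on S, and the MAC-spoofing concern) written out as a first-match model; this is an added example, not code from the post or from any WAP vendor's firmware. The trusted MAC, the SMTP relay address and the exposed port set are constructed placeholders.

```python
"""Model of the five-zone filter policy: I (ISP/upstream), G (guest WLAN),
T (trusted WLAN), S (LAN server), P (LAN PC).  Rules apply to new
connections; return traffic is assumed to be handled by the NAT state table."""
from dataclasses import dataclass

# Constructed sample data (hypothetical values, not from the post).
TRUSTED_MACS = {"00:11:22:33:44:55"}   # MAC of a trusted WLAN laptop
ISP_SMTP = "192.0.2.25"                # ISP's SMTP relay (TEST-NET placeholder)
EXPOSED_ON_S = {80, 443}               # services the owner chooses to expose on S


@dataclass
class Flow:
    src_zone: str   # one of I, G, T, S, P
    dst_zone: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def classify_wlan(mac: str, vpn_authenticated: bool) -> str:
    """Place a WLAN station in T or G.  The post relies on MAC identification,
    but a MAC is trivially cloned, so T is granted only when the station has
    also authenticated over the VPN; a cloned MAC without the VPN stays in G."""
    if mac in TRUSTED_MACS and vpn_authenticated:
        return "T"
    return "G"


def decide(f: Flow) -> bool:
    """First-match evaluation of the post's rule table.  True means allow."""
    s, d = f.src_zone, f.dst_zone
    if s == "G":
        if d == "I":
            # G -> I: everything except the ISP's SMTP server
            return not (f.dst_ip == ISP_SMTP and f.dst_port == 25)
        return False                            # G -> T, S, P denied
    if s in ("T", "S", "P"):
        return True                             # T, S, P -> anything allowed
    if s == "I":
        if d == "S":
            return f.dst_port in EXPOSED_ON_S   # I -> S: only chosen services
        return False                            # I -> T, P denied
    return False                                # default deny for unknown zones
```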
