Or, as PPPoE, client gets a /32 and a default gateway that allows everything to route.
Why would the customer with a public need to be on a subnet by themselves, thus needing 4 IPs?
Scott Reed
Owner
NewWays
Wireless Networking
Network Design, Installation and Administration
www.nwwnet.net
The season is Christmas, not X-mas, not the holiday, but Christmas, because Christ was born to provide salvation to all who will believe!
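The address-consumption question argued in this thread (a routed /30 per customer, a shared subnet per access point, or PPPoE handing each customer a /32) can be quantified with Python's ipaddress module. This is an added example, not code from any poster; the 203.0.113.0/24 pool and the /27-per-access-point size are assumed sample values.

```python
"""Address accounting for the three designs discussed in the thread.
Added example, not code from any poster. 203.0.113.0/24 is a constructed
documentation pool; a /27 per access point is an assumed AP subnet size."""
import ipaddress

POOL = "203.0.113.0/24"  # constructed sample pool (TEST-NET-3)


def describe_customer_block(block: str) -> dict:
    """Name the four addresses a routed single-host customer consumes:
    network, gateway (first host), customer (second host), broadcast."""
    net = ipaddress.ip_network(block, strict=True)
    if net.prefixlen != 30:
        raise ValueError("a single-host routed customer block is a /30")
    gateway, host = net.hosts()  # a /30 has exactly two host addresses
    return {"network": str(net.network_address), "gateway": str(gateway),
            "host": str(host), "broadcast": str(net.broadcast_address)}


def routed_per_customer(pool: str) -> dict:
    """Carve the pool into /30s: one customer per block, three addresses
    of every four (network, gateway, broadcast) are overhead."""
    net = ipaddress.ip_network(pool)
    blocks = list(net.subnets(new_prefix=30))
    return {"customers": len(blocks), "overhead": 3 * len(blocks)}


def per_ap_subnet(pool: str, ap_prefix: int = 27) -> dict:
    """One subnet per access point; each customer on the AP takes one
    address and each AP subnet loses network, broadcast and gateway."""
    net = ipaddress.ip_network(pool)
    aps = list(net.subnets(new_prefix=ap_prefix))
    usable_per_ap = aps[0].num_addresses - 3
    return {"aps": len(aps), "customers": usable_per_ap * len(aps),
            "overhead": 3 * len(aps)}


def pppoe_per_customer(pool: str, gateways: int = 1) -> dict:
    """PPPoE: every customer is a /32 host route behind a shared gateway,
    so the only addresses not handed to customers are the gateways."""
    net = ipaddress.ip_network(pool)
    return {"customers": net.num_addresses - gateways, "overhead": gateways}


if __name__ == "__main__":
    print(describe_customer_block("203.0.113.4/30"))
    for name, fn in (("routed /30", routed_per_customer),
                     ("per-AP /27", per_ap_subnet),
                     ("PPPoE /32", pppoe_per_customer)):
        print(f"{name:10s} {fn(POOL)}")
```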
---------- Original Message -----------
From: "Mark Koskenmaki" <[EMAIL PROTECTED]>
To: "WISPA General List" <wireless@wispa.org>
Sent: Wed, 7 Dec 2005 10:56:54 -0800
Subject: Re: [WISPA] How to Authenticate/Protect (Was Ethernet based authentication)
> For a customer to have a single computer with a public IP, I do have to use 4 IP addresses.
>
> There's the broadcast, network, and two hosts - one being the gateway and one is the host.
>
> However, I have only something like 5 clients with public IPs on their side; every other client has NAT done at their end, so their CPE has a public IP interface, but all of their machines have private IPs. They can have multiple computers, and they generally just share one public IP.
>
> So, for the most part, I use one public IP per client - however... I subnet each access point, which has a 16 or 32 IP subnet attached to it. And again, this "wastes" 3 IPs per subnet... your broadcast, network, and of course, gateway IP.
>
> However, monitoring traffic on the network shows almost zilch for anything other than actual USE on the network.
>
> So, while I suppose we're technically "wasting" some IPs, we have a return for it, in that actually attacking clients' machines is almost impossible, and my network is free of most broadcast and non-IP traffic.
>
> I hope to implement BGP and OSPF within 6 months network-wide. We'll have to see how this affects our traffic levels negatively...
>
> North East Oregon Fastnet, LLC 509-593-4061
> personal correspondence to: mark at neofast dot net
> sales inquiries to: purchasing at neofast dot net
> Fast Internet, NO WIRES!
> -----------------------------------------------------------------------------
> ----- Original Message -----
> From: Marlon K. Schafer (509) 982-2181
> To: WISPA General List
> Sent: Wednesday, December 07, 2005 10:15 AM
> Subject: Re: [WISPA] How to Authenticate/Protect (Was Ethernet based authentication)
>
> I'm no expert so you guys feel free to correct me as needed.....
>
> The smallest subnet needs 4 ip addys to work. Even if it's three you get the idea. Still a huge waste of a very limited and harder to get all the time resource.
>
> Marlon
> (509) 982-2181 Equipment sales
> (408) 907-6910 (Vonage) Consulting services
> 42846865 (icq) And I run my own wisp!
> 64.146.146.12 (net meeting)
> www.odessaoffice.com/wireless
> www.odessaoffice.com/marlon/cam
>
> ----- Original Message -----
> From: Scott Reed
> To: WISPA General List
> Sent: Wednesday, December 07, 2005 10:12 AM
> Subject: Re: [WISPA] How to Authenticate/Protect (Was Ethernet based authentication)
>
> How were you looking at routing to use 3 for 1? I have never set up routing that way and would like to be sure I don't. I am running fully routed from the get-go, with 3 internal routers and a 4th going in Friday. Actually 2 MTs as router only and 2 that are "routing APs".
>
> Scott Reed
> Owner
> NewWays
> Wireless Networking
> Network Design, Installation and Administration
> www.nwwnet.net
>
> The season is Christmas, not X-mas, not the holiday, but Christmas, because Christ was born to provide salvation to all who will believe!
>
> ---------- Original Message -----------
> From: "Marlon K. Schafer (509) 982-2181" <[EMAIL PROTECTED]>
> To: "WISPA General List" <wireless@wispa.org>
> Sent: Wed, 7 Dec 2005 10:05:52 -0800
> Subject: Re: [WISPA] How to Authenticate/Protect (Was Ethernet based authentication)
>
> > The idea, for me is that by the time a company gets to the point that they need to route they'll either know what they are doing. And/or they'll have someone on staff just to handle that issue.
> >
> > The other problem I ran into back when was a shortage of ip addys. And routing to every customer wastes three ip addys for every one you get to actually use. I don't think that's responsible stewardship.
> >
> > My new ap's block client to client communications, and new managed switches that will vlan and packet filter will be the next upgrades I'll do.
> >
> > We just broke the network in two. So I've got 150ish broadband subs on one system and 150 on another. Not exact numbers but close. One of the systems went from t-1 to 10 meg so I don't have good numbers as to performance issues.
> >
> > The other one still has 100 megs coming into it. On that system I see no difference.
> >
> > I'm sure there's room for improvement. There always will be if a guy wants to stay anywhere near the head of the pack.
> >
> > One other thing that's not been brought up yet is over building. Today we can build 3 to 10x more capacity into the network than the average customer is demanding for the same cost or very nearly so as building to meet customer demands. Having more capacity than is needed, so far, is allowing us to significantly simplify the network. Anyone can walk in here tomorrow and take over with a few phone calls to tech support at most. There's nothing fancy going on here. That's part of why I can take care of 250 wireless subs, 50 fiber customers and hundreds of dialup people with me and two gals that share a part time office job. Our wireless churn is almost nil. I've lost a couple lately due to some trouble at a tower site. It's caused by jerk off competitors and their 1 watt amps and 15+ db sector antennas though. And I tried to use a $120 sector where I normally use $400 ones. I'm not sure I'll ever learn that lesson :-).
> >
> > Will we have to redo the network at some point in the future? Sure. Will it suck? Sure. But that's then and this is now. We just redid half of it and it sucked. Big time. But only for a few days. We have taken the time to teach our customers how to do their own networking stuff just like we took the time to teach them how to do their own dialup stuff. When we need to make changes (or the customer changes their gear) they can usually take care of it themselves or with a little help from us via the phone.
> >
> > Both models work. The real trick is making sure that they get deployed in the right situation. Too big of a hammer is sometimes just as bad as too small of a one or vice versa.
> >
> > Oh yeah, I'm tired of hearing small networks getting talked down to. With 100 subs the average guy should be putting $2,000 to $3,000 per month in the bank. That's enough money to keep the average mom home with the kids! We'd be there today if we would just stop growing. Man, a mom at home with the kids AND good cars to drive and a dad that's not working 80 hours per week. Small WISPs are right in there with the American dream man! This is good stuff!
> >
> > Laters,
> >
> > Marlon
> > (509) 982-2181 Equipment sales
> > (408) 907-6910 (Vonage) Consulting services
> > 42846865 (icq) And I run my own wisp!
> > 64.146.146.12 (net meeting)
> > www.odessaoffice.com/wireless
> > www.odessaoffice.com/marlon/cam
> >
> > ----- Original Message -----
> > From: "Lonnie Nunweiler" <[EMAIL PROTECTED]>
> > To: "WISPA General List" <wireless@wispa.org>
> > Sent: Tuesday, December 06, 2005 5:43 PM
> > Subject: Re: [WISPA] How to Authenticate/Protect (Was Ethernet based authentication)
> >
> > And that is the second thing that guys do wrong. They use simple bridged clients which are vulnerable to the issue of the backwards router and they create a host of other issues.
> >
> > You are building a network that connects to the Internet so why not use the same network design that the Internet uses? Routed. Sure you will find sections that are bridged but anything that leaves the backbone is routed to the customer.
> >
> > Bridged or rather no design is fine for small simple networks. Just plug things in and get on to the next job. As you grow the troubles will begin and then, eventually, you will have to reorganize your entire network and move to a routed design. Why wait for all that pain? Do it right, from the start. Allow yourself to grow and not have to go through that second painful redesign.
> >
> > I am usually silent and just watch the lists, but when I see wrong advice given I cannot watch in silence. It is wrong to not use DHCP and it is wrong to use a bridged design. If you have intentions of doing any sort of large customer base, please plan it correctly from the start. Do not listen to the guys who tell you to do it quick and dirty. I know this sounds preachy, but man, I get 10 calls a day from people who have started out quick and dirty and they reach a certain size or get certain types of traffic, and their network just collapses. The fix is to go to routed and when they realize how much work it is to convert it, they all wish they had followed my consistent advice. For more than 5 years I have said the same thing on the various lists. I even got kicked off the Judd list for not backing down and agreeing that hacked together bridges were the way to go.
> >
> > Regards,
> >
> > Lonnie
> >
> > On 12/6/05, Marlon K. Schafer (509) 982-2181 <[EMAIL PROTECTED]> wrote:
> > > Yeah, until some lunkhead plugs his dsl router in backward. As they do all the time around here....
> > >
> > > No thanks, no more DHCP troubles for me. Been there done that. Twice. Never again.
> > >
> > > Marlon
> > > (509) 982-2181 Equipment sales
> > > (408) 907-6910 (Vonage) Consulting services
> > > 42846865 (icq) And I run my own wisp!
> > > 64.146.146.12 (net meeting)
> > > www.odessaoffice.com/wireless
> > > www.odessaoffice.com/marlon/cam
> > >
> > > ----- Original Message -----
> > > From: "Lonnie Nunweiler" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>; "WISPA General List" <wireless@wispa.org>
> > > Sent: Tuesday, December 06, 2005 2:27 PM
> > > Subject: Re: [WISPA] How to Authenticate/Protect (Was Ethernet based authentication)
> > >
> > > The same way you do it if you didn't run DHCP. Use PPPoE, HotSpot, static DHCP based on MAC, ACL for association at the AP, any number of ways.
> > >
> > > DHCP has little to do with authentication, although it can be a part of the process. What DHCP does is automate the user TCP settings so that if you renumber your system in order to move to routing it is painless to assign new numbers. If you have to change DNS servers then that is also easy. Just change the DHCP config and within an hour everybody is using the new DNS.
> > >
> > > Don't run a network without it. It is priceless.
> > >
> > > Lonnie
> > >
> > > On 12/6/05, Ron Wallace <[EMAIL PROTECTED]> wrote:
> > > > Lonnie,
> > > > So Lonnie, if I run DHCP, on my customers' IPs, how do I authenticate the users? I'm a real rookie at this.
> > > > Ron Wallace
> > > > ---- Original message ----
> > > > >Date: Tue, 6 Dec 2005 11:52:08 -0800
> > > > >From: Lonnie Nunweiler <[EMAIL PROTECTED]>
> > > > >Subject: Re: [WISPA] How to Authenticate/Protect (Was Ethernet based authentication)
> > > > >To: WISPA General List <wireless@wispa.org>
> > > > >
> > > > >If you take Marlon's advice and do not run DHCP then you get to have that personal contact with each and every subscriber if you ever have to change network settings. With DHCP running it is real simple and quick to edit the DHCP config and wait for the DHCP client renewal.
> > > > >
> > > > >My advice is completely the opposite. Use DHCP for all of your customers. You will be happy you did and will mutter things when you encounter someone who is not on DHCP.
> > > > >
> > > > >The personal contact is nice but what if you have several hundred customers? That is just a little too nice for my tastes.
> > > > >
> > > > >Lonnie
> > > > >
> > > > >On 12/6/05, Marlon K. Schafer (509) 982-2181 <[EMAIL PROTECTED]> wrote:
> > > > >> Don't run DHCP! And use mac filtering at the ap's. (I use the smartbridges ap's. They'll do radius and authenticate wireless subs just like my dialup ones.)
> > > > >>
> > > > >> Marlon
> > > > >> (509) 982-2181 Equipment sales
> > > > >> (408) 907-6910 (Vonage) Consulting services
> > > > >> 42846865 (icq) And I run my own wisp!
> > > > >> 64.146.146.12 (net meeting)
> > > > >> www.odessaoffice.com/wireless
> > > > >> www.odessaoffice.com/marlon/cam
> > > > >>
> > > > >> ----- Original Message -----
> > > > >> From: "Jason" <[EMAIL PROTECTED]>
> > > > >> To: "WISPA General List" <wireless@wispa.org>
> > > > >> Sent: Monday, December 05, 2005 9:39 PM
> > > > >> Subject: Re: [WISPA] How to Authenticate/Protect (Was Ethernet based authentication)
> > > > >>
> > > > >> > Marlon,
> > > > >> >
> > > > >> > I appreciate the advice. Mostly I am interested in bullet proof authentication of my clients. Any suggestions?
> > > > >> >
> > > > >> > Jason
> > > > >> >
> > > > >> > Marlon K. Schafer (509) 982-2181 wrote:
> > > > >> >> Hiya Jason,
> > > > >> >>
> > > > >> >> You are mixing your networks.... You won't normally run a homebrew product to provide a top notch service.
> > > > >> >>
> > > > >> >> If security is of THAT great an importance to you, you should NOT run wifi anything. Put in something much more off the wall. It's a lot harder to snoop if you don't use one of the world's most common protocols.
> > > > >> >>
> > > > >> >> For these business guys I'd run Trango or something like that. Good stuff but not nearly as much of it in use and no free tools on the internet for intercepting and cracking the data stream.
> > > > >> >>
> > > > >> >> What we do is remind our customers that this is the internet. They are hanging out there for thousands upon thousands of people whose only purpose in life is breaking into their machines and seeing what they can learn. If they have data that's that sensitive then they need a high end internal firewall and they need to VPN all internet traffic.
> > > > >> >>
> > > > >> >> That help?
> > > > >> >> Marlon
> > > > >> >> (509) 982-2181 Equipment sales
> > > > >> >> (408) 907-6910 (Vonage) Consulting services
> > > > >> >> 42846865 (icq) And I run my own wisp!
> > > > >> >> 64.146.146.12 (net meeting)
> > > > >> >> www.odessaoffice.com/wireless
> > > > >> >> www.odessaoffice.com/marlon/cam
> > > > >> >>
> > > > >> >> ----- Original Message ----- From: "Jason" <[EMAIL PROTECTED]>
> > > > >> >> To: "WISPA General List" <wireless@wispa.org>
> > > > >> >> Sent: Friday, December 02, 2005 3:20 PM
> > > > >> >> Subject: [WISPA] How to Authenticate/Protect (Was Ethernet based authentication)
> > > > >> >>
> > > > >> >>> List,
> > > > >> >>>
> > > > >> >>> I am on the precipice, ready to take the plunge and become a WISP (After 1 year of zoning, permits, 16 hr days, etc), but one thing still bothers me. I haven't decided how to authenticate clients to my network and REALLY protect their data. The CPE's I will use, rootenna/Senao2611 combos, do only WEP, which only obfuscates data nowadays. MAC addresses can be cloned. Proxy login via a browser is obnoxious for the end user. Ditto PPPoE & VPN logins. There is just no elegant, KISS solution. I was looking at PPPoE or PPTP (poptop/linux) with Radius as my system, since this would accomplish it, but seems like so much trouble and overhead. PPTP is not Mac friendly, PPPoE requires clients (gasp) or a router (gack!) and the PPPoE server shipping with Linux is meant "for testing purposes only - man". I want an Always On (apparently) system for my clients that just works.
> > > > >> >>>
> > > > >> >>> How do you other (small) WISPs do this?
> > > > >> >>>
> > > > >> >>> Tangent: How do you Senao 2611 users keep Netbios & windows network neighborhood data off the wireless network? I was told to add a SOHO router to the mix, but don't want to invest in more equipment to maintain.
> > > > >> >>>
> > > > >> >>> Jason Wallace
> > > > >> >>> --
> > > > >> >>> WISPA Wireless List: wireless@wispa.org
> > > > >> >>>
> > > > >> >>> Subscribe/Unsubscribe:
> > > > >> >>> http://lists.wispa.org/mailman/listinfo/wireless
> > > > >> >>>
> > > > >> >>> Archives: http://lists.wispa.org/pipermail/wireless/
> > > > >> >>>
> > > > >> >>
> > > > >--
> > > > >Lonnie Nunweiler
> > > > >Valemount Networks Corporation
> > > > >http://www.star-os.com/
> > > > Ron Wallace
> > > > Hahnron, Inc.
> > > > 220 S. Jackson St.
> > > > Addison, MI 49220
> > > >
> > > > Phone: (517) 547-8410
> > > > Mobile: (517) 605-4542
> > > > e-mail: [EMAIL PROTECTED]
> > > --
> > > Lonnie Nunweiler
> > > Valemount Networks Corporation
> > > http://www.star-os.com/
> > --
> > Lonnie Nunweiler
> > Valemount Networks Corporation
> > http://www.star-os.com/
> ------- End of Original Message -------
------- End of Original Message -------