Archived from groups: comp.sys.ibm.pc.hardware.chips
On Sun, 25 Sep 2005 06:06:14 +0200, DEMAINE Benoit-Pierre
<nntp_pipex@demaine.info> wrote:
>>>BUT but BUT: I want the wireless interface NOT TO BE BRIDGED to the LAN ethernet,
>>
>>
>> Not possible. 802.11 wireless is bridging by definition. No routing,
>> IP addresses, or services (such as IPSec) involved. There's no other
>> way to connect between wireless and wired devices other than bridging.
>
>are you sure ?
Yes, I'm sure it's bridging.
> then, what is my manually set up gateway doing ???
That's the router section. Think of a "wireless router" as a
"wireless access point" glued to an "ethernet router". If done in
separate boxes, the ethernet output from the access point would go to
one of the LAN inputs of the "ethernet router". When you set the IP
addresses and all that, you're setting the router section. The only
exception is that a stand-alone access point requires an IP address to
do configurations and system settings. That IP address is only used
for configuration and has nothing to do with the traffic.
>
>- 3 NICs
>- 1 Wireless adapter ...
>
>4 IPs
>and clients on any network can not even ping any IP other than the NIC of my gateway
>it is connected to ... not even the IP of the wireless card if it is on the wired NIC ...
Wanna bet? If you ignore the router part of the puzzle and just play
with an access point, the IP address of the access point can be
literally anything. In fact, that's exactly what I do on wireless
systems that I don't want the users to tinker with the access points.
I set the management IP address of the access point to something
that's out of the usual 192.168.1.0/24 block.
>what happens is that for simplicity, and dummy compliance, all manufacturers do
>bridge wireless to wired ... BUT in all firewalling tutorials, you will find that this
>kind of bridging DOES require to be activated ... aka is NOT available before you
>explicitly ask for it.
Sorry. I don't understand what you're asking or saying.
>I already DID set up routing, and/or bridging on x86 boxes ...
>
>my actual question is: does any hardware router do that including IPSEC ?
>
>> Now, you could isolate the wired and wireless part with a router, VPN,
>> or filters, but that requires layer 3 services in addition to
>> bridging.
>
>that would mean setting up a dedicated gateway between wired and wireless, which would
>decrypt IPSEC connections; that is precisely what I am too lame to do myself.
>
>> Overkill. You have WPA encryption for the wireless. On top of that,
>> you want to add VPN encryption. You don't really need both. WPA is
>> enough.
>
>WPA is hardware encryption: next year it will be broken = next year I can buy a new
>router, and ask all my clients to buy new cards ...
That's why I suggested you separate the router function (with VPN) and
the wireless function. When the next great exploits or new acronyms
come out, you don't have to toss everything and start over.
>All we know about WPA is that it was secure yesterday ... and that when someone
>breaks it, you learn about it on forums only 6 months after all the teenagers have already
>cracked company networks ...
Yawn. You're welcome to your own level of paranoia. However, if you
run on that assumption, there isn't an operating system, application,
or protocol that won't shortly be cracked by teenagers or university
grad students.
>In France, such security breaches can lead people to jail, even the one
>who has been attacked.
>
>> The bigger they are, the harder they crash. How about this
>> alternative? Use an access point, not a wireless router for the
>> wireless part of the puzzle. Use WPA encryption. Use a separate
>> IPSec VPN router to terminate the tunnel. Netgear seems to have a
>> good selection:
>
>- depends on (weak) WPA
>- depends on an additional box
>
>=> twice as many storage devices + spinning disks + 2 systems + 2 supplies = 4 times more
>reasons to crash.
>
>and my problem is that I WANT TO AVOID SETTING UP MANUALLY THE IPSEC SERVER.
Good luck. IPsec is no fun to set up. Lots of settings. Lots of
potential incompatibilities between servers and clients. Lots of
things to go wrong. To the best of my knowledge, nobody has a
non-manual IPsec VPN setup.
>> There's no other
>> way to connect between wireless and wired devices other than bridging.
>
>looks like you missed a point: I never said I want my networks to be in the same IP
>ranges ... would any admin want to keep all the computers of the building in the same
>range ? who would be mad enough to try to keep transparent bridging between all
>computers ? who would try to interconnect more than 1000 computers on the same segment ?
I think you missed my point. 802.11 wireless is bridging. I still
recall wireless access points that didn't have an IP address for
configuration and had to be set via a serial port. There's no layer 3
stuff involved in bridging. That doesn't mean you have to set up your
entire network without any routers and using just bridging. However,
that's exactly the way a typical hot spot or home network is set up.
The users bridge (encapsulate 802.3 ethernet inside 802.11 wireless
packets) between client radios and the access point. The IP stack is
in the client, not the wireless client. At the access point, it goes
to a router, which deals with the IP addresses, routing, and such.
>Even at home, it is out of order to have wireless in the same IP range as the wired LAN.
Most systems I've seen use a common /24 IP block for everything. If
there's a VPN server in the system, the VPN server delivers an IP
address through the tunnel to the client, which is used instead of the
DHCP assigned IP address. I think that's what you're talking about.
>Honey pots will fill holes
>
>DHCP+DNS will make things transparent for users.
Sigh. Good luck...
--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice Skype: JeffLiebermann
# http://www.LearnByDestroying.com AE6KS
# http://802.11junk.com
# jeffl@comix.santa-cruz.ca.us
# jeffl@cruzio.com
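The layout Jeff describes (wireless on its own segment, a layer 3 box with filters between it and the wired LAN, and an IPsec endpoint terminating the tunnel) can be done on one Linux box. The ruleset below is an added example for this thread, not anything posted by either participant; interface names, the two /24 subnets, the 10.8.0.0/24 tunnel address pool, and the choice of strongSwan and dnsmasq are all assumptions. The comments at the top show the bridged default that a consumer "wireless router" applies, which is exactly what leaves nothing for a firewall to filter; the rules then keep the two sides on separate subnets and let wireless clients reach the wired LAN only after IPsec decryption.

```nftables
#!/usr/sbin/nft -f
# Routed (not bridged) wireless segment with a filtering router in between.
# Assumed layout: eth0 = wired LAN, wlan0 = access point (hostapd with WPA2),
# eth1 = Internet. A typical "wireless router" would instead do
#   ip link add br0 type bridge
#   ip link set eth0 master br0 ; ip link set wlan0 master br0
# which puts both sides in one /24 with no layer 3 point to filter at.
# Here the two sides are separate subnets and this box routes between them:
#   ip addr add 192.168.1.1/24 dev eth0
#   ip addr add 192.168.2.1/24 dev wlan0
#   sysctl -w net.ipv4.ip_forward=1
# dnsmasq serves DHCP/DNS on wlan0; an IPsec daemon (strongSwan assumed) listens on
# 192.168.2.1 and hands tunnel clients an inner address from 10.8.0.0/24.
# "meta ipsec exists" needs nftables 0.9.1+ and kernel 4.20+ (assumed available).

flush ruleset

define LAN_IF   = "eth0"
define WLAN_IF  = "wlan0"
define WAN_IF   = "eth1"
define WLAN_NET = 192.168.2.0/24
define VPN_POOL = 10.8.0.0/24    # inner addresses issued through the tunnel (assumed)

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # the router itself is managed from the wired side only
        iifname $LAN_IF accept

        # wireless clients get DHCP, DNS and the tunnel endpoint, nothing else
        iifname $WLAN_IF udp dport { 67, 53 } accept
        iifname $WLAN_IF tcp dport 53 accept
        iifname $WLAN_IF udp dport { 500, 4500 } accept   # IKE and NAT-T
        iifname $WLAN_IF ip protocol esp accept
        iifname $WLAN_IF drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # wired LAN may go anywhere (replies to tunnel clients follow the
        # route to $VPN_POOL that the IPsec daemon installs)
        iifname $LAN_IF accept

        # wireless may reach the Internet in the clear ...
        iifname $WLAN_IF ip saddr $WLAN_NET oifname $WAN_IF accept

        # ... and the wired LAN only with a packet that came out of an IPsec SA
        # and carries a tunnel-pool source address
        iifname $WLAN_IF meta ipsec exists ip saddr $VPN_POOL oifname $LAN_IF accept

        # everything else from the wireless side is dropped and counted
        iifname $WLAN_IF counter drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN_IF masquerade
    }
}
```

Load it with `nft -f` and check it with `nft list ruleset`. The important rule is the one with `meta ipsec exists`: a wireless client that is on the WPA link but not inside a tunnel still arrives on wlan0 with a 192.168.2.x source and no security path, so it hits the counter drop; only decrypted ESP payload from a tunnel-pool address is forwarded onto the wired segment, which is the separation the original poster asked for and which a bridged access point cannot provide.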