Date: Fri, 16 Feb 2001 07:40:32 +0100
From: "Rogier R. Mulhuijzen" <drwilco@drwilco.nl>
To: freebsd-net@FreeBSD.ORG
Subject: Re: Do I need to run RouteD/GateD?
Message-ID: <4.3.2.7.0.20010216074025.00dbc710@mail.bsdchicks.com>
At 19:11 15-2-01 -0800, you wrote:
>Hello there,
>
>I am trying to set up a simple network at home. Here is my existing setup:
>1) I have a DSL router which does NAT which everyone on the LAN connects to. The address for the DSL router is 1.2.3.1

Bad idea. For internal networks you should use an IP block in the range of 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255 or 192.168.0.0-192.168.255.255. You will find a lot of people use 192.168.1.* netmask 255.255.255.0

>2) Everyone on the LAN connects to the router and uses 1.2.3.1 as gateway (netmask 255.255.255.0)
>3) I have a FreeBSD box (1.2.3.10), which I have my mail server, webserver, and other goodies on it, which everyone is happily connected to.
>4) I set up DHCPD already, so everyone is getting their addresses in the range I specified.
>
>Now, I want to use my FreeBSD box as a public wireless base station using Orinoco card (wi0). In theory, everyone close to me can connect to the wireless interface. So, here is what I am thinking about doing:
>
>1) I have recompiled my BSD box with ipfw on, and ipfw working, and I have set "gateway_enable=YES" in my rc.conf
>2) I want to take my laptop and connect to my BSD box wirelessly and get an address from the DHCPD, and I want to be able to access all the resources on my wired LAN, e.g. the mail server, webserver, or chat with another person on the wired LAN.
>3) I am semi paranoid about all the hackers in my neighborhood, so, I want to use IPFW on some of the traffic from my wireless interface. And since IPFW can only block based on IP addresses, not ETHERNET address, this basically forced me to use DHCPD to assign FIXED ADDRESS to known ETHERNET ADDRESS. (this makes DHCPD look like an overkill.)
>So, now I can finally use IPFW rules to block evil traffic from the wireless interface
>
>So, finally, my question: on the wireless side, everyone uses the FREEBSD as the gateway, so I can see the traffic can go from wireless side->FreeBSD->DSL Router->Internet. But, how about coming back? if the traffic goes through any network
>Do I need to run routed, or gated so that everyone on the wired LAN knows to use the BSD box as a router?

No, gated/routed are daemons that are used for dynamic routing. A rather complicated matter. Most clients will absolutely not listen to the protocol they use to communicate with other routers. DHCP however can be used for this purpose.

>How does the DSL router know how to send packets back to the wireless side?

You will need to set up a route in the DSL router telling it where to send stuff. But that would be hard to do since right now you have the same IP block on your wired LAN as on your wireless LAN.

What you should do is use 2 different IP blocks. Say for instance 10.190.1.* on wired, and 10.190.2.* on wireless. Now the DSL router would be 10.190.1.1, the FreeBSD machine 10.190.1.10 on the wired side. On the wireless side FreeBSD would have 10.190.2.1. All other machines on wireless would need an IP in the same range of course, and use 10.190.2.1 as default gateway.

Then you make a new entry in the routing table on the DSL router, telling it to send all packets for 10.190.2.0 netmask 255.255.255.0 (usually written as 10.190.2.0/24 or 10.190.2/24) to 10.190.1.10. And then you're set.

(I use 10.* a lot because in my neck of the woods 192.* 193.* and 195.* are pretty common, and 10.* looks sufficiently different, so I can tell internal IPs from external IPs at a glance, YMMV)

>Thanks,
>Howard
>
>P.S.: Any good security suggestions are welcomed as well. :)

Don't use any cleartext authentication over wireless.

Furthermore, you should know that on wired networks, spoofing a MAC (ethernet) address is relatively easy (if you know what you're doing). I'm not up to speed however on the wireless stuff. Maybe they can do some encryption, and use a certain key to protect networks from "intruders".
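The two-subnet layout and the DHCP/ipfw pieces discussed in this thread, as an added example that is not from the original posts: it uses Rogier's example addresses; the DHCP pool, the two MAC addresses and the choice of ipfw rule numbers are assumptions, and with DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread): the FreeBSD-side setup Rogier sketches,
# with his example addressing. The DHCP pool, the two MACs below and the ipfw
# rule numbers are assumptions; dhcpd/ipfw syntax is the ISC dhcpd and
# FreeBSD 4.x ipfw form. DRY_RUN=1 (default) only prints the commands.
: "${DRY_RUN:=1}"
WLAN_IF=wi0;  WLAN_IP=10.190.2.1;  WLAN_NET=10.190.2.0
WIRED_IP=10.190.1.10              # FreeBSD's address on the wired LAN
DSL_ROUTER=10.190.1.1

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# ISC dhcpd: hand the wireless range out with the FreeBSD box as gateway, so
# no routed/gated is needed on the clients; known MACs get fixed addresses
# that the ipfw rules below can refer to.
dhcpd_wireless_subnet() {
    printf 'subnet %s netmask 255.255.255.0 {\n' "$WLAN_NET"
    printf '    option routers %s;\n    range 10.190.2.100 10.190.2.199;\n}\n' "$WLAN_IP"
}
dhcpd_host_stanza() {  # args: name, MAC, fixed IP
    printf 'host %s {\n    hardware ethernet %s;\n    fixed-address %s;\n}\n' "$1" "$2" "$3"
}

# Only the fixed addresses handed to known MACs may enter via wi0. ipfw matches
# on IP, not MAC, so a spoofed MAC plus a known IP still passes (as Rogier notes).
ipfw_wireless_rules() {
    n=1000
    for ip in "$@"; do
        run ipfw add "$n" allow ip from "$ip" to any in via "$WLAN_IF"
        n=$((n + 1))
    done
    run ipfw add 1999 deny ip from any to any in via "$WLAN_IF"
}

configure_gateway() {
    run ifconfig "$WLAN_IF" inet "$WLAN_IP" netmask 255.255.255.0
    run sysctl -w net.inet.ip.forwarding=1   # what gateway_enable=YES does
    ipfw_wireless_rules 10.190.2.10 10.190.2.11
    # Return path: the DSL router needs this static route (shown in route(8)
    # form; translate it into the router's own configuration syntax).
    echo "# on $DSL_ROUTER: route add -net $WLAN_NET/24 $WIRED_IP"
}

dhcpd_wireless_subnet
dhcpd_host_stanza laptop 00:02:2d:00:00:01 10.190.2.10
dhcpd_host_stanza desktop 00:02:2d:00:00:02 10.190.2.11
configure_gateway
```

The dhcpd output goes into dhcpd.conf on the FreeBSD box; run with DRY_RUN=0 as root to apply the ifconfig, sysctl and ipfw commands.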