On Thursday 2005-September-01 06:38, Daniel Banyasz wrote:

> This is all new to me, but it sounds like I can simply assign a
> second IP (on a different subnet) to my internal NIC.

Yes, using iproute2 (/sbin/ip) or just plain ifconfig(8). It's quite
simple. Have your OS bring up the main address as 192.168.4.1, then
this will add the second IP:

    ip addr add 192.168.2.1/24 label eth1:wifi dev eth1

> Could I then not just use this second subnet for the wireless AP and
> all its clients?

Yes, anything DHCP'ing through the AP should be given addresses in
192.168.2.0/24, not given a default gateway, and not allowed routing
through the firewall.

> Then I would bridge this second IP address on eth1 to the TAP device

I don't do bridging so I am not sure about this, but IIUC you probably
cannot do this. I think bridging is done on the basis of interface, and
I wouldn't think it could work per virtual interface. But using
ebtables(8) you can probably enforce the separation between the two
virtual interface subnets.

Consider this attack model: someone connects via wireless and assigns
themselves an unused IP in the "secure" subnet, 192.168.4.0/24. You need
to recognise that somehow, and refuse to do routing for the intruder.

> IP as I previously described, and those clients that didn't have
> openvpn installed and were just using my wireless after cracking WEP

(You might as well disable WEP anyway.)

> wouldn't be on the bridged network, but on the separate wireless
> subnet, and the firewall would drop all packets???

Right.

> But how do I set up a DHCP server on the eth1 interface to hand out
> IPs from 2 different ranges on two different subnets?

ISC dhcpd(8) has a lot of tricks in its bag. See dhcpd.conf(5) and
dhcp-options(5).

> And how do I know which range and subnet a particular client IP will

I think the simplest approach is to enumerate all your known hosts in
dhcpd.conf host declarations. Known Ethernet and OpenVPN hosts are in
the "secure" subnet, 192.168.4.0/24, and all others get addresses from
a pool in 192.168.2.0/24.

> be. Or should I just forget about this 2 IPs per physical interface
> idea and implement virtual interfaces as originally suggested.

"Virtual interface" was the term I used to describe the idea of two IP
addresses in distinct and separate logical subnets. I am thinking that
it can be made to act like a "virtual interface" but I am not sure.

> ps. I am having trouble replying to the list and having the message
> appear, so apologies if there is a double post.

Sometimes the sourceforge list servers are slow. Also, please keep the
HTML turned off.

--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
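The two pieces the reply sketches, a dhcpd.conf with host declarations for the known hosts and a gateway-less pool for everyone else, and firewall rules that refuse to route for a client that has helped itself to a 192.168.4.x address, are worked through below. This is an added example written for this archive page, not code from the thread or from the OpenVPN project. The hostnames and MAC addresses are constructed placeholders, the interface name eth1 and the two subnets are taken from the thread, and the iptables rules use the `mac` match module rather than ebtables because the reply notes bridging is not in use here.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates the dhcpd.conf
# and the iptables FORWARD rules for the two-subnets-on-one-NIC layout
# discussed above. Nothing here touches the system: both functions only
# print text, so the output can be reviewed before it is applied as root.

# Known hosts, one per line: "name MAC fixed-address" (constructed sample
# data; replace with your own). These are the only hosts that get a lease
# in the "secure" 192.168.4.0/24 subnet.
KNOWN_HOSTS="
laptop  00:11:22:33:44:55  192.168.4.10
desktop 00:11:22:33:44:66  192.168.4.11
"

# Print a dhcpd.conf. Both subnets live on the same segment (eth1), so
# ISC dhcpd requires them to be grouped in a shared-network declaration.
# The 192.168.2.0/24 pool deliberately carries no "option routers", so
# unknown wireless clients get an address but no default gateway.
gen_dhcpd_conf() {
  cat <<'EOF'
shared-network eth1 {
  # Secure subnet: no pool, so only a host with a fixed-address below
  # can ever be offered an address here.
  subnet 192.168.4.0 netmask 255.255.255.0 {
    option routers 192.168.4.1;
    option domain-name-servers 192.168.4.1;
  }

  # Wireless subnet: dynamic pool for everyone not listed as a host.
  subnet 192.168.2.0 netmask 255.255.255.0 {
    pool {
      range 192.168.2.100 192.168.2.200;
      deny known-clients;
    }
  }
}
EOF
  printf '%s\n' "$KNOWN_HOSTS" | while read -r name mac ip; do
    [ -n "$name" ] || continue
    printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n' \
      "$name" "$mac" "$ip"
  done
}

# Print iptables commands implementing "refuse to do routing for the
# intruder": forward only for (MAC, IP) pairs from the known-host list,
# log and drop anything else on eth1 that claims a secure-subnet source,
# and drop everything from the wireless subnet.
gen_forward_rules() {
  printf '%s\n' "$KNOWN_HOSTS" | while read -r name mac ip; do
    [ -n "$name" ] || continue
    echo "iptables -A FORWARD -i eth1 -s $ip -m mac --mac-source $mac -j ACCEPT"
  done
  echo "iptables -A FORWARD -i eth1 -s 192.168.4.0/24 -j LOG --log-prefix 'secure-spoof: '"
  echo "iptables -A FORWARD -i eth1 -s 192.168.4.0/24 -j DROP"
  echo "iptables -A FORWARD -i eth1 -s 192.168.2.0/24 -j DROP"
}

# Usage (as root, after reviewing the output):
#   gen_dhcpd_conf > /etc/dhcpd.conf && dhcpd -t -cf /etc/dhcpd.conf
#   gen_forward_rules | sh
```

The `dhcpd -t -cf` invocation syntax-checks the generated file without starting the daemon. The MAC match only catches the casual case the reply describes, a wireless client statically assigning itself a 192.168.4.x address; a MAC can be cloned, so the OpenVPN authentication, not this list, is what actually decides who belongs on the secure side, and the LOG rule is there so that any such attempt shows up in the kernel log.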