[sclug] Wireless Routers & Linux Firewalls

[Ian Park]

Phillip Chandler wrote:

> Date: Sat, 15 Mar 2008 21:00:55 +0000
> From: Phillip Chandler <phillip.chandler at ntlworld.com>
> Subject: [sclug] Wireless Routers & Linux Firewalls
> To: sclug at sclug.org.uk
> Message-ID: <1205614855.10633.29.camel at TrailerTrash>
> Content-Type: text/plain
> 
> Changing the subject to something new.
> 
> I have a p3 setup as a firewall with Clarkconnect 4.2 with an 8 port hub
> for the machines on the network. Im with Virgin, well NTL really but now
> Virgin.
> 
> What Im interested in doing is adding a wireless in the place of the
> hub. And Im trying to get my head around setting up the IP addresses. I
> wanted to run my thinking past you chaps to see if I have a basic
> understanding of what I need to do.
> 
> The firewall to modem Eth0 is set to dynamic, and is given the IP
> address wen the modem connects.
> 
> The firewall has a static ip address of 192.168.0.1
> 
> A range of address from 192.168.0.2 to 192.168.0.254 is defined so that
> the machines on the lan can pick their IP address.
> 
> If I was to connect the wireless router (or any router) it would have a
> default IP address of 192.168.0.1 (?????)
> 
> So would I have to do the following ?
> 
> Connect up the wireless to the modem,
> Log in to the wireless and change the IP address to 192.168.0.2
> Power down everything, reconnect the modem to the firewall,
> Connect the wireless router in place of the hub,
> Log on to the firewall using the pre defined IP 192.168.0.1 and
> change the range of addresses by adding 1 to the start, so they would
> then be 192.168.0.3 to 192.168.0.254.
> 
> Your probably asking why I want the router to be on the Green eth1 side
> of the firewall. Its a habit of security that I have. My partner is
> confident enough on her PC using Win XP, so I want her behind the linux
> firewall for added security. I tend to work via wired when Im home. But
> Id like the option of having wireless if needed.
> 
> And if possible Id disable the wireless part,only switching it on when I
> want to go work out in the garden, on one of those lovely hot sunny days
> I know we're going to get soon.
> 
--
Hi all

Phillip's setup looks *very* similar to mine; the only variation is that 
I'm using Smoothwall in my PIII box... The way I've got mine set up (and 
it works nicely) is:

The Smoothwall box (static address 192.168.17.7 - don't ask why...) 
works as a DHCP server, to allocate addresses to everything else on my 
network. I've also set it to allocate fixed addresses to every host 
(including the wireless access point, which is a separate unit from the 
network hub, and my networked laser printer) whose MAC address it 
recognises - don't know whether Clarkconnect offers the same 
possibility, but it doesn't really matter a great deal.

Smoothwall can also act as a proxy DNS server, so it can resolve the 
names of local hosts to private IP addresses on my network. To 
administer the wireless access (host name wap), I point the browser on a 
workstation at http://wap - unfortunately the web server on the WAP is a 
nasty one which will work properly only with IE :( - and set up the WAP 
as I need it; you should be able to do similarly with a combined router 
& wireless access. You'll need to switch off the DHCP server in the 
WAP/router, to allow the Clarkconnect box to allocate IP addresses to 
hosts which work through the WAP.

This setup will put the allocation of addresses to all your hosts, wired 
or wireless, in the same place; it's a matter of personal preference 
whether you nail up the addresses in the DHCP server table or allow them 
to be truly dynamic. Whet you *will* need to do is set the address range 
for dynamic addresses in the DHCP server so there's no clash with the 
fixed allocation. As far as the hosts on your network are concerned, 
they use DHCP - only the DHCP *server* knows about the nailed up nature 
of (some) addresses.

If you have a separate WAP (as I do) then it's very easy to switch off 
the wireless when you don't need it. A further refinement which I use is 
to set MAC address filtering on the WAP, so that it doesn't let every 
Tom, Dick & Harry grab your wireless bandwidth; only someone who's 
determined enough to find out what MAC addresses are allowed and spoof 
one of those addresses (and work around the encryption) can get in.

Hope this helps

Ian
-- 
Ian Park
17 Pyle Hill
Newbury
Berkshire
RG14 7JJ
Tel: +44 (0)1635 821420
GSM: +44 (0)7785 300290
email: ian at chalmers-park.name
--