[Fedora] Re: Wireless Access Point

Mikkel L. Ellertson mikkel at infinity-ltd.com
Mon Sep 24 19:42:33 UTC 2007


Ashley M. Kirchner wrote:
> Craig White wrote:
>> generally the preferred method is to require a VPN to connect the LAN
>> through a wireless system given the security implications of wireless.
>>   
>    I can't enforce that on all of our clients.  Some of them barely know
> how to properly turn off their computers...
> 
>> that notwithstanding though, if you use a dhcp server OTHER than the
>> Linksys device, you can assign a useless gateway address to specific
>> clients which in effect would not allow them to get to any network other
>> than the network which they can directly access
>    Of course, I didn't think of DHCP.  Yes, the Linux server would be
> running DHCP and the WAP would get its IP from that.  I just need to
> figure out how to tell it to have connecting clients fetch an IP from
> the linux server once I turn off its internal DHCP.
> 
With most access points, this is not a problem. They just pass on
the DHCP requests to the rest of the network, and the DHCP server
responds.

>    This whole thing is probably more convoluted than it really needs to
> be but the gist of it is, when someone walks in with their laptop, we
> want them to be able to connect to the WAP and only able to see one
> single network drive (which is on the same Linux server) so they can
> drop files for us.  The server itself is also connected to our internal
> network so our internal machines can get to it as well, however the WAP
> can't go "through" the server and see our internal network.
> 
>    However, if one of our employees were to bring in their laptop, they
> can connect to the same WAP and would be able to see everything
> "through" that server and access everything on the network (and
> internet.)  So there's some configuration that I need to figure out on
> the linux server to start with.  On the one hand, if an unknown client
> connects, issue a dummy IP that won't have any network routing, but that
> would still allow a local drive to be "seen" on that dummy network, and
> if a known client connects, issue a valid (internal) IP so they can
> work.  Hrm.  I wonder if the server itself also needs to have a dummy IP
> so it can communicate with whatever dummy IP gets issued...
> 
It is not hard to have 2 IP addresses on one NIC. It is also fairly
easy to set up the DHCP server with 2 pools of addresses. One pool
for customers, and one for employees. You can use the MAC address to
assign IP addresses for company and employee machines that you know
about. The hard part is from people spoofing MAC addresses, or using
their own address.

For limiting Internet access, you could set up a proxy server.
Limiting access to the rest of the network is hard. Someone that
knows what they are doing can ignore the settings from the DHCP server.

What you may want to do is to have 2 NICs on the server, and the
access point connected to one of them. That way, all wireless
connections have to go through the server, and its firewall rules.
You can then have a program on the server that will change the
iptables rules to let a specific machine access the rest of the
network. But having employees set up a VPN connection would be a lot
more secure.

Mikkel
-- 

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
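An added example, not code from this thread: a Python script for the two-NIC setup Mikkel describes, which reads the ISC dhcpd lease file and emits the iptables rules that confine wireless clients to the server's file share while forwarding known employee machines to the LAN. It assumes eth1 faces the access point, eth0 the internal LAN, the server at 192.168.20.1, and a hypothetical employee MAC allowlist; the lease text is a constructed sample.

```python
import re

# Constructed sample in ISC dhcpd.leases layout (assumed); the last record per IP wins.
SAMPLE_LEASES = """\
lease 192.168.20.100 {
  binding state active;
  hardware ethernet 00:16:D3:AA:BB:CC;
}
lease 192.168.20.101 {
  binding state active;
  hardware ethernet 00:0c:29:11:22:33;
}
lease 192.168.20.101 {
  binding state free;
  hardware ethernet 00:0c:29:11:22:33;
}
"""
EMPLOYEE_MACS = {"00:16:d3:aa:bb:cc"}  # hypothetical allowlist of employee laptops
WIFI_IF, LAN_IF, SERVER_IP = "eth1", "eth0", "192.168.20.1"  # assumed NIC names/address
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def active_leases(text: str) -> dict[str, str]:
    """Return {ip: mac} for leases whose most recent record is 'binding state active'."""
    leases: dict[str, str] = {}
    for ip, body in LEASE_RE.findall(text):
        mac = re.search(r"hardware ethernet\s+([0-9A-Fa-f:]+);", body)
        state = re.search(r"^\s*binding state\s+(\w+);", body, re.M)
        if mac and state and state.group(1) == "active":
            leases[ip] = mac.group(1).lower()
        else:
            leases.pop(ip, None)  # a later free/expired record supersedes an earlier one
    return leases

def build_rules(leases: dict[str, str], employees: set[str]) -> list[str]:
    """Guests reach only the server's SMB share; employees are forwarded to the LAN."""
    # MAC + IP matching is a convenience, not authentication: a guest can spoof a MAC.
    rules = [
        "iptables -P FORWARD DROP",
        f"iptables -A INPUT -i {WIFI_IF} -p udp --dport 67 -j ACCEPT",  # DHCP requests
        f"iptables -A INPUT -i {WIFI_IF} -d {SERVER_IP} -p tcp --dport 445 -j ACCEPT",  # SMB
        f"iptables -A INPUT -i {WIFI_IF} -j DROP",  # nothing else on the server from wireless
        f"iptables -A FORWARD -i {LAN_IF} -o {WIFI_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for ip, mac in sorted(leases.items()):
        if mac in employees:
            rules.append(f"iptables -A FORWARD -i {WIFI_IF} -o {LAN_IF} -s {ip} "
                         f"-m mac --mac-source {mac} -j ACCEPT")
    return rules
```

Run it from a dhcpd lease-change hook or a cron job and pipe the output through the shell after flushing the old rules; the guest whose lease was released gets no FORWARD rule at all.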
