From owner-freebsd-net@FreeBSD.ORG Thu Sep 2 18:30:13 2004
From: Charles Swiger
Date: Thu, 2 Sep 2004 14:30:03 -0400
To: rip
cc: freebsd-net@freebsd.org
Subject: Re: 3 NICs - 1 upstream, 2 downstream to same subnet??
Message-Id: <1B4160E2-FD0E-11D8-A54A-003065A20588@mac.com>
In-Reply-To: <413763C1.90208@bronzedragon.net>
References: <413763C1.90208@bronzedragon.net>
List-Id: Networking and TCP/IP with FreeBSD

On Sep 2, 2004, at 2:17 PM, rip wrote:

> I am trying to make a configuration to isolate the WiFi APs on a
> single segment. DHCP hands out 'good' addresses (10.0.0.x) to MACs it
> recognizes and 'bad' (10.99.0.x) when the MAC does not match and is
> taken from the common pool.
> I then will use ipfw to block the trespassers, but do a bit of data
> collection at the same time. I don't expect much bad traffic here
> since WEP will keep out the casual.
> Just a defense-in-depth thing.

What you're trying to do won't actually give you much security benefit: someone who wants to break in doesn't have to pay attention to the DHCP lease you give them; they can just assign themselves a good 10.0.0.x address.

The second problem you are having is that you can't have two NICs on the same subnet. The routing table needs interfaces to be unique so it doesn't have to guess which route should be used.

-- 
-Chuck
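The weakness Chuck describes, modelled as an added example (this is not code from the thread, nor a FreeBSD or ISC dhcpd configuration): the DHCP server hands a "good" 10.0.0.x lease to a known MAC and a "bad" 10.99.0.x lease to anything else, and an ipfw-style rule then drops 10.99.0.0/16. A client that ignores its lease and sets a 10.0.0.x address by hand is never touched by that rule. The MAC allowlist, pool sizes, addresses and the `mac_rule_drops` check are constructed for illustration; the layer-2 check only shows where the filter would have to key to catch the static-address case, and it is of course just as spoofable as the MAC the DHCP server trusts.

```python
"""
Model of the DHCP-classify-then-ipfw-filter plan from the thread and the
bypass Chuck points out. All MACs and addresses are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed allowlist of "recognised" client MACs (assumption, not from the post).
KNOWN_MACS = {"00:0d:93:aa:bb:01", "00:0d:93:aa:bb:02"}
GOOD_POOL = IPv4Network("10.0.0.0/24")   # leases for recognised MACs
BAD_POOL = IPv4Network("10.99.0.0/24")   # leases for everyone else
BLOCKED = IPv4Network("10.99.0.0/16")    # what the planned ipfw rule denies


@dataclass(frozen=True)
class Packet:
    """One IP packet as seen on the downstream interface: L2 source + L3 source."""
    src_mac: str
    src_ip: IPv4Address


def dhcp_offer(mac: str, index: int) -> IPv4Address:
    """The DHCP policy from the original post: known MACs get a 10.0.0.x
    address, unknown MACs get one from the 10.99.0.x pool."""
    pool = GOOD_POOL if mac.lower() in KNOWN_MACS else BAD_POOL
    return pool[10 + index]  # arbitrary offset past the low addresses


def ip_rule_drops(pkt: Packet) -> bool:
    """rip's planned filter, i.e. 'ipfw add deny ip from 10.99.0.0/16 to any'.
    It only ever sees the source IP the client chose to put in the packet."""
    return pkt.src_ip in BLOCKED


def mac_rule_drops(pkt: Packet) -> bool:
    """Hypothetical layer-2 check: drop unless the frame's source MAC is on the
    same allowlist the DHCP server uses. Catches the self-assigned address
    case below, but a spoofed MAC defeats it just as easily."""
    return pkt.src_mac.lower() not in KNOWN_MACS


def run_scenario() -> dict:
    """Returns {case: (dropped_by_ip_rule, dropped_by_mac_rule)} for three clients."""
    results = {}

    # 1. A polite stranger takes the 10.99.0.x lease it is offered.
    mac = "00:16:cb:de:ad:01"
    pkt = Packet(mac, dhcp_offer(mac, 0))
    results["lease_taker"] = (ip_rule_drops(pkt), mac_rule_drops(pkt))

    # 2. A trespasser ignores DHCP entirely and configures 10.0.0.77 by hand
    #    (the equivalent of 'ifconfig <if> inet 10.0.0.77 netmask 255.255.255.0').
    pkt = Packet("00:16:cb:de:ad:02", IPv4Address("10.0.0.77"))
    results["static_trespasser"] = (ip_rule_drops(pkt), mac_rule_drops(pkt))

    # 3. A recognised client using its normal lease passes both checks.
    mac = "00:0d:93:aa:bb:01"
    pkt = Packet(mac, dhcp_offer(mac, 0))
    results["known_client"] = (ip_rule_drops(pkt), mac_rule_drops(pkt))

    return results


if __name__ == "__main__":
    for case, (by_ip, by_mac) in run_scenario().items():
        print(f"{case:18s} ip-rule drops: {by_ip!s:5s}  mac-rule drops: {by_mac}")
```

The `static_trespasser` row is the whole argument: the IP-based rule passes it, because the 10.99.0.x address was only ever a suggestion the client was free to ignore. Any control that depends on the client honouring its lease is bookkeeping, not enforcement.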