Date:      Fri, 03 Sep 2004 06:54:04 -0400
From:      RRrp Toren <rtoren@bronzedragon.net>
To:        Charles Swiger <cswiger@mac.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: 3 NICs - 1 upstream, 2 downstream  to same subnet??
Message-ID:  <41384D4C.9030209@bronzedragon.net>
In-Reply-To: <1B4160E2-FD0E-11D8-A54A-003065A20588@mac.com>
References:  <413763C1.90208@bronzedragon.net> <1B4160E2-FD0E-11D8-A54A-003065A20588@mac.com>

Charles Swiger wrote:
> On Sep 2, 2004, at 2:17 PM, rip wrote:
> 
>> I am trying to make a configuration to isolate the WiFi APs on a 
>> single segment. DHCP hands out 'good' addresses (10.0.0.x) to MACs it 
>> recognizes and 'bad' (10.99.0.x) when the MAC does not match and is 
>> taken from the common pool.
>> I then will use ipfw to block the trespassers, but do a bit of data 
>> collection at the same time. I don't expect much bad traffic here 
>> since WEP will keep out the casual. Just a defense-in-depth thing.
> 
> What you're trying to do won't actually give you much benefit to 
> security: someone who wants to break in doesn't have to pay attention to 
> the DHCP lease you give them, they can just assign themselves a good 
> 10.0.0.x address.
    I am not a believer in the idea that the only good solution is the 100% 
solution. I like the multi-layering of 80% solutions.
    The IP addresses here were picked for demonstration purposes. The actual 
set can come from anywhere within the RFC 1918 network numbers. So picking a 
good IP the 1st time, in the blind, is like shooting a bullseye on the first 
shot in a pitch-black range you just stepped into. Then there are other layers 
that have to be bypassed. Sort of like Indiana Jones. There are many 
challenges to overcome, with only one attempt each. I am just asking about the 
technical feasibility.
> 
> The second problem you are having is that you can't have two NICs on the 
> same subnet.  The routing table needs interfaces to be unique so it 
> doesn't have to guess which route should be used.
> 
    If this is a FreeBSD implementation restriction, then so be it. I have 
always thought routers could service a large subnet with multiple interfaces. 
And that FreeBSD could be configured as a router.

Thanks for the info

Rip
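The DHCP side of the scheme Rip describes (recognised MACs get a 10.0.0.x lease, everything else is pushed into 10.99.0.x), as an added ISC dhcpd.conf example that is not part of the original thread. The gateway addresses, ranges, lease times and the sample MAC are assumed or constructed; the ipfw rules that block and log the 10.99.0.x range are a separate step on the router.

```conf
# Added example (not from the original thread): ISC dhcpd.conf fragment for
# the 'good' / 'bad' pool scheme. Addresses, lease times and the MAC address
# below are assumed or constructed values.

# Both address ranges live on the same physical segment, so they must be
# grouped in one shared-network; without it dhcpd will not serve two subnets
# from a single interface.
shared-network wifi-segment {
    # 'good' range: only MACs that have a host declaration get a lease here
    subnet 10.0.0.0 netmask 255.255.255.0 {
        option routers 10.0.0.1;          # assumed router address on this NIC
        pool {
            deny unknown-clients;
            range 10.0.0.100 10.0.0.199;
            default-lease-time 86400;
        }
    }

    # 'bad' range: everything else lands here, where ipfw can log and drop it
    subnet 10.99.0.0 netmask 255.255.255.0 {
        option routers 10.99.0.1;         # assumed router address for the trap range
        pool {
            allow unknown-clients;
            deny known-clients;           # keep recognised MACs out of the trap range
            range 10.99.0.100 10.99.0.199;
            default-lease-time 600;       # short lease so trespasser entries churn quickly
        }
    }
}

# A 'known' client is simply one with a host declaration carrying its MAC;
# no fixed-address is needed for it to qualify for the 'good' pool.
host laptop-alice {
    hardware ethernet 00:11:22:33:44:55;  # constructed MAC
}
```

On the FreeBSD router the 10.99.0.0/24 range can then be matched by ipfw `deny log` rules so the trespasser traffic is recorded (with `net.inet.ip.fw.verbose=1`) before being dropped. As Charles points out, this only catches clients that honour the lease they are offered, so it is one layer, not the control.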
