Date:      Tue, 23 Apr 2013 08:21:54 +0100
From:      Arthur Chance <freebsd@qeng-ho.org>
To:        freebsd-questions@freebsd.org
Cc:        aimass@yabarana.com
Subject:   Re: Home WiFi Router with pfSense or m0n0wall?
Message-ID:  <51763692.8010805@qeng-ho.org>
In-Reply-To: <kl47p4$f23$1@ger.gmane.org>
References:  <CAHieY7S9b9F1jndpkR2Drw=GCoBxmEWRs6Ot8MRjjQFH=xmHQQ@mail.gmail.com> <kl0qu9$ovo$1@ger.gmane.org> <CAHieY7SSbO%2Bwt68PeFLYDzAtqMnR0kJ3UakOjvLkSMzVA31LbA@mail.gmail.com> <kl3vao$hbt$1@ger.gmane.org> <CAHieY7QNqfvwyB4_ZM-df72qTnY06vi7sk1gcvpSAfcwAifC8A@mail.gmail.com> <kl441k$6sg$1@ger.gmane.org> <CAHieY7ROZtpcmapzgrDb=EANaZZJkLjmZjf-3WuV-SrULdUG0Q@mail.gmail.com> <kl47p4$f23$1@ger.gmane.org>

On 04/22/13 21:49, Michael Powell wrote:
> Alejandro Imass wrote:
>
>> On Mon, Apr 22, 2013 at 3:45 PM, Michael Powell <nightrecon@hotmail.com>
>> wrote:
>>> Alejandro Imass wrote:
>>>
>>>> [...]
>>>>
>>>>> Really these WEP/WPA2 protocols are not providing the level of
>>>>> protection that is truly necessary in this modern day. You can keep out
>>>>> script kiddies and people who don't have skill, but people who know
>>>>> what they are doing are only slowed down.
>>>>>
>>>>
>>>> Thanks for the detailed explanation! So, are there ways to run a
>>>> secure WiFi network? It would seem that in my case I have neighbours
>>>> that know what they're doing so should I just forget about WiFi and go
>>>> back to UTP?
>>>>
>>>
>>> We use 802.1x auth on our switch (and other hardware) ports at work and
>>> this utilizes a Radius server. At work we are mostly a $MS WinderZ shop,
>>> but with Enterprise grade access points (we have Aruba's), EAP, and
>>> Radius we
>> [...]
>>>
>>> This email is already getting a trifle long, so suffice to say if you
>>> really need the best security on a home ISP router the best you can do is
>>> turn off the radio and use Ethernet and UTP. This returns to the original
>>> focus of your question in that the firewall would be the point of
>>> contention and not the cracking of WEP/WPA2 auth keys. What I was wanting
>>> to point out to you originally is that changing the firewall is a
>>> separate issue from the cracking of Wifi auth keys.
>>>
>>
>> I absolutely got that but I was assuming that a pre-packaged WiFi
>> router with pfSense or m0n0wall would have a more secure wireless
>> hardware and software as well. Now I see the problem is more complex
>> and that the wireless part is vulnerable regardless. So if by cracking
>> the wireless part they can spoof the mac addresses of authorized
>> equipment, what other methods could a BSD-based firewall use to
>> prevent the cracker from penetrating or using the network beyond the
>> WiFi layer? From your response it seems very little or nothing
>> really...
>>
> Yes - unfortunately this is about the state of things. Not a whole lot
> you're going to do to improve the consumer grade home router. There are some
> hardware specific firmware projects that I've never played with such as:
>
> http://www.dd-wrt.com/site/index
>
> The pre-packaged home equipment is relatively cheap when compared against
> the top of the line enterprise-grade commercial products. Most are some form
> of embedded Linux. For example, the MI424WR-Rev3 I have here is busybox (
> http://www.busybox.net/ ). If you turn on remote management and telnet into
> it you get a busybox prompt! With a busybox shell and all busybox commands.
> The firewall many of these embedded Linux things are using is iptables2, the
> standard Linux firewall package.
>
> What I was pondering is some form of L2TP tunnel, or some other form of
> IPSEC tunnel to form some kind of VPN like communication between the client
> and the wifi. Just never have begun to find the time to get anywhere with
> the idea. But basically it would resemble a VPN that only accepts connection
> from a tunnel endpoint client and not pass any traffic from any other client
> lacking this VPN-like endpoint. I think such a thing is very possible and
> have read some articles by people who have done very similar sounding
> things. Indeed, this is what SSL-VPN providers do via a subscription service
> so people surfing at open wifi coffee shops tunnel through the local open
> wifi and set up an encrypted VPN tunnel.

A quick note: pfSense (I don't know about m0n0wall) has OpenVPN built in 
to it. Depending on whether all devices which are going to connect 
wirelessly can run the client end of OpenVPN, this might be a quick way 
to get greater security on the WiFi side.

> Just not enough time in the day. I know it's do-able, just never have found
> the time to properly approach it.



-- 
In the dungeons of Mordor, Sauron bred Orcs with LOLcats to create a
new race of servants. Called Uruk-Oh-Hai in the Black Speech, they
were cruel and delighted in torturing spelling and grammar.

		_Lord of the Rings 2.0, the Web Edition_
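
The tunnel-only idea discussed in this thread, sketched as a FreeBSD pf.conf (an added example, not part of the original message and not pfSense's generated ruleset). The interface names, subnets, the OpenVPN port and the firewall acting as DHCP server for the wireless segment are all assumptions.

```pf
# Constructed example: every name and address below is an assumption.
ext_if    = "em0"               # WAN uplink
wifi_if   = "ath0"              # interface facing the wireless segment
vpn_if    = "tun0"              # OpenVPN tunnel interface
wifi_net  = "192.168.50.0/24"   # addresses handed to associated WiFi clients
vpn_net   = "10.8.0.0/24"       # addresses handed out inside the tunnel
ovpn_port = "1194"              # UDP port the OpenVPN server listens on

set block-policy drop
set skip on lo0

# Only tunnel addresses are translated to the Internet. A host that has
# merely joined the WiFi (cracked key, spoofed MAC) never gets NAT.
nat on $ext_if inet from $vpn_net to any -> ($ext_if)

# Default deny, logged so that probing from the wireless side shows up in pflog.
block log all

# Wireless segment: DHCP so clients can get an address ...
pass in  quick on $wifi_if inet proto udp from any port 68 to any port 67
pass out quick on $wifi_if inet proto udp from ($wifi_if) port 67 to any port 68

# ... and the OpenVPN listener on the firewall itself. Nothing else.
pass in quick on $wifi_if inet proto udp from $wifi_net to ($wifi_if) \
    port $ovpn_port keep state
block in log quick on $wifi_if all

# Clients that completed OpenVPN authentication arrive on the tunnel
# interface and are the only wireless hosts allowed through.
pass in  on $vpn_if inet from $vpn_net to any keep state
pass out on $ext_if inet all keep state
```

With rules like these the WiFi key and MAC address stop being the access control: an associated but unauthenticated host can reach only DHCP and the VPN port, and `tcpdump -n -e -i pflog0` shows anything else it tries.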


