Two remote LANs sharing internet thru wireless connection

 
 
tns1
05-02-2005, 09:39 PM
I'd like to share JUST my internet connection with some remote PCs.
Any solution would have to give me some confidence that these new PCs
were somewhat isolated from my own LAN. I can share files on my LAN,
they can share files on their LAN, but no sharing between LANs. Slower
surfing is an acceptable outcome, just no extra security holes please.
I'd like a solution that does not depend on leaving a PC running (ICS),
multi-homed, SW firewalls, etc.

What I have:
LAN1 is 3 PCs wired into a BEFW11S4 gateway configured router.
A cable modem on the uplink provides the www.
Occasionally I use a wireless laptop here as well, but most of the time
I have the wireless disabled out of paranoia. I do use WEP.

LAN2 is a couple of PCs located 1/2 mile away suffering on dial-up (no
cable available). These 2 PCs are not networked together yet. A wireless
LAN at this location probably makes the most sense to avoid drilling holes.

I can stand on the roof of either house with binoculars and almost see
just where I would mount the antenna on the other house. There is very
large (pepper, willow?) tree that blocks LOS. It has lots of small
leaves all year, but not so dense I can't partially see through it.
There are also a few palm trees to either side of LOS.

I am thinking that a cantenna or dish pair might provide the link, with
the antennas mounted up on each roof. I'll probably build or buy one
cantenna so I can do a survey at each location first.

I considered getting a second BEFW11S4 for LAN2, thinking it could talk
wirelessly to the first one, but I have been told they won't do that. I
don't see anything in the settings about putting the router in AP client
mode, so maybe that is true. Tech support never seems very confident
about their answers on this stuff though.

Next I looked at the WET11 for LAN2. I believe I would still need
something like a WAP11 or router too. The antenna location is not going
to be very close to the PCs so its either 50ft of LMR400 on the antenna
or the WET + WAP plus some CAT5.

Security questions:
I have read where the directional antenna makes it harder for local
eavesdropping. Are there any antennas or methods to eliminate everything
but the very narrow aperture? Most of the ones I have seen have pretty
wide radiation patterns.

A previous post mentioned a wireless client isolation feature of the
WRT54G. This could be what I want, but maybe the BEFW11S4 can provide
something similar. I see some filtering functions in the router. I see
how I can filter (prevent) a particular IP from reaching the WAN, and I
see how the DMZ function places an IP 'outside' on the WAN.
Can the DMZ function be used to isolate one IP from others?
Can the static routing function be used for this?
Does disabling DHCP on each LAN and using static IPs increase security?
I saw mention of SSH over WEP. I suppose I would need to leave a PC
running as a gateway to make this happen.

Thanks

Jeff Liebermann
05-03-2005, 07:24 AM
On Mon, 02 May 2005 14:39:23 -0700, tns1 <(E-Mail Removed)> wrote:

Sigh. So many questions...

>Any solution would have to give me some confidence that these new PCs
>were somewhat isolated from my own LAN.


That's not easy, but possible. The WRT54G stock Linksys firmware has
a misnamed feature called "access point isolation" which is really
client isolation. It prevents bridging between wireless clients. I
think (not sure) that it also prevents bridging between wireless
clients and the remote LAN when used in WDS mode. I haven't tested
this so treat this a potentially bad guess.

>I can share files on my LAN,
>they can share files on their LAN, but no sharing between LANs.


Well, password protected shares would work as well.

>Slower
>surfing is an acceptable outcome, just no extra security holes please.


Speed and security are not interdependent.

>I'd like a solution that does not depend on leaving a PC running (ICS),
>multi-homed, SW firewalls, etc.


Well, duz your ISP support more than one IP address per DSL or cable
modem connection? Most of the local DSL resellers do that, but not
the local cable company (Comcast). If you could get a 2nd routable IP
address, then all that would be needed is an arrangement like this:
http://www.LearnByDestroying.com/crud/5IP.txt

dsl ===[ Alcatel 1000    ]==[ 8 port  ]==[router]==192.168.1.xxx
line   [DSL bridge/modem]  [ ethernet]
                           [  hub    ]==[router]==192.168.2.xxx
                           [         ]
                           [         ]==[router]==192.168.3.xxx
                           [         ]
                           [         ]==[router]==192.168.4.xxx
                           [         ]
                           [         ]==[router]==192.168.5.xxx

The above is for a 5 IP address system. One of the routers is your
BEFW11S4 router and services your local LAN.

One of the other routers can be almost any type of wireless access
point (not a router). The other end the link goes to wireless
ethernet client radio, such as a WRT54G in client mode, WAP54G,
DWL900AP+, WAP11, etc. It only needs to route 1 IP address so you do
NOT need a transparent bridge. At the remote end is also a wired or
wireless router. That will take care of remote machines.

Because the two LAN's are on separate WAN IP addresses and separate
routers, nothing moves between them.

This can also be done with one less box using WDS. However, you will
need TWO compatible wireless routers capable of doing WDS. WRT54G is
a good choice.

>What I have:
>LAN1 is 3 PCs wired into a BEFW11S4 gateway configured router.
>A cable modem on the uplink provides the www.
>Occasionally I use a wireless laptop here as well, but most of the time
>I have the wireless disabled out of paranoia. I do use WEP.
>
>LAN2 is a couple of PCs located 1/2 mile away suffering on dial-up (no
>cable available). These 2 PCs are not networked together yet. A wireless
>LAN at this location probably makes the most sense to avoid drilling holes.


Going wireless to wireless through a router will cause a 50% reduction
in potential thruput. However, this may not be detrimental. If you
get a good line of sight, strong signal, etc, half of whatever you are
able to do on the link will still be faster than whatever your cable
modem can deliver. (Notice how I left out all the numbers).

>I can stand on the roof of either house with binoculars and almost see
>just where I would mount the antenna on the other house. There is very
>large (pepper, willow?) tree that blocks LOS. It has lots of small
>leaves all year, but not so dense I can't partially see through it.
>There are also a few palm trees to either side of LOS.


Any way to mount an antenna so that you go around the tree? It's
difficult to judge how much a tree will interfere. My calculated
guesswork is often off by several orders of magnitude. However, if
you can see through the tree, you have a chance. That's a chance, not
a guarantee. The problem will be that trees move. What works one
day, may not work the next, or when it gets windy or rainy. Also, you
can often get line of sight by going under the bottom branches of a
tree. The lower branches are usually easy to trim.

>I am thinking that a cantenna or dish pair might provide the link, with
>the antennas mounted up on each roof. I'll probably build or buy one
>cantenna so I can do a survey at each location first.


I'm not a big fan of coffee can antennas, but they do work. Try it,
but if possible, borrow a commercial dish or panel antenna.

>I considered getting a second BEFW11S4 for LAN2, thinking it could talk
>wirelessly to the first one, but I have been told they won't do that.


That won't work. The BEFW11S4 does not support WDS, transparent
bridging, or any form of point to point link.

>I don't see anything in the settings about putting the router in AP client
>mode, so maybe that is true.


There's no setting. However, access point mode is easy. All you need
to do is:
1. Ignore the WAN port.
2. Connect whatever to the LAN port.
3. Set the IP address so that it does NOT duplicate other routers on
the LAN, but is in the same Class C IP address block.
4. Disable the DHCP server.
That's it. Now you have an access point instead of a wireless router.

>Tech support never seems very confident
>about their answers on this stuff though.


There are about 3 standard configurations, used in 99.9% of all WLAN's
that support knows about. There are about 30 configurations that
support has never seen that cover the remaining 0.1%. Yours is in the
0.1% group.

>Next I looked at the WET11 for LAN2. I believe I would still need
>something like a WAP11 or router too. The antenna location is not going
>to be very close to the PCs so its either 50ft of LMR400 on the antenna
>or the WET + WAP plus some CAT5.


50ft of LMR400 is possibly too much. That's about 3.4dB of coax loss
plus about 1dB of connector loss. Half your power and sensitivity is
lost in the coax. You can make it up with a bigger antenna, but
there's a limit to how big is practical. 3dB is double the (aperture)
size of the antenna.

>Security questions:
>I have read where the directional antenna makes it harder for local
>eavesdropping.


True. You have to be in the beam path to do anything disgusting. If
the beam is 30ft off the ground, it's kinda hard to do. However, even
the best antennas are rather wide and have side lobes. For example, a
24dBi dish antenna is about 6 degrees wide at -3dB beamwidth. At 1/2
mile, that's a 330ft wide beam. You don't have to move back too far
to hear that.

The real advantage of highly directional antennas is an improved S/N
ratio, which shows up as a speed increase. That can be due to a
stronger signal, but also due to less interference from co-channel
stations off to the side of the beam.

>Are there any antennas or methods to eliminate everything
>but the very narrow aperture? Most of the ones I have seen have pretty
>wide radiation patterns.


Not easily for 2.4GHz. As you go up in frequency, the beam width gets
narrower. You can probably go optical with FSO (free space optics)
and get a very narrow beam.

>A previous post mentioned a wireless client isolation feature of the
>WRT54G. This could be what I want, but maybe the BEFW11S4 can provide
>something similar.


I have a BEFW11S4v4. It doesn't have client isolation or WDS.

>I see some filtering functions in the router. I see
>how I can filter (prevent) a particular IP from reaching the WAN, and I
>see how the DMZ function places an IP 'outside' on the WAN.
>Can the DMZ function be used to isolate one IP from others?


The DMZ is not useful for this. It simply redirects *ALL* IP ports to
a specific LAN IP address, so you can totally expose a client computer
to all the hackers and attackers on the WAN side.

>Can the static routing function be used for this?


I'm convinced that the static routing in the BEFW11S4v4 is broken.
I've tried to use it to assign a static route on the WAN side to my
DSL modem. It didn't work. It generated quite a thread in the
DSLReports.com Linksys forum, which provided some suitable
alternatives, but the bug is still there today.

>Does disabling DHCP on each LAN and using static IPs increase security?


No. Hackers can sniff the traffic, extract the currently used IP
address, and simply assign their own. No benefit at all.

>I saw mention of SSH over WEP. I suppose I would need to leave a PC
>running as a gateway to make this happen.


Sorry, no clue. I use SSH2 all the time for admin, but not for a
continuously connected tunnel. For that, I use IPSec VPN's. I have
no idea what SSH over WEP means.


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
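As an added example (not part of the original thread), a small Python helper for the link arithmetic Jeff works through above: coax and connector loss in dB, the fraction of power that survives, how much bigger an antenna must get to win it back, and how wide a -3 dB beam is at a given distance, which is also the strip of ground where a passive listener could sit. The LMR-400 figure of 6.8 dB per 100 ft at 2.4 GHz and the 0.5 dB per connector are assumed spec values chosen to match the post's 3.4 dB and 1 dB; everything else is straight geometry.

```python
import math

# Assumed cable spec (not from the thread): LMR-400 runs about 6.8 dB per
# 100 ft at 2.4 GHz, which reproduces the post's 3.4 dB for a 50 ft run.
LMR400_DB_PER_100FT = 6.8
# Assumed per-connector allowance; two connectors give the post's ~1 dB.
CONNECTOR_LOSS_DB = 0.5
FEET_PER_MILE = 5280


def coax_loss_db(length_ft: float, db_per_100ft: float = LMR400_DB_PER_100FT) -> float:
    """Attenuation of a coax run of the given length in feet."""
    return length_ft / 100.0 * db_per_100ft


def feedline_loss_db(length_ft: float, connectors: int = 2,
                     db_per_100ft: float = LMR400_DB_PER_100FT) -> float:
    """Coax loss plus a fixed allowance for each connector in the run."""
    return coax_loss_db(length_ft, db_per_100ft) + connectors * CONNECTOR_LOSS_DB


def power_fraction(loss_db: float) -> float:
    """Fraction of power left after a loss in dB (3 dB leaves about half)."""
    return 10 ** (-loss_db / 10.0)


def aperture_multiplier(gain_needed_db: float) -> float:
    """How many times larger an antenna's capture area must be to add the
    requested gain. Gain scales with aperture area, so 3 dB is roughly 2x."""
    return 10 ** (gain_needed_db / 10.0)


def beam_footprint_ft(beamwidth_deg: float, distance_ft: float) -> float:
    """Width of the -3 dB beam at the given range (flat-earth geometry).
    Anything inside this strip, plus the side lobes, can hear the link."""
    half_angle = math.radians(beamwidth_deg / 2.0)
    return 2.0 * distance_ft * math.tan(half_angle)


def link_summary(cable_ft: float, beamwidth_deg: float, distance_miles: float) -> dict:
    """Pull the individual figures together for one proposed link."""
    loss = feedline_loss_db(cable_ft)
    footprint = beam_footprint_ft(beamwidth_deg, distance_miles * FEET_PER_MILE)
    return {
        "feedline_loss_db": round(loss, 2),
        "power_remaining": round(power_fraction(loss), 3),
        "aperture_to_recover": round(aperture_multiplier(loss), 2),
        "beam_footprint_ft": round(footprint, 1),
    }


if __name__ == "__main__":
    # The thread's case: 50 ft of LMR-400, a 6 degree dish, a half-mile hop.
    for key, value in link_summary(50, 6, 0.5).items():
        print(f"{key:>22}: {value}")
```

For the thread's numbers the geometry gives roughly 277 ft of beam width at half a mile, the same order as the post's round 330 ft, and side lobes widen the exposed area beyond that.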
 

tns1
05-03-2005, 04:26 PM
Jeff Liebermann wrote:
> On Mon, 02 May 2005 14:39:23 -0700, tns1 <(E-Mail Removed)> wrote:
>
> Sigh. So many questions...
>

And lots of good help on answering them, thanks.

>>Any solution would have to give me some confidence that these new PCs
>>were somewhat isolated from my own LAN.

>
> That's not easy, but possible. The WRT54G stock Linksys firmware has
> a misnamed feature called "access point isolation" which is really
> client isolation. It prevents bridging between wireless clients. I
> think (not sure) that it also prevents bridging between wireless
> clients and the remote LAN when used in WDS mode. I haven't tested
> this so treat this a potentially bad guess.
>

I am looking at the manual and I don't see this.

>>I can share files on my LAN,
>>they can share files on their LAN, but no sharing between LANs.

>
> Well, password protected shares would work as well.
>

I forgot about that. Ideally the security would not depend on PC SW,
particularly windows. I'll certainly use what's there such as SW firewalls.

>>I'd like a solution that does not depend on leaving a PC running (ICS),
>>multi-homed, SW firewalls, etc.

>
> Well, duz your ISP support more than one IP address per DSL or cable
> modem connection? Most of the local DSL resellers do that, but not
> the local cable company (Comcast). If you could get a 2nd routable IP
> address, then all that would be needed is an arrangement like this:
> http://www.LearnByDestroying.com/crud/5IP.txt
>
> dsl ===[ Alcatel 1000    ]==[ 8 port  ]==[router]==192.168.1.xxx
> line   [DSL bridge/modem]  [ ethernet]
>                            [  hub    ]==[router]==192.168.2.xxx
>                            [         ]
>                            [         ]==[router]==192.168.3.xxx
>                            [         ]
>                            [         ]==[router]==192.168.4.xxx
>                            [         ]
>                            [         ]==[router]==192.168.5.xxx
>
> The above is for a 5 IP address system. One of the routers is your
> BEFW11S4 router and services your local LAN.
>

I like it. With cox cable, extra IPs are $7 ea. I forgot to ask them if
this buys me any more BW or higher limits. At a measured 4Mb
download, I believe there is not much more peak BW to be had (they do
offer 5Mb on individual accounts for $15 extra), but I am probably not
fully utilizing mine anyway. If I can get a reliable link set up, this
seems like the way to go. Wouldn't a switch be better than a hub here?

> One of the other routers can be almost any type of wireless access
> point (not a router). The other end the link goes to wireless
> ethernet client radio, such as a WRT54G in client mode, WAP54G,
> DWL900AP+, WAP11, etc. It only needs to route 1 IP address so you do
> NOT need a transparent bridge. At the remote end is also a wired or
> wireless router. That will take care of remote machines.
>
> Because the two LAN's are on separate WAN IP addresses and separate
> routers, nothing moves between them.
>

perfect.

> This can also be done with one less box using WDS. However, you will
> need TWO compatible wireless routers capable of doing WDS. WRT54G is
> a good choice.


I see they have a 'GX model now.
>
>>What I have:
>>LAN1 is 3 PCs wired into a BEFW11S4 gateway configured router.
>>A cable modem on the uplink provides the www.
>>Occasionally I use a wireless laptop here as well, but most of the time
>>I have the wireless disabled out of paranoia. I do use WEP.
>>
>>LAN2 is a couple of PCs located 1/2 mile away suffering on dial-up (no
>>cable available). These 2 PCs are not networked together yet. A wireless
>>LAN at this location probably makes the most sense to avoid drilling holes.

>
> Going wireless to wireless through a router will cause a 50% reduction
> in potential thruput. However, this may not be detrimental. If you
> get a good line of sight, strong signal, etc, half of whatever you are
> able to do on the link will still be faster than whatever your cable
> modem can deliver. (Notice how I left out all the numbers).
>
>>I can stand on the roof of either house with binoculars and almost see
>>just where I would mount the antenna on the other house. There is very
>>large (pepper, willow?) tree that blocks LOS. It has lots of small
>>leaves all year, but not so dense I can't partially see through it.
>>There are also a few palm trees to either side of LOS.

>
> Any way to mount an antenna so that you go around the tree?


Only with an ugly 'pissofftheneighbors' brand 30ft mast, or mounting a
passive repeater on a 60ft palm tree (scary, if not impossible to keep
aligned).

>It's
> difficult to judge how much a tree will interfere. My calculated
> guesswork is often off by several orders of magnitude. However, if
> you can see through the tree, you have a chance. That's a chance, not
> a guarantee. The problem will be that trees move. What works one
> day, may not work the next, or when it gets windy or rainy. Also, you
> can often get line of sight by going under the bottom branches of a
> tree. The lower branches are usually easy to trim.
>
>>I am thinking that a cantenna or dish pair might provide the link, with
>>the antennas mounted up on each roof. I'll probably build or buy one
>>cantenna so I can do a survey at each location first.

>
> I'm not a big fan of coffee can antennas, but they do work. Try it,
> but if possible, borrow a commercial dish or panel antenna.


>>I considered getting a second BEFW11S4 for LAN2, thinking it could talk
>>wirelessly to the first one, but I have been told they won't do that.


> That won't work. The BEFW11S4 does not support WDS, transparent
> bridging, or any form of point to point link.
>
>>I don't see anything in the settings about putting the router in AP client
>>mode, so maybe that is true.

>
> There's no setting. However, access point mode is easy. All you need
> to do is:
> 1. Ignore the WAN port.
> 2. Connect whatever to the LAN port.
> 3. Set the IP address so that it does NOT duplicate other routers on
> the LAN, but is in the same Class C IP address block.
> 4. Disable the DHCP server.
> That's it. Now you have an access point instead of a wireless router.
>

Yes, but the two routers are cabled together. Very useful for extending
a LAN in one building.

>
>>Next I looked at the WET11 for LAN2. I believe I would still need
>>something like a WAP11 or router too. The antenna location is not going
>>to be very close to the PCs so its either 50ft of LMR400 on the antenna
>>or the WET + WAP plus some CAT5.

>
> 50ft of LMR400 is possibly too much. That's about 3.4dB of coax loss
> plus about 1dB of connector loss. Half your power and sensitivity is
> lost in the coax. You can make it up with a bigger antenna, but
> there's a limit to how big is practical. 3dB is double the (aperture)
> size of the antenna.
>
>
>>Security questions:
>>I have read where the directional antenna makes it harder for local
>>eavesdropping.

>
>
> True. You have to be in the beam path to do anything disgusting. If
> the beam is 30ft off the ground, it's kinda hard to do. However, even
> the best antennas are rather wide and have side lobes. For example, a
> 24dBi dish antenna is about 6 degrees wide at -3dB beamwidth. At 1/2
> mile, that's a 330ft wide beam. You don't have to move back too far
> to hear that.
>
> The real advantage of highly directional antennas is an improved S/N
> ratio, which shows up as a speed increase. That can be due to a
> stronger signal, but also due to less interference from co-channel
> stations off to the side of the beam.
>
>
>>Are there any antennas or methods to eliminate everything
>>but the very narrow aperture? Most of the ones I have seen have pretty
>>wide radiation patterns.

>
>
> Not easily for 2.4GHz. As you go up in frequency, the beam width gets
> narrower. You can probably go optical with FSO (free space optics)
> and get a very narrow beam.
>

My initial reading on laser links suggested 1/2 mile was too much, but I
keep reading about some bozo with a $30 laser pointer who lit up the
cockpit of 747 from more than a mile away. This info does not match up.

>
>>Can the static routing function be used for this?

>
> I'm convinced that the static routing in the BEFW11S4v4 is broken.
> I've tried to use it to assign a static route on the WAN side to my
> DSL modem. It didn't work. It generated quite a thread in the
> DSLReports.com Linksys forum, which provided some suitable
> alternatives, but the bug is still there today.
>

Does static routing work on the '54G? Can you achieve client isolation
with this?

>>Does disabling DHCP on each LAN and using static IPs increase security?

>
> No. Hackers can sniff the traffic, extract the currently used IP
> address, and simply assign their own. No benefit at all.
>

I also see that with the latest firmware (BEFW11Sv0), I get MAC address
filtering for wireless clients. It is not clear if I get to restrict and
allow as described in the WRT54G manual, or if I just get restrict mode.
Since MAC address spoofing is so easy, is MAC filtering of no benefit as
well?

How is the WPA on the '54G? As implemented, is it really more secure
than WEP, and does it slow things down at all?

thanks again.

 

Jeff Liebermann
05-03-2005, 05:01 PM
On Tue, 03 May 2005 09:26:47 -0700, tns1 <(E-Mail Removed)> wrote:

>> That's not easy, but possible. The WRT54G stock Linksys firmware has
>> a misnamed feature called "access point isolation" which is really
>> client isolation.


>I am looking at the manual and I don't see this.


Look in the web based setup on the bottom of the Wireless -> Advanced
settings. It's called "AP Isolation".

Incidentally, don't read the manual. It will make your brain explode.

>I forgot about that. Ideally the security would not depend on PC SW,
>particularly windows. I'll certainly use what's there such as SW firewalls.


It depends on from whom you're trying to secure you files. If it's a
co-operative venture, such as a neighborhood WLAN, where you know
everyone involved, methinks passwords are sufficient. That's how I
have our neighborhood LAN setup. For W98/ME everyone can see everyone
else's shares, but they're not usable without a password. For XP,
W2K, and Linux (Samba), I have user level security set which requires
a login and password to view shares. No problems for about the last
year.

>I like it. With cox cable, extra IPs are $7 ea.


Nice. SBC DSL costs about $20/month for 1500/256 Kbits/sec with one
dynamic IP address. However, if you want static, you have to take 5
IP addresses, which they treat as commercial, and raise the price to
about $65/month. Ask if that's static or dynamic. It doesn't really
matter for what you're doing, but it would be good to know.

>If I can get a reliable link set up, this
>seems like the way to go. Wouldn't a switch be better than a hub here?


Yes. Use a switch. The drawing was for my office setup. I
intentionally use a hub because I have a dedicated traffic monitor and
SNMP logger running on the hub. If it were a switch, I wouldn't see
any of the traffic to the other routers.

>Only with an ugly 'pissofftheneighbors' brand 30ft mast, or mounting a
>passive repeater on a 60ft palm tree (scary, if not impossible to keep
>aligned).


I have a 30ft mast on my roof. However, it's now only 20ft high
thanks to my latest failed experiments. Think of it this way... It's
cheaper and less ugly than a Rohn tower.

Passive radiators do NOT work. Same with periscope antennas. I can
work the numbers for you if you would like. I've designed, built, and
deployed them and strongly suggest you avoid considering them as
useful for 2.4GHz.

>My initial reading on laser links suggested 1/2 mile was too much, but I
>keep reading about some bozo with a $30 laser pointer who lit up the
>cockpit of 747 from more than a mile away. This info does not match up.


Most FSO stuff that's affordable and user buildable uses LED's, not
lasers. OSHA safety requirements prevent the use of concentrated
beams. So, they spread the laser light over perhaps a 1ft dia circle
and then reconcentrate it at the destination. This passes OSHA specs
and also prevents many types of interference.

The new green lasers are not that much brighter than infra-red when
measured with an optical pyrometer. However, your eye is much more
sensitive to the green light. Therefore, green lasers go much
farther.
http://www.thinkgeek.com/gadgets/lights/5a47/
http://www.thinkgeek.com/gadgets/lights/5a47/images/
http://www.thinkgeek.com/gadgets/lights/5a47/action/

>Does static routing work on the '54G?


I don't know. I haven't tried it yet. I will (eventually).

>Can you achieve client isolation
>with this?


No. There's no connection. Routing is done on layer 3. Client
isolation is done with bridging on layer 2. You can isolate clients
with creative and complex routing and ACL's, but it's much easier with
bridging. Static routes are mainly for connecting remote office IP
blocks on the LAN side.

>I also see that with the latest firmware (BEFW11Sv0), I get MAC address
>filtering for wireless clients. It is not clear if I get to restrict and
>allow as described in the WRT54G manual, or if I just get restrict mode.
>Since MAC address spoofing is so easy, is MAC filtering of no benefit as
>well?


V0 ?? What's that? MAC address filtering is used to allow or prevent
wireless connections. That will prevent an unauthorized user from
connecting, but will not offer any restrictions or filters for an
authorized client.

>How is the WPA on the '54G? As implemented, is it really more secure
>than WEP, and does it slow things down at all?


I hate to admit it, but I'm rather behind on the encryption thing.
Many of my clients have ancient wireless cards or drivers that do not
support WPA. Therefore, they tend to run WEP128. I run WEP64 in my
palatial office because I have a pile of Orinoco Silver cards that
only do 64 bit encryption.

The few times I've tested encryption performance on a WRT54G, I found
that any form of encryption slows things down about 10-15% (forgot
exact number) and that there was no repeatable difference in
performance between WEP and WPA. Please realize that WPA is exactly
the same RC4 cypher payload as WEP. The only difference is a more
secure key exchange protocol, which occupies very few packets or air
time and should not impact performance.


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
 

Floyd L. Davidson
05-03-2005, 06:23 PM
Jeff Liebermann <(E-Mail Removed)> wrote:
>On Tue, 03 May 2005 09:26:47 -0700, tns1 <(E-Mail Removed)> wrote:
>
>>Does static routing work on the '54G?

>
>I don't know. I haven't tried it yet. I will (eventually).


Yep, it works. However, I use third party firmware (Satori,
from Sveasoft) and do not configure routing with the web
interface. When I tried the web interface I found it extremely
frustrating, plus there is the habit of various web
options to clean out the route tables and reset them, so I try
to avoid the web interface entirely.

Command line configuration, however, has its own set of
problems, particularly in trying to figure out how to manually
set any particular option available via the web interface, and
how to make the configuration survive a reboot.

The WRT54G(S) routers are very flexible, but taking advantage
of it is not trivial.

>>Can you achieve client isolation
>>with this?

>
>No. There's no connection. Routing is done on layer 3. Client


Actually, depending on what you mean by "isolation", it can be
done. For protocols that are not routed, it can't be done. So,
for example Jeff had some folks using NetBEUI or something, and
apparently there was no way to affect that with routing.

However, for IP, you can isolate ranges of addresses. You just
route them off to somewhere else! That works because of the
hardware arrangement used by the WRT54G(S). Essentially the WAN
port is distinct from everything else. The LAN ports and the
Wireless are all connected to a bridge device and a vlan device.
The trick to simple isolation is, for IP addresses you want to
isolate, setting the route to the WAN port and use a LAN port to
actually connect to the unit.

Note that the bridge and vlan are command line configurable with
the third party firmware. I haven't figured out just exactly
what the "AP Isolation" option does though, and have no pressing
need to experiment with it, but it is clear that each LAN port
on the WRT54G(S) can be isolated individually, and can be either
routed or bridged to the others. As noted above, this is not
trivial... :-)

>isolation is done with bridging on layer 2. You can isolate clients
>with creative and complex routing and ACL's, but it's much easier with
>bridging. Static routes are mainly for connecting remote office IP
>blocks on the LAN side.



--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) (E-Mail Removed)
 

tns1
05-03-2005, 09:06 PM
Jeff Liebermann wrote:

> On Tue, 03 May 2005 09:26:47 -0700, tns1 <(E-Mail Removed)> wrote:
>
>
> Look in the web based setup on the bottom of the Wireless -> Advanced
> settings. It's called "AP Isolation".
>

OK. I don't actually have this unit. I was looking at the manual online.
When you say 'stock firmware', do you mean say the newer firmware no
longer supports this feature?

>
>>My initial reading on laser links suggested 1/2 mile was too much, but I
>>keep reading about some bozo with a $30 laser pointer who lit up the
>>cockpit of 747 from more than a mile away. This info does not match up.

>
> Most FSO stuff that's affordable and user buildable uses LED's, not
> lasers. OSHA safety requirements prevent the use of concentrated
> beams. So, they spread the laser light over perhaps a 1ft dia circle
> and then reconcentrate it at the destination. This passes OSHA specs
> and also prevents many types of interference.
>

I found the Ronja project. Amazing what can be done with lots of time.
The parts may be cheap, but it would cost at least a month of lost
wages. I'll wait until there is an FPGA version.

> The new green lasers are not that much brighter than infra-red when
> measured with an optical pyrometer. However, your eye is much more
> sensitive to the green light. Therefore, green lasers go much
> farthur.

So you're saying a green laser isn't any better for FSO, it just looks
like it is. I don't intend to use retinas as detectors (too slippery to
mount).

> http://www.thinkgeek.com/gadgets/lights/5a47/
> http://www.thinkgeek.com/gadgets/lights/5a47/images/
> http://www.thinkgeek.com/gadgets/lights/5a47/action/


The visible beam is impressive, but would not go over well in a
residential area. I would be the 1st to complain - no neon signs etc.
For that same reason visible LEDs are less desirable.

I do like the possibility of 'drilling' through my problem foliage. A
selective trimming would be much easier to do for a laser. The green
laser could help for alignment of a less visible laser link.

>
>
>>I also see that with the latest firmware (BEFW11Sv0), I get MAC address
>>filtering for wireless clients. It is not clear if I get to restrict and
>>allow as described in the WRT54G manual, or if I just get restrict mode.
>>Since MAC address spoofing is so easy, is MAC filtering of no benefit as
>>well?

>
>
> V0 ?? What's that?

Pre-version 1, my notation for the old model I have.

> MAC address filtering is used to allow or prevent
> wireless connections. That will prevent an unauthorized user from
> connecting, but will not offer any restrictions or filters for an
> authorized client.
>

So would this at least require extra work on the part of an eavesdropper,
or are you figuring they have sniffed out IP, SSID, MAC, keys, etc. already?


 

tns1
05-03-2005, 09:23 PM
Floyd L. Davidson wrote:

> Jeff Liebermann <(E-Mail Removed)> wrote:
>
>>On Tue, 03 May 2005 09:26:47 -0700, tns1 <(E-Mail Removed)> wrote:
>>
>>
>>>Does static routing work on the '54G?

>>
>>I don't know. I haven't tried it yet. I will (eventually).

>
>
> Yep, it works. However, I use third party firmware (Satori,
> from Sveasoft) and do not configure routing with the web
> interface. When I tried the web interface I found it extremely
> frustrating, plus there is the habit of various web
> options to clean out the route tables and reset them, so I try
> to avoid the web interface entirely.
>
> Command line configuration, however, has its own set of
> problems, particularly in trying to figure out how to manually
> set any particular option available via the web interface, and
> how to make the configuration survive a reboot.
>
> The WRT54G(S) routers are very flexible, but taking advantage
> of it is not trivial.
>
>
>>>Can you achieve client isolation
>>>with this?

>>
>>No. There's no connection. Routing is done on layer 3. Client

>
>
> Actually, depending on what you mean by "isolation", it can be
> done. For protocols that are not routed, it can't be done. So,
> for example Jeff had some folks using NetBEUI or something, and
> apparently there was no way to affect that with routing.
>
> However, for IP, you can isolate ranges of addresses. You just
> route them off to somewhere else! That works because of the
> hardware arrangement used by the WRT54G(S). Essentially the WAN
> port is distinct from everything else. The LAN ports and the
> Wireless are all connected to a bridge device and a vlan device.
> The trick to simple isolation is, for IP addresses you want to
> isolate, setting the route to the WAN port and use a LAN port to
> actually connect to the unit.

I am not sure. Does that mean the 'isolated' IP goes nowhere, or does it
mean it effectively comes in on the WAN side of the router with no
direct bridge to the other IPs? If so, what settings are you changing?
>
> Note that the bridge and vlan are command line configurable with
> the third party firmware. I haven't figured out just exactly
> what the "AP Isolation" option does though, and have no pressing
> need to experiment with it, but it is clear that each LAN port
> on the WRT54G(S) can be isolated individually,

Including each wireless client too?

> and can be either
> routed or bridged to the others. As noted above, this is not
> trivial... :-)
>

Thanks, but it sounds like a pain-in-the-butt.
 
Jeff Liebermann
Guest
Posts: n/a

 
      05-04-2005, 05:22 AM
On Tue, 03 May 2005 14:06:39 -0700, tns1 <(E-Mail Removed)> wrote:

>OK. I don't actually have this unit. I was looking at the manual online.
>When you say 'stock firmware', do you mean say the newer firmware no
>longer supports this feature?


The Linksys official 3.03.something firmware has "AP Isolation" on the
Wireless -> Advanced page. However, I just noticed that Sveasoft
Satori 4.0.something firmware, has this setting missing. Satori
Alchemy firmware has "AP Isolation". HyperWRT apparently lacks "AP
Isolation".

>I found the Ronja project. Amazing what can be done with lots of time.
>The parts may be cheap, but it would cost at least a month of lost
>wages. I'll wait until there is an FPGA version.


http://ronja.twibright.com/main.php

Well, if you want cheap, take a pair of ethernet to 10baseFL media
converters. Attach a pair of fiber cables at each end. Connect to
some do it thyself optics to spread the beam and collimate it. That's
4 sets of lenses so this is mostly an optical and mechanical project.
I've built a few of these which worked well to about 1000ft. I don't
think they would make it to a mile without additional power. The big
problem is that the lenses focus the light to the end of a fiber with
a 62.5nm diameter. That makes lens alignment extremely critical. See:
http://www.plaintree.com
for a commercial version.

>So you're saying a green laser isn't any better for FSO, it just looks
>like it is.


Something like that. Green will be blocked by fog while infra-red
sorta works.

>> V0 ?? What's that?

>Pre-version 1, my notation for the old model I have.


Oh. Got it. I'm not sure what's the correct notation for the first
release.

Incidentally, it's easy to recognize a programmer in a crowd. Ask
everyone to count to 10. The programmer will start at zero. Everyone
else will start at one.

>So would this at least require extra work on the part of an eavesdropper,
>or are you figuring they have sniffed out IP, SSID, MAC, keys, etc. already?


Well, I'm not going to give a tutorial on how to break into a wireless
system. Note that only the data payload is encrypted, but not the
headers. Therefore, an encrypted signal has the MAC, IP, and SSID
exposed, which can be obtained by decryption.

If there's MAC address filter engaged in the router, it will be
slightly more difficult to break in and select a valid MAC address.
It's easy enough to sniff the traffic for a while and extract a list
of authorized MAC addresses. Windoze is kinda stupid in that it uses
the MAC address in the registry, which may or may not be the same as
that of the wireless device. Anyway, MAC address spoofing is easy.
http://www.nthelp.com/NT6/change_mac_w2k.htm
http://www.klcconsulting.net/smac/


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
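Jeff's point that the header stays in the clear even when the payload is encrypted, as an added example that is not from the thread: a small decoder for the cleartext 802.11 MAC header of a WEP-protected data frame (the frame bytes and all MAC addresses are constructed for the example). It shows what a passive receiver reads with no key at all, and so why a MAC allow-list on the router adds no secrecy.

```python
"""Added example, not from the thread: decode the cleartext 802.11 header
of a WEP-protected data frame. The frame bytes are constructed by hand."""
import struct

FC_TYPE_DATA = 2
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40   # flags byte of Frame Control

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_data_frame(frame):
    """Return what a passive receiver reads from the header with no key at all."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 MAC header")
    fc, _duration, a1, a2, a3, seq_ctl = struct.unpack("<HH6s6s6sH", frame[:24])
    ftype, flags = (fc >> 2) & 0x3, fc >> 8
    to_ds, from_ds = bool(flags & FLAG_TO_DS), bool(flags & FLAG_FROM_DS)
    # Which address is which depends on the To-DS / From-DS bits.
    if to_ds and not from_ds:        # station -> access point
        roles = {"bssid": a1, "source": a2, "destination": a3}
    elif from_ds and not to_ds:      # access point -> station
        roles = {"destination": a1, "bssid": a2, "source": a3}
    else:                            # ad hoc (neither set) or WDS (both set)
        roles = {"addr1": a1, "addr2": a2, "addr3": a3}
    return {
        "type": "data" if ftype == FC_TYPE_DATA else "other",
        "protected": bool(flags & FLAG_PROTECTED),   # the "WEP" bit
        "sequence": seq_ctl >> 4,
        **{k: mac_str(v) for k, v in roles.items()},
        # Everything after the header (IV + ciphertext, which is where the
        # IP packet lives) is opaque without the key.
        "payload_len": len(frame) - 24,
    }

# Constructed frame: Frame Control 0x4108 little-endian = type data, subtype 0,
# flags To-DS | Protected. All MAC addresses are made up for this example.
AP_BSSID = bytes.fromhex("00065b112233")
STA_MAC = bytes.fromhex("000c41aabbcc")
WIRED_HOST = bytes.fromhex("00065b445566")
SAMPLE_FRAME = (struct.pack("<HH", 0x4108, 0x002C) + AP_BSSID + STA_MAC + WIRED_HOST
                + struct.pack("<H", 0x0150)                   # sequence 21, fragment 0
                + bytes.fromhex("a1b2c3d4") + bytes(40))      # 4-byte WEP IV/keyid + ciphertext

if __name__ == "__main__":
    for field, value in parse_data_frame(SAMPLE_FRAME).items():
        print(f"{field:>12}: {value}")
```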
 
frank
Guest
Posts: n/a

 
      05-04-2005, 01:46 PM
Some other ideas: cantennas can be mounted to attic eaves using bungee
cord; will blast through vinyl siding but not aluminum. I have used 2
facing each other for a 3 house jump. You can get your range just using
a single dish. I have surveyed a couple neighborhoods and normally can
find 4 or 5 wifi connections at over .5 mile. A cantenna directed back
at you should guarantee a link, but put the dish on the end with the
tree problem as it has a larger aperture to rebuild signal through moving
foliage. For the dish I avoided building a feed and used a Hawking 6dB
strapped over the existing feed; mine is a USB wifi adapter type but
they are also available as standalone antennas with a choice of
pigtails just like when ordering cantennas. The cantenna & wireless
router would help your security as you could hook a second router
downstream that would hide you from other clients on the main router.
If the second router is wireless, do not choose the same or adjacent channels.
You can also turn off DHCP on both routers and set IPs manually to a
nonstandard IP family (basically just don't use 0, 1 or 2 for the third
octet); now you won't issue IPs to strangers and their existing IP is
unlikely to be in your range.
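Frank's downstream-router suggestion, as an added example that is not from the thread: a toy model of a NATing second router (addresses constructed, with 192.168.37.0/24 standing in for the "nonstandard" third octet) to show which direction it actually isolates. NAT alone hides the inner LAN from the main router's clients; the outer LAN stays reachable from inside unless the second router also applies an egress rule.

```python
"""Added example, not from the thread: a toy model of the second, downstream
router frank suggests, to show which direction it actually isolates. All
addresses are constructed for the example."""
import ipaddress

MAIN_LAN = ipaddress.ip_network("192.168.1.0/24")    # main router: LAN1 plus wireless clients
MAIN_GW = ipaddress.ip_address("192.168.1.1")        # the main router itself (gateway, DNS)
INNER_LAN = ipaddress.ip_network("192.168.37.0/24")  # LAN2 behind the second router, "nonstandard" third octet
INNER_WAN_IP = ipaddress.ip_address("192.168.1.50")  # second router's uplink address as seen from LAN1

class DownstreamRouter:
    """Stateful NAT as a consumer router does it: inner hosts may open flows
    outward and receive the replies; nothing unsolicited is admitted.
    block_inner_to: networks inner hosts may not initiate to (an egress rule)."""
    def __init__(self, block_inner_to=()):
        self.block_inner_to = [ipaddress.ip_network(n) for n in block_inner_to]
        self.flows = set()   # (inner_src, outer_dst) pairs with an open session

    def forward(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src in INNER_LAN:                                   # outbound from LAN2
            if dst != MAIN_GW and any(dst in n for n in self.block_inner_to):
                return "DROP: egress policy"
            self.flows.add((src, dst))
            return f"FORWARD: source rewritten to {INNER_WAN_IP}"
        if dst == INNER_WAN_IP:                                # inbound to our uplink address
            if any(outer == src for _, outer in self.flows):
                return "FORWARD: reply to an open session"
            return "DROP: unsolicited"
        return "DROP: inner addresses are not reachable from outside"

def demo():
    stock = DownstreamRouter()
    results = {
        # A main-router wireless client probing a LAN2 host: hidden, as frank says.
        "lan1_to_lan2": stock.forward("192.168.1.77", "192.168.37.10"),
        # A LAN2 host reaching a LAN1 file server: a stock router lets this through...
        "lan2_to_lan1": stock.forward("192.168.37.10", "192.168.1.20"),
        "lan1_reply": stock.forward("192.168.1.20", "192.168.1.50"),
    }
    # ...so mutual isolation needs an egress rule on the second router as well,
    # while keeping the main router reachable as gateway and DNS.
    hardened = DownstreamRouter(block_inner_to=[MAIN_LAN])
    results["hardened_lan2_to_lan1"] = hardened.forward("192.168.37.10", "192.168.1.20")
    results["hardened_lan2_to_gw"] = hardened.forward("192.168.37.10", "192.168.1.1")
    results["hardened_lan2_to_internet"] = hardened.forward("192.168.37.10", "203.0.113.5")
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>26}: {verdict}")
```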

 
tns1
Guest
Posts: n/a

 
      05-04-2005, 03:43 PM
frank wrote:
> Some other ideas: cantennas can be mounted to attic eaves using bungee
> cord; will blast through vinyl siding but not aluminum. I have used 2
> facing each other for a 3 house jump. You can get your range just using
> a single dish. I have surveyed a couple neighborhoods and normally can
> find 4 or 5 wifi connections at over .5 mile. A cantenna directed back
> at you should guarantee a link, but put the dish on the end with the
> tree problem as it has a larger aperture to rebuild signal through moving
> foliage. For the dish I avoided building a feed and used a Hawking 6dB
> strapped over the existing feed; mine is a USB wifi adapter type but
> they are also available as standalone antennas with a choice of
> pigtails just like when ordering cantennas.


OK. It just clicked that one dish may be enough. I do have a small
DirecTV dish with offset feed I could use, but wondered about
designing the feed. Seen any plans for this? I saw the Primestar dish
solution, which seems to have a better mount for a wifi feed, but that
dish is probably not available around here.

When you say you just strapped on your AP, was this just taped on? Any
particular orientation? What model did you use?

Both of the laptops I might use for survey work have the antennas built
into the case somewhere, but I do have a spare WPC11 wireless pccard. Do
you think I could hold the laptop up so the wireless card antenna was
close to the feed and see results?

> The cantenna & wireless
> router would help your security as you could hook a second router
> downstream that would hide you from other clients on the main router.
> If the second router is wireless, do not choose the same or adjacent channels.
> You can also turn off DHCP on both routers and set IPs manually to a
> nonstandard IP family (basically just don't use 0, 1 or 2 for the third
> octet); now you won't issue IPs to strangers and their existing IP is
> unlikely to be in your range.

 