Using a WAG354G as a wifi AP, with port range blocking

 
 
Peter

 
      10-16-2011, 10:51 AM
Hi,

I have for some time had this box working, as a simple ethernet-in
wifi AP.

The ethernet side connects to the home LAN.

Now I am trying to block ports 81-442 and 444-65535.

This is to prevent somebody (who has the WPA password, e.g. a guest in
our house) seeing the computers on the LAN. In particular I want to
block the Netbios ports c. 138.

I have done this successfully on a WRT54GC, but it took a huge amount
of fiddling. The two boxes are somewhat similar but not similar
enough.

The 54GC is running in a "Static IP" mode, with DHCP for the wifi
clients.

The 354G has been running in a "Bridge Mode Only" mode, without DHCP
(so the client IPs are allocated by the router on the LAN).

The 354G options are

Bridge Mode Only
RFC1483 Bridged
RFC1483 Routed
RFC2516 PPPOE
RFC2364 PPPOA

In Bridge Mode Only it works but I cannot get the access restrictions
to do anything at all. That part of the config is very similar to the
54GC one, which works OK.

Can anybody suggest anything I might be doing wrong?

Under the PCs, I have set up an IP range of 192.... 1 to 254 so every
possible wifi client should qualify for the block.

Many thanks...
 
 
 
 
 
Jon

 
      10-16-2011, 11:27 AM
Peter wrote...

>
> Hi,
>
> I have for some time had this box working, as a simple ethernet-in
> wifi AP.
>
> The ethernet side connects to the home LAN.
>
> Now I am trying to block ports 81-442 and 444-65535.
>
> This is to prevent somebody (who has the WPA password, e.g. a guest in
> our house) seeing the computers on the LAN. In particular I want to
> block the Netbios ports c. 138.
>
> I have done this successfully on a WRT54GC, but it took a huge amount
> of fiddling. The two boxes are somewhat similar but not similar
> enough.
>
> The 54GC is running in a "Static IP" mode, with DHCP for the wifi
> clients.
>
> The 354G has been running in a "Bridge Mode Only" mode, without DHCP
> (so the client IPs are allocated by the router on the LAN).
>
> The 354G options are
>
> Bridge Mode Only
> RFC1483 Bridged
> RFC1483 Routed
> RFC2516 PPPOE
> RFC2364 PPPOA
>
> In Bridge Mode Only it works but I cannot get the access restrictions
> to do anything at all. That part of the config is very similar to the
> 54GC one, which works OK.
>
> Can anybody suggest anything I might be doing wrong?
>
> Under the PCs, I have set up an IP range of 192.... 1 to 254 so every
> possible wifi client should qualify for the block.
>
> Many thanks...



Can't you just hide your computer on the network?



 
 
Peter

 
      10-16-2011, 01:13 PM

Jon <(E-Mail Removed)> wrote

>
>Can't you just hide your computer on the network?
>

How?

I do need to access it (and vice versa) from some other computers. All
are ethernet connected together.

I just want to have no network capability to any wifi connected
devices.

As I posted, I already have this working fine on the other wifi AP,
but can't get it working on the 354G. Whatever I do, it either blocks
everything, or apparently nothing.
 
 
Jon

 
      10-16-2011, 03:16 PM
Peter wrote...

>
> Jon <(E-Mail Removed)> wrote
>
> >
> >Can't you just hide your computer on the network?
> >

> How?



Depends upon your OS - there are several how-to's on the interweb. Dunno if it
works as I've not had a need to do it.

http://www.watchingthenet.com/hide-y...ndows-network-neighborhood.html

http://www.vistax64.com/tutorials/17...e-network.html

If I thought a visitor was poking into my pc - I'd cut the fucker's connection.



>
> I do need to access it (and vice versa) from some other computers. All
> are ethernet connected together.
>
> I just want to have no network capability to any wifi connected
> devices.
>
> As I posted, I already have this working fine on the other wifi AP,
> but can't get it working on the 354G. Whatever I do, it either blocks
> everything, or apparently nothing.



 
 
Phil W Lee

 
      10-16-2011, 07:55 PM
Peter <occassionally-(E-Mail Removed)> considered Sun, 16 Oct
2011 11:51:36 +0100 the perfect time to write:

>Hi,
>
>I have for some time had this box working, as a simple ethernet-in
>wifi AP.
>
>The ethernet side connects to the home LAN.
>
>Now I am trying to block ports 81-442 and 444-65535.
>
>This is to prevent somebody (who has the WPA password, e.g. a guest in
>our house) seeing the computers on the LAN. In particular I want to
>block the Netbios ports c. 138.
>
>I have done this successfully on a WRT54GC, but it took a huge amount
>of fiddling. The two boxes are somewhat similar but not similar
>enough.
>
>The 54GC is running in a "Static IP" mode, with DHCP for the wifi
>clients.
>
>The 354G has been running in a "Bridge Mode Only" mode, without DHCP
>(so the client IPs are allocated by the router on the LAN).
>
>The 354G options are
>
>Bridge Mode Only
>RFC1483 Bridged
>RFC1483 Routed
>RFC2516 PPPOE
>RFC2364 PPPOA
>
>In Bridge Mode Only it works but I cannot get the access restrictions
>to do anything at all. That part of the config is very similar to the
>54GC one, which works OK.
>
>Can anybody suggest anything I might be doing wrong?
>
>Under the PCs, I have set up an IP range of 192.... 1 to 254 so every
>possible wifi client should qualify for the block.
>
>Many thanks...


The problem you have is that you have put them all in the same subnet,
so there is no routing between them - they communicate directly with
each other on the same logical network.

Set up a different block of IP addresses for the dhcp Wifi clients,
with no routing between the two subnets.
Anything you use that does need to reach the local network can be
given an IP on the same subnet as the other private ones, either with
a dhcp reservation or by setting it on the client.
You can either do this by splitting the RFC1918 class C you're already
using into smaller subnets with CIDR ( /25 or /26 would be ok,
although you probably only need /29) or by adding another class C for
them to use.
 
 
Peter

 
      10-17-2011, 01:29 PM

Phil W Lee <(E-Mail Removed)> wrote:

>The problem you have is that you have put them all in the same subnet,
>so there is no routing between them - they communicate directly with
>each other on the same logical network.
>
>Set up a different block of IP addresses for the dhcp Wifi clients,
>with no routing between the two subnets.


OK, I get that, many thanks.

That explains why it works on one and not the other.

I still can't see why one cannot simply drop packets with specific
port numbers in them, however. You don't need different subnets for
that.

>Anything you use that does need to reach the local network can be
>given an IP on the same subnet as the other private ones, either with
>a dhcp reservation or by setting it on the client.
>You can either do this by splitting the RFC1918 class C you're already
>using into smaller subnets with CIDR ( /25 or /26 would be ok,
>although you probably only need /29) or by adding another class C for
>them to use.


I will enable the DHCP client on that AP and see if that makes the
packet filtering work.
 
 
Peter

 
      10-17-2011, 07:18 PM

Phil W Lee <(E-Mail Removed)> wrote

>Set up a different block of IP addresses for the dhcp Wifi clients,
>with no routing between the two subnets.


Problem: if the Bridge Mode Only is selected, the DHCP option is
greyed out.

Which of the others would you suggest?
 
 
Phil W Lee

 
      10-17-2011, 08:29 PM
Peter <(E-Mail Removed)> considered Mon, 17 Oct 2011 14:29:34
+0100 the perfect time to write:

>
> Phil W Lee <(E-Mail Removed)> wrote:
>
>>The problem you have is that you have put them all in the same subnet,
>>so there is no routing between them - they communicate directly with
>>each other on the same logical network.
>>
>>Set up a different block of IP addresses for the dhcp Wifi clients,
>>with no routing between the two subnets.

>
>OK, I get that, many thanks.
>
>That explains why it works on one and not the other.
>
>I still can't see why one cannot simply drop packets with specific
>port numbers in them, however. You don't need different subnets for
>that.


No, but you do need something to be routing between the Wifi and
ethernet segments (which examines and uses the header information in
the IP packets), rather than just bridging (which just throws
everything across).
>
>>Anything you use that does need to reach the local network can be
>>given an IP on the same subnet as the other private ones, either with
>>a dhcp reservation or by setting it on the client.
>>You can either do this by splitting the RFC1918 class C you're already
>>using into smaller subnets with CIDR ( /25 or /26 would be ok,
>>although you probably only need /29) or by adding another class C for
>>them to use.

>
>I will enable the DHCP client on that AP and see if that makes the
>packet filtering work.


Use a different subnet, like 192.168.2.n instead of 192.168.1.n, and
be careful how you set the default gateways.
If there's any firewall capability on the Wifi router, you can use
that to filter on port.
 
 
David Woodhouse

 
      10-18-2011, 07:49 AM
On Mon, 2011-10-17 at 21:29 +0100, Phil W Lee wrote:
> No, but you do need something to be routing between the Wifi and
> ethernet segments (which examines and uses the header information in
> the IP packets), rather than just bridging (which just throws
> everything across).


IP routing will examine and use the information in the IP headers, and
Ethernet bridging will examine and use the information in the Ethernet
headers.

In either case, firewalling and blocking selected traffic will involve
looking at *more* of the packet than would normally be necessary.

There's absolutely no reason why a bridge can't do filtering. See
http://ebtables.sourceforge.net/ for example.

I'm fairly sure the WAG354G runs OpenWRT, even if it doesn't support
ebtables out of the box. So it should be possible to set this up.

But really, I'd just ask the ISP for a new range of IP addresses to use
on the wireless side, and route it instead.

--
dwmw2
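
The bridge-level filtering described in the post above, sketched with ebtables as an added example that is not part of any post in this thread. It assumes a Linux-based AP with ebtables and its `ip` match available and a wireless bridge port named `wlan0` (both assumptions); the port ranges are the ones from the first post.

```shell
#!/bin/sh
# Added example: layer 2 (bridge) port filtering with ebtables.
# Assumptions, not from the thread: the wireless bridge port is wlan0
# and ebtables with the "ip" match is installed on the AP.

# Destination port ranges to block for traffic arriving from wifi clients.
BLOCKED_RANGES="81:442 444:65535"

# Print the ebtables commands for one wireless bridge port.
# Rules go in FORWARD (bridged frames) and match on the port the frame
# arrived on (-i), so wired-to-wired traffic is never touched.
emit_rules() {
    wifi_if=$1
    case $wifi_if in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    for proto in tcp udp; do
        for range in $BLOCKED_RANGES; do
            echo "ebtables -A FORWARD -i $wifi_if -p IPv4" \
                 "--ip-protocol $proto --ip-destination-port $range -j DROP"
        done
    done
}

# Return 0 if a frame from the wifi port to this destination port
# would be dropped by the rules above, 1 if it would be bridged.
is_blocked() {
    port=$1
    for range in $BLOCKED_RANGES; do
        lo=${range%%:*}; hi=${range##*:}
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# Dry run: show the rules, then the fate of a few well-known ports
# (DNS, HTTP, NetBIOS datagram, HTTPS, SMB, RDP).
emit_rules wlan0
for p in 53 80 138 443 445 3389; do
    if is_blocked "$p"; then echo "port $p: DROP"; else echo "port $p: bridged"; fi
done
```

Review the printed rules, then apply them as root with `emit_rules wlan0 | sh`. The `-p IPv4` match leaves IPv6 frames untouched, so those need rules of their own.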

 
 
Phil W Lee

 
      10-18-2011, 05:10 PM
David Woodhouse <(E-Mail Removed)> considered Tue, 18 Oct 2011
08:49:17 +0100 the perfect time to write:

>On Mon, 2011-10-17 at 21:29 +0100, Phil W Lee wrote:
>> No, but you do need something to be routing between the Wifi and
>> ethernet segments (which examines and uses the header information in
>> the IP packets), rather than just bridging (which just throws
>> everything across).

>
>IP routing will examine and use the information in the IP headers, and
>Ethernet bridging will examine and use the information in the Ethernet
>headers.
>
>In either case, firewalling and blocking selected traffic will involve
>looking at *more* of the packet than would normally be necessary.
>
>There's absolutely no reason why a bridge can't do filtering. See
>http://ebtables.sourceforge.net/ for example.


I know that - I've configured bridge filters since I was doing it to
keep netbeui traffic (yuk) off a mixed oslan/IP/IPX network with a
filter running on CP/M-86.
But you need the right hardware and software to do it, which seemed
unlikely in this scenario.
>
>I'm fairly sure the WAG354G runs OpenWRT, even if it doesn't support
>ebtables out of the box. So it should be possible to set this up.
>
>But really, I'd just ask the ISP for a new range of IP addresses to use
>on the wireless side, and route it instead.

 