[Techtalk] Designing a Wireless Network

Kai MacTane kmactane at gothpunk.com
Tue Oct 16 03:38:32 UTC 2007 

Aiya, Elwing. Elen sila lumenn'omentielvo!

Elwing wrote:
 >
> See if your WAP supports "bridged" mode.  It will basically no longer  
> be a router, and will pass all traffic between the network segments.   
> This has a few implications:
> 1) you need a DHCP server on the network to serve the wireless  
> devices (if necessary)

Galadriel does DHCP, so that's no problem.

> 2) random sniffers/onlookers will have access to your wired network -  
> which may or may not be desirable
 > [snip]
> I personally use bridged mode on my WAP and assume that anyone on my  
> internal network is malicious, so everything's protected.   YMMV  
> according to your needs.

That wouldn't really work for me, due to the presence of the Windows 
machines. I need things to be nice and safe for them. However, given 
Rudy Zijlstra's assertions, below, it might not be a problem. Can you 
verify what he says?


Rudy Zijlstra wrote:
> Reading this, i get the idea the wireless AP is giving out IP addresses.

Yes, the WAP has its own built-in firmware NAT/ipmasq firewall and DHCP 
server.

For those who care, the WAP is a D-Link DI-624. Galadriel currently 
gives out IPs in the 192.168.1.* range, and the D-Link (named "Tol 
Eressea") gives out IPs in 192.168.2.*. Sorry, I should have included 
those details.

> If you can set the AP in bridged mode, then Galadriel would simply hand 
> out IP addresses to them from the already existing pool of addresses.

That would be nifty.

> WPA-PSK would still be handled by the AP. Those two are separate 
> functions and no need to have them conflict. WPA-PSK(2) is a security 
> protocol on 802.11 level. DHCP is independent.

Okay, so the problems Elwing mentions are actually moot? A scanner or 
sniffer doesn't get an 802.11 connection, because it has no WPA key, and 
so it's unable to scan or sniff my Ethernet packets? (I'm mostly a 
layer-3-and-higher guy.)

As it turns out, the string "bridg" doesn't occur anywhere in my WAP's 
manual, so I suspect it doesn't support bridged mode. But *if* bridging 
with WPA-PSK will stop scanners or sniffers, then it sounds like it'd 
solve my problem, and I'd see if I can just buy a new WAP.

                                                 --Kai MacTane
----------------------------------------------------------------------
"I'm terrified, intoxicated, starry-eyed and bollock naked,
  Child-bearing, adult-rated, and thoroughly re-educated..."
                                                 --Carter USM,
                                                  "Re-Educating Rita"

More information about the Techtalk mailing list