[Techtalk] Designing a Wireless Network
Rudy Zijlstra
rudy at grumpydevil.homelinux.org
Tue Oct 16 08:31:53 UTC 2007
Kai MacTane wrote:
> Aiya, Elwing. Elen sila lumenn'omentielvo!
>
I need to brush up my elven :)
> Elwing wrote:
>
>> See if your WAP supports "bridged" mode. It will basically no longer
>> be a router, and will pass all traffic between the network segments.
>> This has a few implications:
>> 1) you need a DHCP server on the network to serve the wireless
>> devices (if necessary)
>
> Galadriel does DHCP, so that's no problem.
>
>> 2) random sniffers/onlookers will have access to your wired network -
>> which may or may not be desirable
>
This should not be a problem, as the AP will still support WPA(2)-PSK.
Be aware, though, that with enough patience and enough traffic WPA(2) can
be cracked...
> [snip]
>
>> I personally use bridged mode on my WAP and assume that anyone on my
>> internal network is malicious, so everything's protected. YMMV
>> according to your needs.
>
> That wouldn't really work for me, due to the presence of the Windows
> machines. I need things to be nice and safe for them. However, given
> Rudy Zijlstra's assertions, below, it might not be a problem. Can you
> verify what he says?
>
> Rudy Zijlstra wrote:
>
>> Reading this, i get the idea the wireless AP is giving out IP addresses.
>
> Yes, the WAP has its own built-in firmware NAT/ipmasq firewall and DHCP
> server.
>
> For those who care, the WAP is a D-Link DI-624. Galadriel currently
> gives out IPs in the 192.168.1.* range, and the D-Link (named "Tol
> Eressea") gives out IPs in 192.168.2.*. Sorry, I should have included
> those details.
>
This is where your problems start. I've downloaded the user manual of
that device, and it's targeted at a different use than you are using it
for. It is a pure router, and its NAT function cannot be disabled.
>> If you can set the AP in bridged mode, then Galadriel would simply hand
>> out IP addresses to them from the already existing pool of addresses.
>
> That would be nifty.
>
>> WPA-PSK would still be handled by the AP. Those two are separate
>> functions and no need to have them conflict. WPA-PSK(2) is a security
>> protocol on 802.11 level. DHCP is independent.
>
> Okay, so the problems Elwing mentions are actually moot? A scanner or
> sniffer doesn't get an 802.11 connection, because it has no WPA key, and
> so it's unable to scan or sniff my Ethernet packets? (I'm mostly a
> layer-3-and-higher guy.)
>
True, up to a point... If you are using WPA2 on all connecting PCs,
then the likelihood is pretty small, as cracking that one is not easy. A
determined cracker can break it though. It needs loads of information to
do it though. To my understanding, on most home networks (with the
traffic pattern of a normal home network), getting enough information to
break the security will take several weeks of continuous sniffing.
> As it turns out, the string "bridg" doesn't occur anywhere in my WAP's
> manual, so I suspect it doesn't support bridged mode. But *if* bridging
> with WPA-PSK will stop scanners or sniffers, then it sounds like it'd
> solve my problem, and I'd see if I can just buy a new WAP.
>
For normal use, WPA(2) will stop the occasional sniffer. The simplest way
out is to get a different WAP. Take care before buying though...
I cannot give you a recommendation, as the type I am using is no longer sold.
Cheers,
Rudy
> --Kai MacTane
>
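As an added example (not from this thread, and not Rudy's or Kai's setup): a Linux host configured as the kind of bridged WPA2-PSK access point discussed above, where the AP does neither NAT nor DHCP, so Galadriel keeps handing out addresses to wireless clients over the bridge and WPA2 is enforced purely at the 802.11 layer. hostapd as the AP daemon, the interface names (wlan0, eth0, br0) and the SSID/passphrase values are assumptions.

```shell
#!/bin/sh
# Added example, hypothetical host: Linux box as a bridged WPA2-PSK AP.
# Assumed: hostapd installed, wlan0 is the radio, eth0 faces the wired LAN
# on which the existing DHCP server (Galadriel in the thread) already runs.

# Emit a hostapd config for bridged mode: no routing, no NAT, no DHCP here.
# hostapd attaches wlan0 to br0 itself; wired and wireless become one L2 segment.
gen_hostapd_conf() {
    ssid="$1"
    passphrase="$2"
    cat <<EOF
interface=wlan0
bridge=br0
driver=nl80211
ssid=${ssid}
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=${passphrase}
EOF
}

# The offline attack Rudy alludes to is a dictionary/brute-force attack on the
# PSK, so passphrase strength is the mitigation. WPA-PSK passphrases must be
# 8..63 ASCII characters; this policy demands at least 20 (a constructed floor).
passphrase_ok() {
    len=${#1}
    [ "$len" -ge 20 ] && [ "$len" -le 63 ]
}

# Bridge commands, returned as text so they can be reviewed before running.
# ip_forward=0 makes explicit that this host does not route between segments.
bridge_cmds() {
    cat <<'EOF'
ip link add name br0 type bridge
ip link set dev eth0 master br0
ip link set dev br0 up
sysctl -w net.ipv4.ip_forward=0
EOF
}

# Usage (constructed SSID named after the thread's AP; passphrase is a sample):
# gen_hostapd_conf "TolEressea" "correct-horse-battery-staple-42" > /etc/hostapd/hostapd.conf
```

Because the AP bridges rather than routes, anyone who does obtain the PSK is on the wired segment directly, which is exactly Elwing's point 2 and why the passphrase check matters.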