[Techtalk] Designing a Wireless Network

Rudy Zijlstra rudy at grumpydevil.homelinux.org
Tue Oct 16 08:31:53 UTC 2007


Kai MacTane wrote:
> Aiya, Elwing. Elen sila lumenn'omentielvo!
>   
I need to brush up my elven :)
> Elwing wrote:
>  >
>   
>> See if your WAP supports "bridged" mode.  It will basically no longer  
>> be a router, and will pass all traffic between the network segments.   
>> This has a few implications:
>> 1) you need a DHCP server on the network to serve the wireless  
>> devices (if necessary)
>>     
>
> Galadriel does DHCP, so that's no problem.
>
>   
>> 2) random sniffers/onlookers will have access to your wired network -  
>> which may or may not be desirable
>>     

This should not be a problem, as the AP will still support WPA(2)-PSK. 
Be aware though that with enough patience and enough traffic WPA(2) can 
be cracked....

>  > [snip]
>   
>> I personally use bridged mode on my WAP and assume that anyone on my  
>> internal network is malicious, so everything's protected.   YMMV  
>> according to your needs.
>>     
>
> That wouldn't really work for me, due to the presence of the Windows 
> machines. I need things to be nice and safe for them. However, given 
> Rudy Zijlstra's assertions, below, it might not be a problem. Can you 
> verify what he says?
>
>
> Rudy Zijlstra wrote:
>   
>> Reading this, i get the idea the wireless AP is giving out IP addresses.
>>     
>
> Yes, the WAP has its own built-in firmware NAT/ipmasq firewall and DHCP 
> server.
>
> For those who care, the WAP is a D-Link DI-624. Galadriel currently 
> gives out IPs in the 192.168.1.* range, and the D-Link (named "Tol 
> Eressea") gives out IPs in 192.168.2.*. Sorry, I should have included 
> those details.
>
>   
This is where your problems start. I've downloaded the user manual of 
that device, and it's targeted at a different use than you are using it 
for. It is a pure router, and its NAT function cannot be disabled.
>> If you can set the AP in bridged mode, then Galadriel would simply hand 
>> out IP addresses to them from the already existing pool of addresses.
>>     
>
> That would be nifty.
>
>   
>> WPA-PSK would still be handled by the AP. Those two are separate 
>> functions and no need to have them conflict. WPA-PSK(2) is a security 
>> protocol on 802.11 level. DHCP is independent.
>>     
>
> Okay, so the problems Elwing mentions are actually moot? A scanner or 
> sniffer doesn't get an 802.11 connection, because it has no WPA key, and 
> so it's unable to scan or sniff my Ethernet packets? (I'm mostly a 
> layer-3-and-higher guy.)
>   
True, up to a point.... If you are using WPA2 on all connecting PCs, 
then the likelihood is pretty small, as cracking that one is not easy. A 
determined cracker can break it though. It needs loads of information to 
do it though. To my understanding, on most home networks (with the 
traffic pattern of a normal home network), getting enough information to 
break the security will take several weeks of continuous sniffing.

> As it turns out, the string "bridg" doesn't occur anywhere in my WAP's 
> manual, so I suspect it doesn't support bridged mode. But *if* bridging 
> with WPA-PSK will stop scanners or sniffers, then it sounds like it'd 
> solve my problem, and I'd see if I can just buy a new WAP.
>
>   
For normal use, WPA(2) will stop the occasional sniffer. Simplest way 
out is to get a different WAP.  Take care before buying though....
Cannot give you a recommendation, as the type I am using is no longer sold.

Cheers,


Rudy
>                                                  --Kai MacTane
>   
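To make concrete what the thread means by "bridged mode with WPA-PSK still handled by the AP, DHCP independent", here is an added example of a hostapd configuration for a Linux box acting as the access point. It is not the D-Link DI-624's firmware (which, per Rudy, cannot be bridged) and not Rudy's own setup; the interface names wlan0/eth0/br0, the SSID and the passphrase are placeholders.

```conf
# Constructed example hostapd.conf for a bridged access point.
# Assumes br0 already exists and eth0 (the wired LAN) is enslaved to it,
# e.g. via:  ip link add br0 type bridge && ip link set eth0 master br0
# Interface names, SSID and passphrase are placeholders.

# The radio, and the bridge hostapd adds it to once the AP is up.
interface=wlan0
bridge=br0
driver=nl80211

ssid=TolEressea
hw_mode=g
channel=6

# Link-layer (802.11) security: WPA2-PSK only, CCMP, no TKIP fallback.
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-to-a-long-random-passphrase

# Optional: stop wireless clients from talking to each other directly.
ap_isolate=1

# Note the absence of any addressing or DHCP settings: hostapd never
# hands out IPs. Because wlan0 is bridged onto the wired segment, DHCP
# requests from wireless clients reach the existing LAN server unchanged.
```

The design point for Kai's situation: once bridged, every device that knows the PSK is on the same Ethernet segment as the Windows machines, so the PSK strength is what separates "scanner with no 802.11 association" from "full LAN peer"; `ap_isolate` only limits wireless-to-wireless traffic, not wireless-to-wired.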