 From:  A dot L dot M dot Buxey at lboro dot ac dot uk
 To:  Melvin Backus <melvin at sleepydragon dot net>
 Cc:  Robert Bialecki <robert at mpiwifi dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Firewall Quiestion
 Date:  Wed, 26 Jan 2005 20:28:23 +0000

> OK, think about it a little differently.  The WAN side of your m0n0, the 
> internet, is like the water line in your house.  Your m0n0 box is a 
> faucet.  All the lan machines are in the bath tub, and m0n0 can control 
> what gets into the tub, but how would you expect to keep the water in 
> one part of the tub from mixing with another part?  If you create 
> separate tubs, then you can do it, but in order to do that, you have 
> created separate lans.  VLANs might work if your equipment supports it, 
> or multiple interfaces on m0n0 would support it, but each machine would 
> have to be on a separate lan, otherwise, they all get to see everything 
> else.  By definition, only traffic which is on a different subnet goes 
> to the gateway (m0n0).  Everything else goes directly from machine to 
> machine.

Nice analogy.

What you can do (and something we've played with before on our main network)
is to 'break' the clients from seeing each other. This can be simply done by
sending them a network setup via DHCP which doesn't let them see each other
but does let them see the router (i.e. m0n0wall). This particular method simply
uses the netmask. Set at a suitable value, their machine 'works' but they can't talk
to others. I'm not sure if m0n0's DHCP settings allow the required settings
to be sent, but this is a way of doing what you ask.

Of course, as normal wireless APs are just hubs then there's no way of stopping
the clients sniffing the traffic with the correct tools... but they wouldn't
be doing trivial IP traffic connections as they are now.
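An added illustration of the netmask trick described in the reply above (example code, not from this thread or from m0n0wall): a short Python model that, for a constructed set of clients behind one router, shows which peers each client would still reach on-link for a given DHCP netmask, and which prefix lengths hide every peer. It assumes a hypothetical, strictly behaving client that only ARPs for addresses inside its own subnet and sends everything else to the default gateway; all addresses are made up.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: one router (m0n0wall) and four wireless clients that all
# sit in 192.168.1.0/24 when handed the usual /24 netmask.
GATEWAY = "192.168.1.1"
CLIENTS = ["192.168.1.10", "192.168.1.11", "192.168.1.20", "192.168.1.130"]


def subnet_of(host: str, mask: str) -> ipaddress.IPv4Network:
    """Subnet a client believes it is on; mask may be dotted or a prefix length."""
    return ipaddress.ip_network(f"{host}/{mask}", strict=False)


def isolation_report(clients: List[str], mask: str, gateway: str) -> Dict[str, dict]:
    """For each client: which peers it would reach directly (ARP, no gateway),
    and whether the gateway lies inside its subnet at all.

    Assumption (hypothetical strict client): a host only ARPs for addresses
    inside its own subnet and forwards everything else to the default gateway.
    """
    report = {}
    for host in clients:
        net = subnet_of(host, mask)
        direct = [p for p in clients if p != host and ipaddress.ip_address(p) in net]
        report[host] = {
            "direct_peers": sorted(direct, key=ipaddress.ip_address),
            "gateway_on_link": ipaddress.ip_address(gateway) in net,
        }
    return report


def isolating_prefixes(clients: List[str], gateway: str) -> Dict[int, bool]:
    """Prefix lengths under which no client sees any peer on-link, mapped to
    whether the gateway still sits inside every client's subnet."""
    found = {}
    for plen in range(33):
        rep = isolation_report(clients, str(plen), gateway)
        if all(not r["direct_peers"] for r in rep.values()):
            found[plen] = all(r["gateway_on_link"] for r in rep.values())
    return found


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.128", "255.255.255.255"):
        print(mask)
        for host, info in isolation_report(CLIENTS, mask, GATEWAY).items():
            print(f"  {host:14} direct={info['direct_peers']} gw_on_link={info['gateway_on_link']}")
    # For these addresses only /32 hides every peer, and it also hides the gateway:
    # the trick then depends on the client accepting an off-subnet default router.
    print(isolating_prefixes(CLIENTS, GATEWAY))
```

The last result is the practical caveat: a mask narrow enough to hide every neighbour also puts the router outside the client's subnet, so the method only works if the DHCP server can hand out such a netmask and the client tolerates a default gateway it cannot ARP for directly.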