William Reid wrote:
> Hi everyone,
>
> Here's my layout...
> Mono Details....
>
> 24.* on wan interface, 192.168.1.* on LAN interface, nothing special,
> a few port forwards for hosting games, and a few explicit blocks for
> traffic going out of the lan interface.
>
> what I'm trying to do is add a belkin 11 mbps wifi ap router to opti
> interface on its own segment so that wireless folks can piggy back
> off the wan interface, but not see my machines on the lan 192.168.1*
> range.
>
> here's the config details
>
> Opti IP: 192.169.1.1
> Wan IP on Belkin: 192.169.1.2
> Lan IP on Belkin: 192.170.0.1 (dhcp enabled)
>
> wifi clients can connect and get proper ip, dns and cannot access my
> lan range. but when trying to surf or anything else, the firewall is
> blocking the clients on the wifi range.
>
> i've tried adding rules to allow all traffic from the opti interface,
> but I'm guessing because the firewall is seeing traffic on the belkin
> using a different ip range than the opti ip range, it's blocking it?
>
> also tried enabling and disabling nat on the belkin as mono most
> likely handles it, but overall same results, tried bridging and same
> thing.
>
> any ideas?

I think you are trying the right things in the wrong order. This is how I would do it:

1. Put your OPT on a totally different subnet (I use 192.168.x.x for LAN and 172.16.x.x for OPT) - no bridging on OPT interface... Just for clarity and to avoid fat fingers... 192.168.x.x and 192.169.x.x are simple to get crossed...

2. Set Belkin to bridge/AP only (no routing) or you may just need to connect Belkin LAN interface directly to m0n0 OPT interface (i.e. don't use WAN). Give the Belkin LAN an IP in the 172.16.x.x subnet. I assume the AP/router has multiple ethernet interfaces (WAN and LAN x ?)... My Belkin AP has one ethernet interface - but it is not a router...

3. Disable Belkin DHCP - enable DHCP on m0n0wall OPT interface (use a range that excludes Belkin LAN).

4. Set a firewall rule on m0n0 to pass any traffic on OPT interface (from OPT subnet) to any destination NOT LAN subnet (check the NOT box).

OPT Rule Details:
Action: Pass
Interface: OPT
Protocol: any
Source: (do not check box) Type: OPT subnet
Source port range from: any to: any
Destination: not (check box) Type: LAN subnet
Destination port range from: any to: any
Log: only if you want to track where your wireless guests are going... I would log to remote if you check this...
Description: Default OPT -> Any (not LAN)

You will be using the Belkin like an access point. Wireless clients will get IP from m0n0 on 172.16.x.x subnet with m0n0's OPT IP as gateway and DNS (if DNS forwarding enabled). Firewall rule allows traffic from OPT subnet to anywhere except LAN subnet (i.e. Internet). LAN will be able to see OPT clients, unless you edit the default LAN rule destination to be "NOT OPT subnet"

_________________________________
James W. McKeand
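The following is an added example, not part of the thread and not m0n0wall's own code. It models the two rules James describes (the OPT rule with the Destination "not" box checked against LAN subnet, and the default LAN rule with and without a "NOT OPT subnet" destination) as a small first-match-wins evaluator, and runs a handful of constructed flows through it so you can see which direction is still open. The subnets 192.168.1.0/24 and 172.16.0.0/24, the host addresses, and the rule/function names are assumptions chosen for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subnets following the reply's suggested layout (not from the thread).
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")
OPT_SUBNET = ipaddress.ip_network("172.16.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    """One m0n0wall-style rule: matched on the interface the packet arrives on."""
    interface: str
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dst_not: bool = False          # the "not" checkbox next to Destination
    action: str = "pass"
    description: str = ""


def rule_matches(rule: Rule, interface: str,
                 src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    if rule.interface != interface:
        return False
    if src not in rule.src_net:
        return False
    in_dst = dst in rule.dst_net
    # "not" inverts only the destination test, exactly like the GUI checkbox.
    return (not in_dst) if rule.dst_not else in_dst


def evaluate(rules: list, interface: str, src: str, dst: str) -> str:
    """First matching rule wins; no match falls through to the implicit default block."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule_matches(rule, interface, src_ip, dst_ip):
            return rule.action
    return "block"


# Rule 4 from the reply: OPT subnet -> anything except LAN subnet.
OPT_RULE = Rule("OPT", OPT_SUBNET, LAN_SUBNET, dst_not=True,
                description="Default OPT -> Any (not LAN)")
# The stock default LAN rule (LAN subnet -> any), which still reaches OPT.
LAN_DEFAULT = Rule("LAN", LAN_SUBNET, ANY, description="Default LAN -> any")
# The edited LAN rule the reply mentions: LAN subnet -> anything except OPT subnet.
LAN_NOT_OPT = Rule("LAN", LAN_SUBNET, OPT_SUBNET, dst_not=True,
                   description="Default LAN -> any (not OPT)")

WIFI_CLIENT = "172.16.0.50"      # constructed: a wireless guest behind the Belkin
LAN_HOST = "192.168.1.20"        # constructed: one of William's LAN machines
INTERNET_HOST = "203.0.113.10"   # constructed: documentation-range address


def scenarios(lan_rule: Rule) -> dict:
    """Decision for each flow of interest under the OPT rule plus the given LAN rule."""
    rules = [OPT_RULE, lan_rule]
    return {
        "wifi -> internet": evaluate(rules, "OPT", WIFI_CLIENT, INTERNET_HOST),
        "wifi -> lan": evaluate(rules, "OPT", WIFI_CLIENT, LAN_HOST),
        "lan -> wifi": evaluate(rules, "LAN", LAN_HOST, WIFI_CLIENT),
        "lan -> internet": evaluate(rules, "LAN", LAN_HOST, INTERNET_HOST),
    }


if __name__ == "__main__":
    for label, lan_rule in (("stock LAN rule", LAN_DEFAULT),
                            ("LAN rule with NOT OPT subnet", LAN_NOT_OPT)):
        print(f"--- {label} ---")
        for flow, decision in scenarios(lan_rule).items():
            print(f"{flow:18} {decision}")
```

Running it shows the asymmetry James points out: with the OPT rule alone the wireless side can reach the Internet but not LAN, while LAN can still reach the wireless clients until the default LAN rule's destination is changed to "NOT OPT subnet". The same evaluator also makes William's original problem visible: a source of 192.170.x.x arriving on OPT would not be inside "OPT subnet" and so would never match the pass rule.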