wrote:
> Isolating the traffic on a single LAN with different subnets is not
> very easy. It is especially difficult when you have no control over
> the clients. If they turn off DHCP and assign themselves a static 172
> address then they become goodguys. Using {some freely and publicly
> available tools} they could quite trivially take over the m0n0
> gateway's MAC address and direct all LAN traffic via their laptop
> man-in-the-middle style - taking over the gateway with sufficient
> physical and logical access takes about 10 seconds... After which you
> can sniff all traffic and brute force/db lookup all the password
> hashes collected, etc etc.

thanx for the clarification. at first, i thought, well, it's my private net, i know the people i let in, and if they want to sniff on me, they'd rather steal my laptop. but then, after reminding myself that i wanted to add a wireless access point - you get the point(s). d'oh. definitely not the way to go.

> VLANs are not the answer. They reduce the collision domain and provide
> the ability to significantly increase port density in large networks.
> Any one can use packet rewriting software to insert the appropriate
> vlan tags/sniff from the wire.

yeah, thanx to you and Chris, i figured out this was another layer 8 problem on my side. ;-)

> It's probably easier to install another interface into your existing/a
> new m0n0, then all this goes away and becomes a simple interface-based
> firewall rule :)

how would i do that? i didn't find a mini PCI copper network card yet here in Germany. The WRAP board costs much anyway - though the high price is a relative thing if you consider the savings on electricity (over here in Germany, that is).

i will probably go for a 2 router setup and leave my WRAP for the fine net and DMZ. That way, the other people here can have a slight chance of knowing what's happening, when i'm not there / if i move out.

thanks a lot
Thomas
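As an added illustration of the two failure modes the quoted reply describes (a self-assigned static address that bypasses DHCP, and the gateway IP suddenly answering from a different MAC), here is a small passive audit over ARP observations. It is example code written for this page, not part of the thread or of m0n0wall; the addresses, the trusted gateway binding and the lease table are all constructed placeholders.

```python
"""Passive LAN-trust monitor (added example, not from the thread).

Walks constructed ARP observations (sender IP, sender MAC) and raises
findings for the two problems the reply above describes:
  * the gateway IP answering from a MAC other than the one on record
    (gateway takeover / man-in-the-middle);
  * a host using an address the DHCP server never leased
    (a self-assigned static address that bypasses DHCP).
All addresses below are constructed placeholders.
"""
from typing import Dict, List, Tuple

# Trusted binding recorded once by the operator: gateway IP -> MAC (constructed).
TRUSTED_GATEWAYS: Dict[str, str] = {"172.16.0.1": "00:0d:b9:aa:bb:cc"}

# Current DHCP leases: IP -> MAC (constructed).
DHCP_LEASES: Dict[str, str] = {
    "172.16.0.50": "00:11:22:33:44:55",
    "172.16.0.51": "66:77:88:99:aa:bb",
}

# Constructed ARP observations as (sender_ip, sender_mac), in capture order.
ARP_OBSERVATIONS: List[Tuple[str, str]] = [
    ("172.16.0.1", "00:0d:b9:aa:bb:cc"),   # legitimate gateway reply
    ("172.16.0.50", "00:11:22:33:44:55"),  # leased client, as expected
    ("172.16.0.77", "de:ad:be:ef:00:01"),  # static address, never leased
    ("172.16.0.1", "de:ad:be:ef:00:01"),   # gateway IP now claimed by that host
]


def audit_arp(observations, gateways=TRUSTED_GATEWAYS, leases=DHCP_LEASES):
    """Return a list of (severity, message) findings for the observations."""
    findings = []
    for ip, mac in observations:
        mac = mac.lower()
        if ip in gateways:
            if mac != gateways[ip].lower():
                findings.append(("critical",
                    f"gateway {ip} answered from {mac}, expected {gateways[ip]}"))
            continue
        if ip not in leases:
            findings.append(("warning", f"{ip} ({mac}) has no DHCP lease"))
        elif leases[ip].lower() != mac:
            findings.append(("warning",
                f"{ip} leased to {leases[ip]} but seen from {mac}"))
    return findings


if __name__ == "__main__":
    for severity, msg in audit_arp(ARP_OBSERVATIONS):
        print(f"[{severity}] {msg}")
```

Monitoring like this only alerts after the fact; the separate physical interface suggested in the reply is what actually removes the exposure.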