 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] WAN private subnet
 Date:  Sat, 13 Aug 2005 13:38:20 -0400
On 8/12/05, John Benjamin <john at thebenjs dot com> wrote:
> I have a soekris net4511 set up as a wireless access point (LAN -> wi0:
> 192.168.89.1) and wired to another router as the WAN (WAN -> sis0:
> 192.168.1.67).  I am not using the eth1 port.
> 
>  When I connected wirelessly and was given a 192.168.89.x address, I was
> able to browse the Local area lan in the 192.168.1.x subnet.  I need to have
> wireless clients only be able to get to the internet (e.g., 192.168.89.x ->
> 192.168.89.1 -> 192.168.1.1 -> Internet) and not be able to see any other
> machines or addresses on the 192.168.1.x subnet.
> 

Add a rule on the wireless interface to deny IP all source any,
destination 192.168.1.0/24, above the permit any any default rule.


>  Is this what the "block private ip" setting is for?
> 

No, that blocks inbound requests on the WAN sourced from private IP
space, which should never be seen on the Internet.

-Chris
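
The rule placement described in the reply above, as an added example that is not part of the original message or m0n0wall's own code: a small first-match evaluator showing why the deny for 192.168.1.0/24 has to sit above the permit-any rule. First-match evaluation and the default-deny fallthrough are assumptions of this model, and the probe addresses are constructed.

```python
import ipaddress

# Constructed model of the wireless-interface rule list (source "any", as in the reply).
DENY_WAN_SUBNET = ("block", ipaddress.ip_network("192.168.1.0/24"))
PERMIT_ANY = ("pass", ipaddress.ip_network("0.0.0.0/0"))

CORRECT = [DENY_WAN_SUBNET, PERMIT_ANY]      # deny above the permit, as advised
MISORDERED = [PERMIT_ANY, DENY_WAN_SUBNET]   # deny below the permit

# Constructed probes: a LAN host, the upstream router, an Internet host
# (documentation range), and the access point's own wireless address.
PROBES = ["192.168.1.50", "192.168.1.1", "203.0.113.10", "192.168.89.1"]


def evaluate(rules, dst):
    """Return the action of the first rule whose destination contains dst.
    Falls through to "block" when nothing matches (assumed default deny)."""
    addr = ipaddress.ip_address(dst)
    for action, net in rules:
        if addr in net:
            return action
    return "block"


def shadowed(rules):
    """List rules that can never match because an earlier rule already
    covers their whole destination network."""
    dead = []
    for i, (action, net) in enumerate(rules):
        if any(net.subnet_of(prev) for _, prev in rules[:i]):
            dead.append((action, str(net)))
    return dead


def audit(rules):
    """Map each probe destination to the action the rule list gives it."""
    return {dst: evaluate(rules, dst) for dst in PROBES}


if __name__ == "__main__":
    for name, rules in (("correct", CORRECT), ("misordered", MISORDERED)):
        print(name, audit(rules), "shadowed:", shadowed(rules))
```

Internet-bound packets carry the remote host's address as their destination, not 192.168.1.1, so they still pass; only traffic addressed to the 192.168.1.x hosts themselves (the upstream router included) is dropped.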