On 8/12/05, John Benjamin <john at thebenjs dot com> wrote:
> I have a Soekris net4511 set up as a wireless access point (LAN -> wi0:
> 192.168.89.1) and wired to another router as the WAN (WAN -> sis0:
> 192.168.1.67). I am not using the eth1 port.
> When I connected wirelessly and was given a 192.168.89.x address, I was
> able to browse the Local area lan in the 192.168.1.x subnet. I need to have
> wireless clients only be able to get to the internet (e.g., 192.168.89.x ->
> 192.168.89.1 -> 192.168.1.1 -> Internet) and not be able to see any other
> machines or addresses on the 192.168.1.x subnet.
Add a rule on the wireless interface to deny IP all source any,
destination 192.168.1.0/24, above the permit any any default rule.
> Is this what the "block private ip" setting is for?
No, that blocks inbound requests on the WAN sourced from private IP
space, which should never be seen on the Internet.
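
Added example, not part of the original thread: a small first-match rule evaluator that shows why the deny rule has to sit above the permit any any rule on the wireless interface. It assumes the firewall stops at the first matching rule (implied by "above" in the reply); the client, LAN host and Internet addresses are constructed sample values.

```python
import ipaddress

ANY = "0.0.0.0/0"

# Rules on the wireless interface as (action, source, destination).
# Assumption: evaluated top to bottom, first match wins.
FIXED = [
    ("deny", ANY, "192.168.1.0/24"),  # wired LAN behind the WAN port
    ("permit", ANY, ANY),             # default permit any any
]
# Same rules with the deny below the permit: the deny is never reached.
MISORDERED = [FIXED[1], FIXED[0]]

# Constructed destinations a wireless client might try to reach.
TARGETS = {
    "192.168.1.50": "host on the wired LAN",
    "192.168.1.1": "upstream router's own address (e.g. its DNS proxy)",
    "203.0.113.10": "Internet host (documentation address)",
}


def evaluate(rules, src, dst):
    """Return the action of the first rule matching src/dst; deny if none match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"


def audit(rules, client="192.168.89.20"):
    """Map each sample destination to the action the rule set gives it."""
    return {dst: evaluate(rules, client, dst) for dst in TARGETS}


if __name__ == "__main__":
    for name, rules in (("fixed", FIXED), ("misordered", MISORDERED)):
        print(name)
        for dst, action in audit(rules).items():
            print(f"  192.168.89.20 -> {dst:<13} {action:<6} ({TARGETS[dst]})")
```

Internet-bound packets keep their Internet destination address while being forwarded through 192.168.1.1, so the deny rule does not touch them. Traffic addressed to 192.168.1.1 itself does match the deny, which matters if wireless clients are handed that address as their DNS server.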