 From:  Christian H Borrman <chb at orange dot net>
 To:  cbuechler at gmail dot com
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Beta 1.2b10
 Date:  Mon, 19 Sep 2005 10:26:05 +0100
Hi Chris,

To the contrary, there have been quite a few reports of this, including a
couple of mine in response to others who had the same problem on moving from
1.2b7 to 1.2b8.

I do not immediately see how it is possible either, however I have now had a
chance to try the standard WRT54G firmware, Sveasoft, and EWRT, all
replicating the same problem (all using the LAN port of the WRT54G!) on
1.2b8 to 1.2b10, while it used to work on 1.2b7.

The big difference, looking at logs, is that 1.2b7 behaved like this:

Let's assume the following set-up:

Wireless client A: IP 192.168.0.254 (assigned by DHCP on m0n0, via WRT54G)
assigned to MAC 00:00:00:00:c1
Wireless client B: IP 192.168.0.253 (assigned by DHCP on m0n0, via WRT54G)
assigned to MAC 00:00:00:00:c2
WRT54G connected via LAN port to monowall: IP 192.168.0.2, static. MAC
00:00:00:00:a1
M0n0wall 192.168.0.1, MAC not important

On 1.2b7 this would happen:

1) Wireless client A is assigned IP x.254 against MAC x:c1, wireless client
B as above
2) captive portal auth for IP x.254, MAC x:c1
3) firewall opened for x.254, MAC x:c1
4) client B same but IP x.253, MAC x:c2

After 1.2b8 the following happens:

1) Wireless client A: assigned IP x.254 against MAC x:c1, wireless client B
as above
2) captive portal auth for IP x.254, MAC x:c1
3) firewall opened for IP and MAC of WRT54G x.2, MAC x:a1
4) client A, client B and anything else that connects to WRT54G can now get
through as firewall opened for WRT not client, even though these client
details were passed by captive portal, and DHCP still assigning individual
IPs against individual MACs, and captive portal still passing on and authing
individual MACs and IPs internally and via RADIUS.

Now, at this point, just in case anyone was now thinking of asking (again!)
whether we are using the LAN or WAN ports on WRT54G, yes it is the LAN port
of WRT54G: If this were not the case m0n0 would not be able to assign DHCP
addresses based on MACs on WRT. Please do not ask this question! m0n0 can
assign DHCP properly to clients' individual MACs through WRT54G, captive
portal can even pass this info on to RADIUS and auth itself on individual
client MACs, but for some reason the firewall is then opened for the WRT54G
after 1.2b8 and also with 1.2b10.

The only things we can think of are that:

1) something messed up on move back to FreeBSD 4.11 in DHCP, firewall,
captive portal
2) ethernet ports on Soekris playing up (there were some reports with 1.2b8
of MAC spoof no longer working on WAN?)
3) (big) bugs that were fixed in captive portal on move from 1.2b7 to 1.2b8
opened up this issue

We can dig out logs I believe.

It is a shame because WDS on WRT54G is nothing short of amazing.

Best regards

Christian

-----Original Message-----
From: Chris Buechler [mailto:cbuechler at gmail dot com] 
Sent: 19 September 2005 02:51
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Beta 1.2b10

On 9/18/05, Jack Pivac <email at delphinus dot co dot nz> wrote:
> Is that true for all APs? I have a wireless AP plugged into my LAN 
> and monowall sees the MACs for all the clients no sweat....
> 

Manuel and I have discussed this offlist and don't see how it's possible
that it's changed behavior on a bridged AP from one of the earlier 1.2 betas
to now.  I have a WRT54G, but haven't had time to try to replicate this yet.

This one report is the only thing we've heard of this.  It works fine for
everybody else.

-Chris
