 
 From:  Christian H Borrman <chb at orange dot net>
 To:  cbuechler at gmail dot com
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Beta 1.2b10
 Date:  Mon, 19 Sep 2005 10:45:10 +0100
Another point to add:

It is also worth noting that, with 1.2b7, the captive portal worked over WDS
as well. So, for example, wireless client A could be connected wirelessly to a
WRT54G, let's call it 192.168.0.4, which in turn was connected wirelessly via
WDS to WRT54G 192.168.0.3, which in turn was connected wirelessly to the
WRT54G 192.168.0.2 that was connected via its LAN port to m0n0. m0n0 would
assign DHCP over all those hops, pass the individual client MAC and IP on to
RADIUS, etc. The rest of the process worked the same on 1.2b7; however, from
1.2b8 onwards, the first WRT54G would be authed (192.168.0.2, as below), and
anything connecting to any of the WRT54Gs, as well as all the other WRT54Gs
themselves, was allowed past the firewall once one user was authenticated.

Christian


-----Original Message-----
From: Christian H Borrman [mailto:chb at orange dot net] 
Sent: 19 September 2005 10:26
To: cbuechler at gmail dot com
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Beta 1.2b10

Hi Chris,

To the contrary, there have been quite a few reports of this, including a
couple of mine in response to others who had the same problem on moving from
1.2b7 to 1.2b8.

I do not immediately see how it is possible either; however, I have now had a
chance to try the standard WRT54G firmware, Sveasoft, and EWRT, all
replicating the same problem (all using the LAN port of the WRT54G!) on
1.2b8 to 1.2b10, while it used to work on 1.2b7.

The big difference, looking at logs, is that 1.2b7 behaved like this:

Let's assume the following set-up:

Wireless client A: IP 192.168.0.254 (assigned by DHCP on m0n0, via WRT54G),
assigned to MAC 00:00:00:00:c1
Wireless client B: IP 192.168.0.253 (assigned by DHCP on m0n0, via WRT54G),
assigned to MAC 00:00:00:00:c2
WRT54G connected via LAN port to m0n0wall: IP 192.168.0.2, static, MAC
00:00:00:00:a1
m0n0wall: 192.168.0.1, MAC not important

On 1.2b7 this would happen:

1) Wireless client A is assigned IP x.254 against MAC x:c1; wireless client
B as above
2) captive portal auth for IP x.254, MAC x:c1
3) firewall opened for IP x.254, MAC x:c1
4) client B the same, but IP x.253, MAC x:c2

After 1.2b8, the following happens:

1) Wireless client A is assigned IP x.254 against MAC x:c1; wireless client
B as above
2) captive portal auth for IP x.254, MAC x:c1
3) firewall opened for the IP and MAC of the WRT54G: IP x.2, MAC x:a1
4) client A, client B and anything else that connects to the WRT54G can now
get through, as the firewall is opened for the WRT, not the client, even
though these client details were passed by the captive portal, DHCP is still
assigning individual IPs against individual MACs, and the captive portal is
still passing on and authing individual MACs and IPs internally and via
RADIUS.

Now, at this point, just in case anyone was thinking of asking (again!)
whether we are using the LAN or WAN ports on the WRT54G: yes, it is the LAN
port of the WRT54G. If this were not the case, m0n0 would not be able to
assign DHCP addresses based on MACs on the WRT. Please do not ask this
question! m0n0 can assign DHCP properly to clients' individual MACs through
the WRT54G, and the captive portal can even pass this info on to RADIUS and
auth itself on individual client MACs, but for some reason the firewall is
then opened for the WRT54G after 1.2b8 and also with 1.2b10.

The only things we can think of are that:

1) something messed up on the move back to FreeBSD 4.11 in DHCP, the
firewall or the captive portal
2) the Ethernet ports on the Soekris are playing up (there were some reports
with 1.2b8 of MAC spoofing no longer working on WAN?)
3) (big) bugs that were fixed in the captive portal on the move from 1.2b7
to 1.2b8 opened up this issue

We can dig out logs I believe.

It is a shame because WDS on WRT54G is nothing short of amazing.

Best regards

Christian

-----Original Message-----
From: Chris Buechler [mailto:cbuechler at gmail dot com]
Sent: 19 September 2005 02:51
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Beta 1.2b10

On 9/18/05, Jack Pivac <email at delphinus dot co dot nz> wrote:
> Is that true for all AP's? I have a wireless AP plugged into my LAN 
> and monowall sees the MAC's for all the clients no sweat....
> 

Manuel and I have discussed this offlist and don't see how it's possible
that it's changed behavior on a bridged AP from one of the earlier 1.2 betas
to now.  I have a WRT54G, but haven't had time to try to replicate this yet.

This one report is the only thing we've heard of this.  It works fine for
everybody else.

-Chris

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
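The thread turns on one property of a captive portal: after a client authenticates, the firewall pass entry must be bound to that client's own IP and the MAC its DHCP lease was issued to, not to the access point in front of it, otherwise every station behind the AP rides on the first login. The following is an added example, not m0n0wall code and not anything posted in the thread: a small Python model of that per-client binding, an audit that flags a pass rule bound to the wrong host (the WRT54G instead of a client, or a MAC that does not match the lease), and a check for the LAN-port question Chris raises, i.e. whether the firewall actually sees the clients' own MACs behind the AP. The addresses follow the set-up in the thread; the MAC addresses, the neighbour tables and all function names are assumed placeholders, and the "post-1.2b8" rule is constructed to mirror the report, not derived from m0n0wall's internals.

```python
# Added example (not m0n0wall code): a model of the per-client captive-portal
# pass rule the thread describes, plus two checks for the failure it reports.
# Addresses follow the thread's set-up; the MACs, neighbour tables and function
# names are assumed placeholders, not m0n0wall's internals.
from dataclasses import dataclass


@dataclass(frozen=True)
class PassRule:
    """One firewall pass entry opened by the captive portal."""
    ip: str
    mac: str


# Constructed sample data mirroring the thread's topology.
M0N0_IP = "192.168.0.1"
AP_IP, AP_MAC = "192.168.0.2", "00:00:00:00:00:a1"   # WRT54G, bridged via its LAN port
DHCP_LEASES = {                                      # client IP -> MAC, as handed out by m0n0
    "192.168.0.254": "00:00:00:00:00:c1",            # wireless client A
    "192.168.0.253": "00:00:00:00:00:c2",            # wireless client B
}
# Neighbour (ARP) table as the firewall sees it when the AP bridges: the
# clients' own MACs arrive on the LAN interface alongside the AP's own.
ARP_BRIDGED = {AP_IP: AP_MAC, **DHCP_LEASES}
# ...and when the AP routes instead: only the AP's own address is ever seen.
ARP_ROUTED = {AP_IP: AP_MAC}


def open_for_client(ip, leases):
    """1.2b7-style behaviour: bind the pass rule to the authenticated client's
    own IP and to the MAC its DHCP lease was issued to."""
    if ip not in leases:
        raise KeyError(f"{ip} has no DHCP lease; refuse to open the firewall")
    return PassRule(ip, leases[ip])


def is_allowed(rules, ip, mac):
    """Firewall decision: a packet passes only if both its source IP and its
    source MAC match an open rule, so a second client behind the same AP
    cannot ride on the first client's authentication."""
    return PassRule(ip, mac) in rules


def audit(rules, leases, infrastructure_ips):
    """Flag pass rules that are not bound to an individual client: either the
    rule names an infrastructure device (the AP itself) or its MAC is not the
    one the DHCP lease for that IP was issued to. Returns [(rule, reason)]."""
    findings = []
    for rule in sorted(rules, key=lambda r: r.ip):
        if rule.ip in infrastructure_ips:
            findings.append((rule, "bound to an infrastructure device, not a client"))
        elif leases.get(rule.ip) != rule.mac:
            findings.append((rule, "MAC does not match the DHCP lease for this IP"))
    return findings


def unbridged_clients(leases, arp):
    """Client IPs whose MAC in the neighbour table is missing or differs from
    their lease MAC: their frames reach the firewall with another device's
    MAC (or not at all), which is what an AP on its WAN/routed port does."""
    return sorted(ip for ip, mac in leases.items() if arp.get(ip) != mac)


if __name__ == "__main__":
    # Per-client binding: only client A is let through after A authenticates.
    rules = {open_for_client("192.168.0.254", DHCP_LEASES)}
    print("A allowed:", is_allowed(rules, "192.168.0.254", "00:00:00:00:00:c1"))
    print("B allowed:", is_allowed(rules, "192.168.0.253", "00:00:00:00:00:c2"))
    print("audit of per-client rules:", audit(rules, DHCP_LEASES, {AP_IP}))
    # The post-1.2b8 state as reported: the rule names the WRT54G instead.
    bad_rules = {PassRule(AP_IP, AP_MAC)}
    for rule, reason in audit(bad_rules, DHCP_LEASES, {AP_IP}):
        print(f"audit: {rule.ip}/{rule.mac}: {reason}")
    # Is the AP actually bridging? (the LAN-port question in the thread)
    print("unbridged clients (LAN port):", unbridged_clients(DHCP_LEASES, ARP_BRIDGED))
    print("unbridged clients (WAN port):", unbridged_clients(DHCP_LEASES, ARP_ROUTED))
```

Run stand-alone it prints the per-client decisions, one audit finding for the AP-bound rule, and an empty list for the bridged neighbour table against both client IPs for the routed one. Against a real box the same two checks are what to collect: the captive portal's pass table next to the DHCP lease file, and the ARP table on the LAN interface next to the same leases; a client whose IP is leased but whose MAC never appears in ARP is behind a routing AP, whatever port label is on the case.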