 
 From:  "Jonathan De Graeve" <Jonathan dot De dot Graeve at imelda dot be>
 To:  "Christian H Borrman" <chb at orange dot net>, <cbuechler at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Beta 1.2b10
 Date:  Mon, 19 Sep 2005 11:56:12 +0200
Use the arp table in 1.2b10 to investigate further

J.

---------
Always read the manual for the correct way to do things because the
number of incorrect ways to do things is almost infinite
---------

-----Original Message-----
From: Christian H Borrman [mailto:chb at orange dot net]
Sent: Monday 19 September 2005 11:45
To: cbuechler at gmail dot com
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Beta 1.2b10

Another point to add:

It is also worth noting that, with 1.2b7 the captive portal worked over WDS as well. So for example, wireless client A could be connected to a wrt54g wirelessly, let's call it 192.168.0.4, which in turn was connected wirelessly via WDS to wrt54g 192.168.0.3, which in turn was connected wirelessly to the wrt54g 192.168.0.2 that was connected via LAN port to m0n0. m0n0 would assign DHCP over all those hops, pass the individual client MAC and IP on to radius, etc. The rest of the process worked the same on 1.2b7; however, on 1.2b8 onwards, the first WRT54G would be authed (192.168.02 as below), and, as below, anything connecting to any of the WRT54Gs as well as all the other WRT54Gs themselves were allowed past the firewall once one user was authenticated.

Christian


-----Original Message-----
From: Christian H Borrman [mailto:chb at orange dot net] 
Sent: 19 September 2005 10:26
To: cbuechler at gmail dot com
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Beta 1.2b10

Hi Chris,

To the contrary, there have been quite a few reports of this, including a couple of mine in response to others who had the same problem on moving from 1.2b7 to 1.2b8.

I do not immediately see how it is possible either; however, I have now had the chance to try the standard WRT54G firmware, Sveasoft, and EWRT, all replicating the same problem (all using the LAN port of the WRT54G!) on 1.2b8 to 1.2b10, while it used to work on 1.2b7.

The big difference, looking at logs, is that 1.2b7 behaved like this:

Let's assume the following set-up:

Wireless client A: IP 192.168.0.254 (assigned by DHCP on m0n0, via WRT54G), assigned to MAC 00:00:00:00:c1
Wireless client B: IP 192.168.0.253 (assigned by DHCP on m0n0, via WRT54G), assigned to MAC 00:00:00:00:c2
WRT54G connected via LAN port to m0n0wall: IP 192.168.0.2, static, MAC 00:00:00:00:a1
M0n0wall: 192.168.0.1, MAC not important

On 1.2b7 this would happen:

1) Wireless client A is assigned IP x.254 against MAC x:c1, wireless client B as above
2) captive portal auth for IP x:254, mac x:c1
3) firewall opened for x:254, mac x:c1
4) client B same but IP x.253, MAC x:c2

After 1.2b8 the following happens:

1) Wireless client A: assigned IP x.254 against MAC x:c1, wireless client B as above
2) captive portal auth for IP x:254, mac x:c1
3) firewall opened for IP and MAC of WRT54G x:2, mac x:a1
4) client A, client B and anything else that connects to the WRT54G can now get through, as the firewall is opened for the wrt, not the client, even though these client details were passed by captive portal, dhcp is still assigning individual IPs against individual MACs, and captive portal is still passing on and authing individual MACs and IPs internally and via Radius.

Now, at this point, just in case anyone was thinking of asking (again!) whether we are using the LAN or WAN ports on the wrt54g: yes, it is the LAN port of the WRT54G. If this were not the case m0n0 would not be able to assign dhcp addresses based on MACs on the wrt. Please do not ask this question! m0n0 can assign DHCP properly to clients' individual MACs through the wrt54g, captive portal can even pass this info on to radius and auth itself on individual client MACs, but for some reason the firewall is then opened for the WRT54G after 1.2b8 and also with 1.2b10.

The only things we can think of are that:

1) something messed up on the move back to FreeBSD 4.11 in dhcp, firewall, captive portal
2) ethernet ports on the Soekris playing up (there were some reports with 1.2b8 of MAC spoof no longer working on WAN?)
3) (big) bugs that were fixed in captive portal on the move from 1.2b7 to 1.2b8 opened up this issue

We can dig out logs I believe.

It is a shame because WDS on WRT54G is nothing short of amazing.

Best regards

Christian
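
The failure Christian describes above (the pass-through rule ending up keyed to the WRT54G's MAC rather than the wireless client's) is exactly what a cross-check of the DHCP lease table against the ARP table would surface, in the spirit of Jonathan's suggestion to use the 1.2b10 ARP table. The following is an added Python illustration of such a check; it is not m0n0wall code. The `arp -an`-style lines, the interface name `sis0` and the six-octet MAC addresses are constructed assumptions (the thread abbreviates MACs to five octets), and the two ARP tables model the "healthy" and "collapsed" cases from the thread.

```python
import re

# Constructed DHCP leases (ip -> mac) matching the thread's scenario; the
# six-octet MACs are an assumption, the thread abbreviates them to five.
DHCP_LEASES = {
    "192.168.0.254": "00:00:00:00:00:c1",  # wireless client A
    "192.168.0.253": "00:00:00:00:00:c2",  # wireless client B
}

# Constructed ARP table in the shape of FreeBSD `arp -an` output (assumed
# format; `sis0` is an assumed interface name). Case 1: the bridge passes the
# clients' own MACs through, so every IP has a distinct hardware address.
ARP_HEALTHY = """\
? (192.168.0.2) at 00:00:00:00:00:a1 on sis0 permanent [ethernet]
? (192.168.0.254) at 00:00:00:00:00:c1 on sis0 [ethernet]
? (192.168.0.253) at 00:00:00:00:00:c2 on sis0 [ethernet]
"""

# Case 2: every client IP resolves to the WRT54G's own MAC (..:a1). A firewall
# rule keyed to that MAC would admit the bridge and everything behind it.
ARP_COLLAPSED = """\
? (192.168.0.2) at 00:00:00:00:00:a1 on sis0 permanent [ethernet]
? (192.168.0.254) at 00:00:00:00:00:a1 on sis0 [ethernet]
? (192.168.0.253) at 00:00:00:00:00:a1 on sis0 [ethernet]
"""

ARP_LINE = re.compile(r"\?\s+\((\S+)\)\s+at\s+([0-9A-Fa-f:]{17})\s+on\s+(\S+)")


def parse_arp(text):
    """Parse `? (ip) at mac on iface ...` lines into {ip: mac}, MACs lowercased."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def passthrough_rule(ip, arp, leases):
    """Decide whether a captive portal may open an (ip, mac) pass-through.

    Returns ("allow", ip, mac) only when the ARP MAC for the authenticated IP
    matches its DHCP lease (if it has one) and is not shared with any other IP.
    Otherwise returns ("refuse", ip, reason) so the caller can log the reason.
    """
    arp_mac = arp.get(ip)
    lease_mac = leases.get(ip)
    if arp_mac is None:
        return ("refuse", ip, "no ARP entry for authenticated IP")
    if lease_mac is not None and lease_mac.lower() != arp_mac:
        # The hop in front of the client has substituted its own address.
        return ("refuse", ip, f"DHCP lease MAC {lease_mac} != ARP MAC {arp_mac}")
    shared = sorted(other for other, mac in arp.items() if mac == arp_mac and other != ip)
    if shared:
        # Opening a rule for this MAC would also open it for every IP listed.
        return ("refuse", ip, f"MAC {arp_mac} shared with {', '.join(shared)}")
    return ("allow", ip, arp_mac)


def audit(arp_text, leases):
    """Run the check for every leased IP; returns {ip: decision tuple}."""
    arp = parse_arp(arp_text)
    return {ip: passthrough_rule(ip, arp, leases) for ip in leases}


if __name__ == "__main__":
    for label, text in (("healthy", ARP_HEALTHY), ("collapsed", ARP_COLLAPSED)):
        print(f"== {label} ==")
        for ip, decision in audit(text, DHCP_LEASES).items():
            print(ip, decision[0], decision[2])
```

The point of the two refusals is that either symptom (lease MAC disagreeing with the ARP MAC, or one MAC answering for several IPs) means a MAC-keyed pass-through no longer identifies a single client, which is the condition the thread reports after 1.2b8.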

-----Original Message-----
From: Chris Buechler [mailto:cbuechler at gmail dot com]
Sent: 19 September 2005 02:51
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Beta 1.2b10

On 9/18/05, Jack Pivac <email at delphinus dot co dot nz> wrote:
> Is that true for all AP's? I have a wireless AP plugged into my LAN 
> and monowall sees the MAC's for all the clients no sweat....
> 

Manuel and I have discussed this offlist and don't see how it's possible that it's changed behavior on a bridged AP from one of the earlier 1.2 betas to now. I have a WRT54G, but haven't had time to try to replicate this yet.

This one report is the only thing we've heard of this. It works fine for everybody else.

-Chris

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch