Note : Sorry for incomplete message
From: Mohammed Ismail [mailto:m dot ismael at gmail dot com]
Sent: Monday, August 17, 2009 9:22 AM
To: 'Chris Buechler'
Cc: 'm0n0wall at lists dot m0n0 dot ch'
Subject: RE: [m0n0wall] Beta 1.3b17 released
"Windows doesn't care about it, if it can ARP the IP, it'll use it as
its gateway. Other OSes will not do this, your network will not be
usable with FreeBSD for sure (it refuses to add a clearly invalid
default gateway), and likely others as well. It's ugly, don't do it.
It's not solving anything you think it might be solving. Your biggest
issue with internal untrusted clients is going to be ARP poisoning
(whether done in an automated fashion by malware on user's PCs or by
an attacker), which this isn't going to do anything to address, and is
one example of many of why you need a real solution here. Because the
problem is inside your network"
Let us say I used mikrotik router OS, it does some thing there inside the
network. i did not understand what it fully do, but it is done by assigning
/32 subnet mask , and with optional gateway other than LAN IP.
I know this being silly every time I come with strange thing, I just saw it,
what I am thinking of is ISC DHCP can assign a static route for a client.
And many so found on
I am talking about
option subnet-mask ip-address;
The subnet-mask option specifies the client's subnet mask as
RFC 950. If no subnet-mask option is provided anywhere in
as a last resort dhcpd(8) will use the subnet mask from the
net declaration for the network on which an address is being
assigned. However, any subnet-mask option declaration that is
scope for the address being assigned will override the subnet
mask specified in the subnet declaration.
option routers ip-address [, ip-address ...];
The routers option specifies a list of IP addresses for routers
on the client's subnet. Routers should be listed in order of
option mask-supplier flag;
This option specifies whether or not the client should respond
subnet mask requests using ICMP. A value of 0 indicates that
client should not respond. A value of 1 means that the client
option static-routes ip-address ip-address [, ip-address ip-address ...];
This option specifies a list of static routes that the client
should install in its routing cache. If multiple routes to the
same destination are specified, they are listed in descending
order of priority.
The routes consist of a list of IP address pairs. The first
address is the destination address, and the second address is
router for the destination.
The default route (0.0.0.0) is an illegal destination for a
static route. To specify the default route, use the routers
With combination of these we could isolate clients on wired networks
We even after that could use dhcp to disconnect clients bye assigning fake
IP address if arp attack is detected.
So I totally disagree with the following.
"m0n0wall isn't part of the solution as
it can't control these things (aside from the likely infeasible option
of splitting each user onto their own VLAN trunked to m0n0wall"
It is the solution, I know arp is layer2 but it is just as I said above.
And to migrate to that software is like impossible to me, 1st it is not
"free" and I already started with m0n0wall from the beginning of my career
and it is like emotionally connected to it for being FreeBSD.
With some work I guess it could be done.
And I have like 15 device running m0n0wall each provide Internet Access for
75 to 150 Wired Clients. Some networks are OK and others are not.
We could use them for testing.
I know I could start a new image, which I hope to work with me this time
after FreeBSD 6.4 update. But I am not asking for every thing, I am only
talking about making strong DHCP server for m0n0wall.
Yesterday I saw m0n0AP still under b1, but I guess it will be promising for
being m0n0wall based, unlike Pfsense which is going in other direction than
Best Regards ,
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch