 From:  Hilton Travis <Hilton at QuarkAV dot com>
 To:  Adam Nellemann <adam at nellemann dot nu>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] m0n0wall compatible Gigabit hardware?
 Date:  Tue, 09 Mar 2004 09:28:41 +1000
On Tue, 2004-03-09 at 02:12, Adam Nellemann wrote:
> Hi Hilton,
> Once again, thanks for all your info.
> I mail you directly as this is mainly comments and followup questions, 
> perhaps not too interesting for the rest of the list readers (but
> feel free to post any of this if you feel it would be of interest to 
> others):
> Hilton Travis wrote:
> > A 10/100/1000 would always be better for adding other devices, than a
> > pure 1000 switch - such as additional PCs that are being used on a
> > temporary basis, routers, etc.
> Yeah, I hear you. I'll see if I can find such a switch that won't 
> clean out my account :)

Cisco makes some good gear.  Are you a millionaire?  :)  D-Link also
makes decent kit - I've used their NICs for 10 or more years, and have
had only a single NIC fail.  I've not used their switches as much, but
they've always been decent.

> >>The idea was to use Gigabit to my workstation (I'll then have to learn 
> >>to live with the cable of course), but preserve the wireless for my 
> >>other, less speed craving, machines.
> > 
> > Don't you also have a video and power cable to your workstation?  What
> > difference will the addition of a network cable make?
> The difference is that my m0n0wall (and other server/internet/phone 
> gear) are in a dining room closet, while my workstation (and its
> monitor and power socket) are in my living room. I will thus need to
> drill a couple of holes in some walls and figure out how to run the
> cables so they don't look too obvious. But it will probably be worth the
> effort!

Run the cables in the ceiling/wall space and use wall plates to bring it
into the room - this will produce the cleanest results.  Ducting/channel
will clean up any runs of cable down the walls that you can see.

> > Don't forget that WiFi is a shared bandwidth solution - like the old
> > network hubs were.  This is the reason for the pathetic performance per
> > PC.  Remember, this is why we've all moved to switches - way faster
> > throughput.
> This is quite important to me: Does this go for "true" access points as
> well as my current (PRISM based) PCI card? I was under the impression
> that your typical access point would allow a reasonable number of
> clients to each get a full speed connection at the same time? (Of 
> course depending on the standard and if there are mixed clients etc.)

Nope, WiFi is a shared-bandwidth architecture.  The AP will communicate
on one of the WiFi bandwidth allocations, and all clients will need to
use this channel to communicate.  This communication takes place as it
did in hubs - if something's talking, the rest have to shut up and wait.

> If WLAN is always "shared bandwidth" I will probably go for a complete 
> TP solution for all my stationary PCs, keeping the WLAN only for 
> portables and guests, whereas I might want to use WLAN for all my PCs, 
> except my workstation, in case that I could expect the full bandwidth 
> to each of these, regardless of the number of connected clients (there 
> should never be more than 2-5 at any given time).

http://www.mcmaster.ca/cis/network/wireless/wlsoverview.htm may provide
a bit of insight to WiFi.  There's really not a lot of good info out
"there" on WiFi bandwidth usage.

If you used a traditional wired network with a switch, all PCs can have
a full 200 Mbps communication (full duplex) assuming that you don't have
3 PCs accessing a single PC - then they'll get 66 Mbps each -
obviously.  Then you need to drop about 25% as network overhead for
Ethernet.  Wired will be significantly faster than WiFi.

> > Also, MAKE SURE that all machines on the WiFi network are running the
> > same protocol - all 802.11b or 802.11g, but not a mixture of both.  If
> > you have a mixture, use one 802.11b AP and another 802.11g AP as this
> > will increase net throughput.
> Yarh, I know about this little caveat. Currently I run a b-only WLAN, 
> but the plan was to upgrade to a g-only WLAN (preferably 108Mbps capable).

108 Mbps is 5 MHz, innit?  Effectively 802.11a/Turbo.  Or so I've been

> Btw. I think I've heard about some of the newer APs being able to run 
> each segment at its full speed, even in mixed WLANs!

That is possible if they have dual transmitters/receivers, and they'd be
significantly more expensive than the older ones, I'd imagine.

> >>I guess there would be some advantage in placing the AP on OPT1 
> >>through a 100Mbps NIC, instead of going through the Gigabit switch.
> > 
> > Definitely.  You can then assign a different network to the WiFi PCs and
> > filter the traffic through the m0n0wall.  Also, make sure that you
> > implement WPA security - WEP is a joke, MAC filtering isn't much better,
> > and SSID hiding is not even worth the waste of time to set it up.
> I currently run with different subnets for the LAN and WLAN interface 
> in m0n0wall, but I guess I don't strictly need it (I probably might as 
> well bridge the two interfaces). Currently my LAN is closed to the 
> WAN, but this will have to change soon anyway, making the two subnets 
> more or less identical with respect to firewall rules etc.

If you bridge the LAN and OPT1 interfaces, it seems that DHCP fails to
allocate IPs to your OPT1 interface.  See Dave Kitchens' recent post on
the subject.

> I'm aware of WEP being "insufficient" (to put it mildly), but I wasn't 
> aware that there were any alternatives offered with m0n0wall (aside 
> from using PPTP tunnels, which I haven't gotten around to implementing 
> yet).

Or, better still, IPSEC.  :)

> I'd very much like to use MAC filtering and disable the SSID 
> broadcast, even if this isn't foolproof (it should still help a 
> little, adding to the overall WLAN security), but I didn't think this 
> was possible with m0n0wall (according to Manuel it is to do with the 
> driver implementation for the wireless interfaces or some such?) If it 
> is, please let me know how to enable and set up these things? Also: 
> How do I use WPA with m0n0wall?

Using MAC filtering is almost decent.  Almost.  Disabling SSID broadcast
is as effective as WEP is - Windows XP can even be used to display the
SSID of a broadcast-disabled AP!  :)  The inability of m0n0wall to
disable SSID broadcasting isn't *really* a security concern.

> > I've seen reports that Intel Gigabit Copper NICs work fine.  I'd also have 
> > expected this as they have a single driver that supports almost all of their 
> > NICs.
> I'll go with the Intel NICs. Are you saying that these should also 
> work with m0n0wall? (Not that I think I'll need that, at least not 
> straight away, but would be nice to know my Gigabit cards are 
> compatible just in case I might need it later on.)

Yes, that was exactly what I was saying - reports are that they work



Hilton Travis                   Phone: +61-(0)7-3343-3889
Manager, Quark AudioVisual      Phone: +61-(0)419-792-394
         Quark Computers         http://www.QuarkAV.com/
(Brisbane, Australia)            http://www.QuarkAV.net/

Open Source Projects:		http://www.ares-desktop.org/

Non Linear Video Editing Solutions & Digital Audio Workstations
 Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
  Conference and Seminar AudioVisual Production and Recording

War doesn't determine who is right. War determines who is left.