 From:  "Magne Andreassen" <magne dot andreassen at bluezone dot no>
 To:  "'mono'" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Securing that wi-fi network...
 Date:  Mon, 29 Sep 2003 03:51:56 +0200
Hi,

Need to share some thoughts on wireless networking with m0n0wall. ;)
Please comment (pros or cons) on this.

WEP is, as we all know, pretty bogus. And I can't understand why people feel secure
when using it. Of course it is more secure than running without, but if someone
wants to, they can easily hack it. So what, you say? Well, if you are a bit paranoid
like me, you like to have a little control over who is accessing your network, and
since pretty much anyone can connect to your wireless network (if not properly
configured), one should take his/her precautions.

I would like to have some kind of encryption other than, or in addition to, WEP
for my wireless clients. I also want users connecting to my wireless network to
authenticate themselves, either to the built-in PPTP service in m0n0wall, or, since
I'm running Win2000 Active Directory, to my windoze wannabe RADIUS service. I like
the VPN feature of m0n0wall, and use it to connect via the internet. So why not use
it for wireless?
One thing though: DHCP is generally a bad idea on wireless networks, but I really
want this since changing the IP address config on my Windows 2k laptop is boring
when roaming between school, work and home.
I am aware that DHCP works on the wireless interface in bridge mode (with LAN).
Problem is that no filter rules apply in bridge mode.

So what I am thinking:
-DHCP on wireless interface. (not possible in m0n0wall (...yet))
-Enable PPTP server in m0n0wall.
-Add some firewall rules on wireless interface:
	GRE Wireless net * * *				- for VPN
	TCP Wireless net * * 1723			- for VPN
	UDP * 68 wi-ip 67					- DHCP
	UDP * 68 255.255.255.255 67			- DHCP
	UDP wi-ip 67 * 68					- DHCP

And you are good to go! Works like a charm :)
Your wireless clients will now get a leased IP address, but cannot connect to the
internet or your LAN until they authenticate to the PPTP service in m0n0wall.
In Windows, a simple setup of a new network VPN connection does the trick!
The only thing that needs to be done on m0n0wall is adding DHCP for optional
interfaces and maybe including the above firewall rules in the filter.inc file
(or one could add these manually as I did).

Does this sound like fun or not?
The same effect can of course be achieved with static IP addresses, but I hate
changing those IP addresses all the time! :)

I will, if no one else is already looking into it, write the code for the DHCP
on optional interfaces as soon as I get the time, and post a note to the list...


Magne
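As an added example that is not code from the post or from m0n0wall: a small Python first-match filter evaluator that encodes the five wireless rules above exactly as listed, then applies the default deny that follows them, so you can check which packets an unauthenticated wireless client is allowed to send. The wireless subnet, m0n0wall's wireless address and the client address are constructed assumptions.

```python
# Added example (not from the post or m0n0wall): first-match evaluator for the
# five wireless rules in the post plus the implicit default deny.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing (assumption): wireless subnet and m0n0wall's wireless IP.
WIRELESS_NET = ipaddress.ip_network("192.168.2.0/24")
WI_IP = ipaddress.ip_network("192.168.2.1/32")
BCAST = ipaddress.ip_network("255.255.255.255/32")
ANY = None  # the "*" wildcard in the post

@dataclass(frozen=True)
class Rule:
    proto: str
    src: Optional[ipaddress.IPv4Network]
    sport: Optional[int]
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]
    comment: str

# Same column order as the post: proto, source, source port, destination, dest port.
RULES = [
    Rule("gre", WIRELESS_NET, ANY, ANY, ANY, "VPN (GRE carries the PPTP tunnel)"),
    Rule("tcp", WIRELESS_NET, ANY, ANY, 1723, "VPN (PPTP control channel)"),
    Rule("udp", ANY, 68, WI_IP, 67, "DHCP unicast to m0n0wall"),
    Rule("udp", ANY, 68, BCAST, 67, "DHCP broadcast discover/request"),
    Rule("udp", WI_IP, 67, ANY, 68, "DHCP offer/ack from m0n0wall"),
]

def _addr_ok(spec, addr):
    return spec is ANY or ipaddress.ip_address(addr) in spec
def _port_ok(spec, port):
    return spec is ANY or spec == port

def evaluate(proto, src, sport, dst, dport):
    """Comment of the first matching pass rule, or 'BLOCK' (m0n0wall's default deny)."""
    for r in RULES:
        if (r.proto == proto and _addr_ok(r.src, src) and _port_ok(r.sport, sport)
                and _addr_ok(r.dst, dst) and _port_ok(r.dport, dport)):
            return r.comment
    return "BLOCK"
if __name__ == "__main__":
    client = "192.168.2.50"  # constructed: a wireless client that already has a lease
    for pkt in [("udp", "0.0.0.0", 68, "255.255.255.255", 67),  # DHCP discover
                ("tcp", client, 1040, "192.168.2.1", 1723),     # PPTP connect
                ("tcp", client, 1041, "203.0.113.10", 80),      # web before VPN auth
                ("udp", client, 1042, "192.168.1.1", 53)]:      # LAN DNS before VPN auth
        print(pkt, "->", evaluate(*pkt))
```

As written in the post, the two VPN rules leave the destination column as *, so TCP/1723 and GRE from the wireless net are passed toward any host; narrowing that column to wi-ip limits unauthenticated clients to m0n0wall's own PPTP service.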