Make a rule for your Opt1 interface with source of Opt1 Subnet (port any) and a destination of not LAN Subnet (port any, for testing), then restrict destination ports if you want.

_________________________________
James W. McKeand

-----Original Message-----
From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
Sent: Tuesday, August 31, 2004 5:17 PM
To: Dana Spiegel; Kevin Coleman
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Setting up HotSpot

I went ahead and changed everything over like you guys suggested. My LAN is now on the LAN interface, my ADSL is now on the WAN interface and my access point is now on the OPT1 interface. Now the configuration is as follows:

WAN - IP is DHCP assigned by DSL provider
LAN - IP is 192.168.1.1/24
OPT - IP is 10.10.10.1/24 and DHCP is enabled to give wireless clients IP addresses in a range of 10.10.10.100 - 10.10.10.254

But I can't get the OPT1 interface working with my wireless laptop. It doesn't even give out an IP address when I turn the laptop computer on (yes, it is configured to get an IP automatically). I am guessing it is because I needed to make a firewall rule, but for the life of me I can't figure out the right rule, I guess. All I need is the OPT1 to access the WAN and NOT the LAN.

Any ideas or hints on what I am missing?

Rodman

From: "Dana Spiegel" <dana at sociableDESIGN dot com>
To: "Kevin Coleman" <kevin at gabu dot com>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Tuesday, August 31, 2004 8:59 AM
Subject: Re: [m0n0wall] Setting up HotSpot

> I would also rethink your rules below. Only allowing those ports will
> make the hotspot very unusable.
>
> People put web servers on ports other than 80 and 443
> People use IMAP
> People use SMTP (and NYCwireless has a totally unrestricted network
> where we've never seen a spammer send out millions of spam messages)
> People use S/POP and S/IMAP
> People use PPTP and IPSEC VPNs (this is a big one, especially since
> wireless hotspots are inherently insecure)
> People use SSH (and SSH on ports other than 22)
> People use other applications that make use of other ports
>
> Really your best bet is to put up the Captive Portal page, and set up
> your network as Kevin recommends below.
>
> Dana Spiegel
> Director, NYCwireless
> dana at nycwireless dot net
> www.nycwireless.net
>
> <mailto:dana at sociableDESIGN dot com>
>
>
> Kevin Coleman wrote:
>
> >I'd take out the Linksys, put your 192.169.1.0/24 network on the LAN
> >interface, your DSL/cable modem on the WAN interface, and connect
> >your Wi-Fi AP to the DMZ interface.
> >
> >Then create a firewall rule that enables the DMZ to access the WAN.
> >By default, LAN will be able to access the internet and DMZ will not
> >be able to access the LAN.
> >
> >(K)
> >
> >-----Original Message-----
> >From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
> >Sent: Monday, August 30, 2004 9:16 PM
> >To: m0n0wall at lists dot m0n0 dot ch
> >Subject: [m0n0wall] Setting up HotSpot
> >
> >Hello. After many hours of labor, I finally got m0n0 running today.
> >I guess it pays to make sure you actually have a NIC chipset
> >supported by FreeBSD...
> >
> >Anyway, I have a question or two about using m0n0 with a hotspot I am
> >installing in my business. I have a LAN behind my Linksys NAT
> >router/switch with an IP/subnet range of 192.168.1.0/24. Only 3
> >computers connected to the switch. What I am wanting to do is
> >connect m0n0 right to the switch on my LAN (through the m0n0 WAN device).
> >Then I want to connect my wireless AP to the m0n0 box. The problem
> >is, I don't know if I should use the DMZ/OPT1 interface or the LAN
> >interface. I won't need anything connected to the LAN interface on
> >the m0n0 box, so could I actually just connect the AP to the LAN
> >interface and my hotspot becomes "another LAN" in effect?
> >
> >I then need to make sure m0n0 blocks all access to my actual "real"
> >wired LAN, since all I want the wireless clients to do is surf and not
> >sniff my network. Would I simply need to set up a rule for the LAN
> >interface that would block all outgoing traffic that had a
> >destination of 192.168.1.0/24?
> >
> >Lastly, I need m0n0 to block access to everything the wireless
> >clients can do except pop3, http, and https. Would I simply add a
> >set of allow rules to the LAN interface again, something to the idea
> >of this:
> >
> >Proto  Source   Port  Destination  Port
> >TCP    LAN net  *     *            80 (HTTP)
> >TCP    LAN net  *     *            110 (POP3)
> >TCP    LAN net  *     *            443 (HTTPS)
> >
> >Then at the bottom of those 3 rules have one that blocks EVERYTHING
> >else?
> >
> >Thanks in advance for any help, guys!
> >
> >Rodman Frowert

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
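The rule sets discussed in this thread (James's single "Opt1 Subnet to not LAN Subnet" pass rule, and Rodman's original idea of passing only 80/110/443 with a block-everything rule at the bottom) can be checked offline with a small first-match model before touching the firewall. The following is an added example, not code from m0n0wall or from anyone on the list; it assumes top-to-bottom, first-match evaluation with an implicit deny when nothing matches, which is how a per-interface rule list such as the OPT1 tab behaves. The subnets are the ones quoted in the thread; the client, destination host and ports are constructed for illustration, and the model says nothing about DHCP, which is the symptom Rodman reports.

```python
"""First-match firewall policy model for the hotspot rules discussed above.

Added example; not code from m0n0wall or from anyone in the thread.
Rules are evaluated top to bottom, first match wins, and anything that
matches no rule is dropped (implicit default deny).  Subnets are the
ones quoted in the thread; hosts and ports below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

LAN_NET = ip_network("192.168.1.0/24")    # wired LAN (from the thread)
OPT1_NET = ip_network("10.10.10.0/24")    # wireless hotspot (from the thread)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                              # "pass" or "block"
    src: Optional[IPv4Network] = None        # None means any source
    dst: Optional[IPv4Network] = None        # None means any destination
    dst_negate: bool = False                 # True models "not LAN Subnet"
    proto: Optional[str] = None              # None means any protocol
    dports: frozenset = frozenset()          # empty means any port

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not None:
            in_dst = ip_address(pkt.dst) in self.dst
            if in_dst == self.dst_negate:    # negation flips the test
                return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule, or 'block'."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"                           # implicit default deny


# James's suggestion: one rule, OPT1 subnet to anything that is not the LAN.
OPEN_HOTSPOT = [Rule("pass", src=OPT1_NET, dst=LAN_NET, dst_negate=True)]

# Rodman's original idea taken literally: pass 80/110/443 to any destination,
# with the LAN block and the block-everything rule both at the bottom.
RESTRICTED_WRONG_ORDER = [
    Rule("pass", src=OPT1_NET, proto="tcp", dports=frozenset({80})),
    Rule("pass", src=OPT1_NET, proto="tcp", dports=frozenset({110})),
    Rule("pass", src=OPT1_NET, proto="tcp", dports=frozenset({443})),
    Rule("block", src=OPT1_NET, dst=LAN_NET),
    Rule("block"),
]

# Same rules with the LAN block moved above the pass rules.
RESTRICTED_RIGHT_ORDER = (
    [RESTRICTED_WRONG_ORDER[3]] + RESTRICTED_WRONG_ORDER[:3] + [Rule("block")]
)

# Constructed sample traffic from a wireless client (10.10.10.100).
SAMPLES: Dict[str, Packet] = {
    "https_to_internet": Packet("10.10.10.100", "203.0.113.10", "tcp", 443),
    "ssh_to_internet":   Packet("10.10.10.100", "203.0.113.10", "tcp", 22),
    "ike_to_internet":   Packet("10.10.10.100", "203.0.113.10", "udp", 500),
    "dns_to_firewall":   Packet("10.10.10.100", "10.10.10.1", "udp", 53),
    "smb_to_lan":        Packet("10.10.10.100", "192.168.1.5", "tcp", 445),
    "http_to_lan":       Packet("10.10.10.100", "192.168.1.5", "tcp", 80),
}


def check_policy(rules: List[Rule]) -> Dict[str, str]:
    """Evaluate every sample packet against a rule list."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in (("open", OPEN_HOTSPOT),
                         ("restricted, LAN block last", RESTRICTED_WRONG_ORDER),
                         ("restricted, LAN block first", RESTRICTED_RIGHT_ORDER)):
        print(label, check_policy(rules))
```

Two things fall out of the model that the thread only states in words. With the LAN block placed below the port pass rules, HTTP to a LAN host (192.168.1.5:80) is passed, because the pass rule has destination "any" and matches first; the block has to sit above the pass rules to do its job. And the 80/110/443 set blocks UDP 53 to the firewall's own OPT1 address, so clients cannot resolve names even though web ports are open, which is one concrete form of Dana's "very unusable" remark alongside the blocked SSH and IPsec IKE traffic.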