LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-07-2009, 05:26 PM   #1
Randux
Senior Member
Registered: Feb 2006
Location: Siberia
Distribution: Slackware & Slamd64. What else is there?
Posts: 1,705

How is MAC being obtained?


Hi,

I am trying to secure a wireless router which is also running my LAN. Until I can get some more hardware I have installed arno iptables firewall on my Slackware boxes and it seems to do most of what I want. All the boxes on the LAN can talk to each other except for the wireless nodes which come in on certain IPs. The wired boxes have dedicated IPs so they shouldn't be leased to wireless nodes. It seems like it's working because the wired boxes can get to my webserver but the wireless nodes can't, which is what I want.

I notice I can't protect against NMAP obtaining the MAC of the wired LAN boxes.

How is this information being obtained and can I create an iptables rule to stop it?

Thanks.

Last edited by Randux; 02-07-2009 at 05:29 PM.
Old 02-07-2009, 06:27 PM   #2
win32sux
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Are the wired and wireless hosts on the same LAN?

EDIT: Actually, nevermind. If the MACs are visible they are obviously on the same LAN.

Last edited by win32sux; 02-07-2009 at 06:55 PM.
Old 02-07-2009, 11:45 PM   #3
anomie
Senior Member
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Quote:
Originally Posted by Randux
I notice I can't protect against NMAP obtaining the MAC of the wired LAN boxes.

How is this information being obtained and can I create an iptables rule to stop it?
MAC addresses are obtained as part of (and required for) layer 2 ethernet communication. See the OSI model enumeration for more details on that.

IIRC, iptables is able to perform layer 2 filtering, but I am not sure it will solve the problem you're describing.

If the goal is simply to cloak the true MAC addresses of the NICs in the wired boxes, another possibility may be to spoof their MAC addresses to something fictional of your choosing.
Old 02-08-2009, 04:23 AM   #4
Randux
Senior Member
Registered: Feb 2006
Location: Siberia
Distribution: Slackware & Slamd64. What else is there?
Posts: 1,705

Original Poster
Hi guys, it was too late when I realized the MAC addresses are part of the packets. But it should go away once it crosses the NAT layer in the router, correct? Then it will be only the MAC of the router.

I started another thread and didn't get much feedback but what I am trying to do is to allow certain people to get to the internet using my wireless router but I want them off my LAN so that the inevitable hacking doesn't lead to compromising my LAN. All I have is one DSL router. I did all the obvious stuff like using a strong passphrase and having a list of authenticated MACs but I still don't trust it. Maybe I could set up a subnet for the wireless clients but I couldn't figure out how to do it on this router.

What's the correct way to accomplish this? I basically want to firewall my LAN but allow wireless clients to get only to the internet and not see my LAN at all. Do I just slap a hardware firewall behind my router and run all the LAN off of it? If these questions don't make sense it's because I haven't ever looked into networking. It just kind of happened badly as I got more boxes. Thank you.
Old 02-08-2009, 11:22 AM   #5
win32sux
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by Randux
Hi guys, it was too late when I realized the MAC addresses are part of the packets. But it should go away once it crosses the NAT layer in the router, correct?
Technically they are part of the frames which the packets are encapsulated in. And yes, they only work within the LAN, as frames are non-routable (unlike packets).

Quote:
I basically want to firewall my LAN but allow wireless clients to get only to the internet and not see my LAN at all. Do I just slap a hardware firewall behing my router and run all the LAN off of it?
That's definitely an option worth considering. BTW, if you could post the brand/model of the router it would be great, as we could look at its feature set.

Last edited by win32sux; 02-08-2009 at 11:27 AM.
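To make the two points from posts #3 and #5 concrete (a host on the same segment learns MACs from the layer-2 headers and ARP bodies of frames it sees, and a router rebuilds the layer-2 header so the original source MAC never crosses it), here is an added walkthrough. It is example code written for this page, not code from the thread or from nmap; the frames, MAC addresses and IPs are constructed for the example, and nothing is sent on the wire.

```python
"""
Ethernet/ARP frame walkthrough: where the MAC addresses a LAN-local nmap
scan reports come from, and why they do not survive a hop through a router.
Every frame below is constructed in memory for this example (assumed values;
documentation-range MACs and RFC 1918 IPs). No packets are sent.
"""
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet frame carrying an ARP request (op=1) or reply (op=2).
    The sender's MAC appears twice: in the 14-byte Ethernet header and
    again inside the 28-byte ARP body. A request goes to broadcast."""
    dst = BROADCAST if op == 1 else target_mac
    eth = mac_to_bytes(dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, op)   # hw=Ethernet, proto=IPv4
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def build_ipv4_frame(src_mac, dst_mac, payload: bytes) -> bytes:
    """Ethernet frame wrapping an (opaque, constructed) IPv4 payload."""
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, for ARP, the ARP body."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": bytes_to_mac(dst), "src_mac": bytes_to_mac(src), "ethertype": ethertype}
    if ethertype == ETHERTYPE_ARP:
        body = frame[14:42]
        if len(body) < 28:
            raise ValueError("truncated ARP body")
        htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
        if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
            raise ValueError("unsupported ARP hardware/protocol type")
        info["arp"] = {
            "op": "request" if op == 1 else "reply",
            "sender_mac": bytes_to_mac(body[8:14]),
            "sender_ip": bytes_to_ip(body[14:18]),
            "target_mac": bytes_to_mac(body[18:24]),
            "target_ip": bytes_to_ip(body[24:28]),
        }
    return info


def arp_scan_results(frames) -> dict:
    """IP -> MAC table a host builds from the ARP replies on its segment.
    This is all a LAN-local scanner needs; it is not something an
    iptables rule on the target can hide, because the kernel must answer
    ARP (or the box is unreachable at all)."""
    table = {}
    for f in frames:
        arp = parse_frame(f).get("arp")
        if arp and arp["op"] == "reply":
            table[arp["sender_ip"]] = arp["sender_mac"]
    return table


def forward_through_router(frame: bytes, router_mac: str, next_hop_mac: str) -> bytes:
    """What a router does with an IP frame it forwards: the layer-2 header
    is discarded and rebuilt for the next segment. The payload (the packet)
    is carried across; the original source MAC is not."""
    _, _, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("routers forward IP packets, not ARP frames")
    return build_ipv4_frame(router_mac, next_hop_mac, frame[14:])


if __name__ == "__main__":
    # Constructed exchange: 192.168.1.10 asks who has .20, .20 answers.
    req = build_arp(1, "00:00:5e:00:53:10", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.20")
    rep = build_arp(2, "00:00:5e:00:53:20", "192.168.1.20", "00:00:5e:00:53:10", "192.168.1.10")
    print("seen on the segment:", arp_scan_results([req, rep]))
    # The same host's IP traffic, after the router forwards it upstream.
    ipf = build_ipv4_frame("00:00:5e:00:53:20", "00:00:5e:00:53:01", b"\x45" + b"\x00" * 19)
    out = forward_through_router(ipf, "00:00:5e:00:53:01", "00:00:5e:00:53:fe")
    print("source MAC upstream:", parse_frame(out)["src_mac"])
```

Running it prints the IP-to-MAC table a neighbour on the segment would learn, and then shows that the frame leaving the router carries the router's own MAC as source, which is the answer to the "should go away once it crosses the NAT layer" question in post #4: the MAC is lost at the router regardless of NAT, simply because the frame is rebuilt. The flip side, relevant to the wireless clients, is that any host on the same segment still sees the real MACs, which is why separating the wireless clients onto their own segment (not a filter on the wired boxes) is what actually hides them.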