LinuxQuestions.org
Linux - Wireless Networking This forum is for the discussion of wireless networking in Linux.

Old 09-05-2001, 11:43 PM   #1
Mr Smith
LQ Newbie
 
Registered: Sep 2001
Posts: 9

Rep: Reputation: 0
Best way to add 802.11b access point to existing wired LAN


Hi,

I currently have a wired LAN with a Linux box running ipchains to masquerade traffic between the wired LAN and an internet connection. The Linux machine has two NICs installed, one that connects to the Internet (WAN), and one that connects to my hub for the rest of my LAN. This setup works very well for me, but now I want to add an 802.11b wireless access point. I'll be using WEP, but feel that is not enough to secure the network. How can I best integrate the 802.11b access point into the current network without sacrificing the security I have already set up with the Linux firewall?

I've thought about putting a third NIC into the same Linux machine and giving that NIC an address in a different subnet from the wired LAN. I would then connect the wireless access point to this third NIC and then use ipchains again to masquerade from the wireless access point to the internet connection. Then use some sort of VPN or RADIUS authentication to transfer data between the wireless LAN and the existing wired LAN. Does this sound like a secure idea, or would it be better for me to build a second Linux box to masquerade between the wireless access point and the internet connection, providing more discrete hardware separation between the wired and wireless network?

Thanks in advance for any help you can provide.
 
Old 09-06-2001, 06:37 AM   #2
Steave
Member
 
Registered: Jul 2001
Location: Braunschweig, Germany
Distribution: Suse 7.2
Posts: 184

Rep: Reputation: 30
Putting a third NIC in the Linux box is probably the best idea if you want to have the wired and the wireless LAN physically separated. You should have the wireless LAN running in a different subnet and set the Linux box up for routing between the nets.

Such as 192.168.0.0/24 for the wired LAN (eth0)
and 192.168.1.0/24 for the wireless (eth1)

Routing should be like
Destination   Gateway   Genmask         Interface
192.168.0.0   0.0.0.0   255.255.255.0   eth0
192.168.1.0   0.0.0.0   255.255.255.0   eth1
... and all the other stuff for routing into the internet and the loopback...

This will allow full access between the two subnets.

Your Windows boxes in the network should have the Linux box as default gateway.

If you like you can also define some filtering rules between the wired and wireless net using IPChains.

I have heard that there might be issues using multiple passive NICs in one PC... But I don't think this will affect you.

Well, go for it! Steave.
 
Old 09-06-2001, 11:03 AM   #3
Mr Smith
LQ Newbie
 
Registered: Sep 2001
Posts: 9

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by Steave
I have heard that there might be issues using multiple passive NICs in one PC... But I don't think this will affect you.

Well, go for it! Steave.
Thanks for your help.. but what sort of issues regarding multiple passive NICs are we talking about here?
 
Old 09-06-2001, 11:08 AM   #4
Steave
Member
 
Registered: Jul 2001
Location: Braunschweig, Germany
Distribution: Suse 7.2
Posts: 184

Rep: Reputation: 30
Since passive NICs leave all the work to the CPU, I heard of problems with CPU time. But this was probably two years ago and they were talking about four and more cards, if I remember right.
Might still be an issue if you're using some ancient machine as router. But as active cards are rather expensive, I'd give it a shot!
Steave.
 
Old 09-06-2001, 12:25 PM   #5
Mr Smith
LQ Newbie
 
Registered: Sep 2001
Posts: 9

Original Poster
Rep: Reputation: 0
Ok, thanks.. shouldn't be a problem for me then, I'll give it a try and let you know how it works.

Is there some sort of VPN package or something similar I can use to allow authenticated traffic to flow from the wireless LAN subnet to the wired LAN subnet or would I have to filter it with creative ipchains rules?
 
Old 09-06-2001, 11:00 PM   #6
Mr Smith
LQ Newbie
 
Registered: Sep 2001
Posts: 9

Original Poster
Rep: Reputation: 0
Well, IT WORKED!! I got the third NIC up and running as eth2 (the WAN NIC is eth0 and the wired LAN is on eth1). I then set up ipchains to masquerade from eth1 to eth0 and from eth2 to eth0, but not from eth1 to eth2.

This is exactly what I wanted, now the wireless computers can easily access the Internet, but cannot talk to any of the other PCs on the wired LAN and vice versa.

Now at least if someone does happen to hack into my wireless access point, all they will have access to is the Internet, still a problem, but not as bad as allowing anyone to connect to my PCs on the wired LAN.

Now all I need is some secure way to authenticate myself to pass traffic back and forth between the wireless LAN and the wired LAN, and possibly requiring the same authentication to gain access to the Internet from the wireless LAN as well.

Thanks again Steave for convincing me this was worth a try.
 
Old 09-07-2001, 04:06 AM   #7
Steave
Member
 
Registered: Jul 2001
Location: Braunschweig, Germany
Distribution: Suse 7.2
Posts: 184

Rep: Reputation: 30
Concerning routing between the two nets, I think you'll have to be inventive and have a look at the manpages of ipchains for some good filtering options.

Also you don't have to masquerade between the two internal nets, since all the ip's in your local net should be valid for you. You only need Masquerading if you want to have mutiple Computers connect to the internet just using one ip. All you need is a routing rule between the two nets. (see above)

try
# route add -net 10.0.1.0/24 dev eth2
# route add -net 10.0.0.0/24 dev eth0
where 10.0.1.x are addresses on your wireless LAN and 10.0.0.x are addresses on your wired one. Now traffic between the two nets should work. - without masquerading-


I don't think VPN is a good option, since you don't need to tunnel any information through public networks.

I guess there's some way of authenticating users and giving them access to your private LAN. Probably you can filter hardware addresses, which are unique to each network device. ...

Probably worth a post in the security forum.

Last edited by Steave; 09-07-2001 at 04:15 AM.
 
Old 09-07-2001, 08:41 AM   #8
Mr Smith
LQ Newbie
 
Registered: Sep 2001
Posts: 9

Original Poster
Rep: Reputation: 0
Thanks, but I didn't want to add routing between the two nets. I have several computers (linux and win based) on the wired lan, and two laptops on the wireless lan. I wanted the two laptops to have access to the internet but not to have public access to the wired lan.

When I first set it up, both eth1 (wired LAN) and eth2 (wireless LAN) were successfully masquerading to eth0 (WAN internet connection), but they were also masquerading to each other (eth1 <-> eth2), which is what I was trying to avoid. I had to change my ipchains rules slightly to only allow masquerading to eth0 (with the -i eth0 option in my MASQ rules).

Now the wireless LAN and wired LAN are physically separated, but both have access to the Internet connection through the same single IP address.

Quote:
Originally posted by Steave
I don't think VPN is a good option, since you don't need to tunnel any information through public networks.

I guess there's some way of authenticating users and giving them access to your private LAN. Probably you can filter hardware addresses, which are unique to each network device. ...

Probably worth a post in the security forum.
I haven't played with VPN before, but was kinda thinking it wouldn't work for this application because as you said, I'm not tunneling through any public nets. Maybe some sort of RADIUS solution then? I'll post it in the security section.

The 802.11b access point already filters hardware addresses by only talking to those MAC addresses specified in the control list, but sniffing for and spoofing a particular MAC address is pretty trivial these days. I don't feel too confident in using MAC address filtering as my only line of defense.

Thanks again for all your help!
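The ruleset Mr Smith describes in posts #6 and #8, written out as a complete ipchains script, with the first attempt (MASQ rules keyed on source address only, which let eth1 and eth2 masquerade to each other) next to the fixed version (MASQ restricted to -i eth0). This is an added example and not a script anyone posted in the thread. It assumes the interface layout from post #6 (eth0 = WAN, eth1 = wired, eth2 = wireless) and the 192.168.0.0/24 and 192.168.1.0/24 ranges Steave suggested in post #2, which the OP never confirmed; the run wrapper, the DRY_RUN switch, the function names and the script name wlan-fw.sh are all my own.

```shell
#!/bin/sh
# Added example: ipchains (Linux 2.2 kernel) rules for a three-NIC router.
# Assumed layout, taken from the thread: eth0 = WAN, eth1 = wired LAN,
# eth2 = wireless LAN. The address ranges are assumptions.
WAN_IF=eth0
WIRED_IF=eth1
WIFI_IF=eth2
WIRED_NET=192.168.0.0/24     # assumed, behind eth1
WIFI_NET=192.168.1.0/24      # assumed, behind eth2

# DRY_RUN=1 prints each rule as it would be applied instead of running
# ipchains, so the ruleset can be reviewed without root.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'ipchains %s\n' "$*"
    else
        ipchains "$@"
    fi
}

# What post #6 started with: MASQ rules that only name the source network.
# In the forward chain a MASQ rule without -i matches packets leaving on
# *any* interface, so wired->wireless and wireless->wired packets are
# masqueraded through the router instead of hitting the DENY policy.
weak_rules() {
    run -P forward DENY
    run -F forward
    run -A forward -s "$WIRED_NET" -j MASQ
    run -A forward -s "$WIFI_NET" -j MASQ
}

# The fix from post #8: in the forward chain -i is the *outbound*
# interface, so MASQ now only fires for packets headed out over the WAN.
# Traffic between the two LANs is denied explicitly first, with -l so every
# attempt is logged to syslog (it would fall through to the policy anyway).
hardened_rules() {
    run -P forward DENY
    run -F forward
    run -A forward -s "$WIFI_NET" -d "$WIRED_NET" -j DENY -l
    run -A forward -s "$WIRED_NET" -d "$WIFI_NET" -j DENY -l
    run -A forward -i "$WAN_IF" -s "$WIRED_NET" -j MASQ
    run -A forward -i "$WAN_IF" -s "$WIFI_NET" -j MASQ
}

# In the input chain -i is the *inbound* interface. A wireless host that
# spoofs a wired-LAN source address (post #8 notes MAC spoofing is trivial,
# IP spoofing is no harder) is dropped at the door, and logged, before any
# forward-chain rule can match it as wired traffic.
antispoof_rules() {
    run -A input -i "$WIFI_IF" -s "$WIRED_NET" -j DENY -l
    run -A input -i "$WIRED_IF" -s "$WIFI_NET" -j DENY -l
}

# Forwarding is off by default; the rules above only matter once it is on.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Usage (assumed script name):
#   ./wlan-fw.sh apply             apply hardened rules, as root
#   DRY_RUN=1 ./wlan-fw.sh apply   print the rules instead
if [ "${1:-}" = "apply" ]; then
    [ -n "${DRY_RUN:-}" ] || enable_forwarding
    hardened_rules
    antispoof_rules
fi
```

Two caveats worth checking on a box built this way. The forward chain only governs packets routed *through* the machine; packets addressed *to* the router itself (its SSH, DNS or Samba ports) go through the input chain, so without input rules on eth2 a wireless host still gets full access to whatever the router is listening on. And the DENY rules above are keyed on addresses, not on which NIC a packet arrived on, which is why the antispoof_rules are there as a backstop.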
 
  


Similar Threads
802.11g clients w/ 802.11b access point (peok, Linux - Wireless Networking, 2 replies, last post 11-01-2005 12:30 AM)
How to connect to internet using the internal 802.11b/g wireless LAN in laptop (bin75, Linux - Wireless Networking, 1 reply, last post 04-21-2005 09:48 AM)
Wireless LAN card 802.11b and Ricoh card bus (Abdul Mueid, Linux - Wireless Networking, 4 replies, last post 02-10-2004 04:10 PM)
RedHat 8.0 with 802.11a 802.11b and 802.11g (Bryanx, Linux - Hardware, 2 replies, last post 05-23-2003 02:12 AM)
802.11b wireless access security questions. (Mr Smith, Linux - Security, 8 replies, last post 10-10-2001 11:15 AM)
