d***@123mail.org
2017-03-13 14:13:01 UTC
I'm adding WiFi to my Shorewall router.
In "step 1" (earlier thread) I added a wifi adapter, device == wlan0, to zone == wifi0.
I assigned a unique segment to its DMZ, 10.128.128.0/24, whereas the rest of my LAN is on 10.1.1.0/24.
Using policies I set it up for passthrough access
net wifi0 ACCEPT
wifi0 net ACCEPT
all wifi0 REJECT
wifi0 all REJECT
got DHCP & PING working, and got hostapd running with wlan0.
Now I can log in to the wifi0 zone, get an IP in its segment, and access the net -- bypassing the 'net. Exactly what I wanted.
I learned that hostapd can broadcast multiple SSIDs on a single adapter.
As 'step 2', I want to add a second SSID for login -- but integrated into my LAN, *not* isolated from it.
I configured hostapd so that it creates two 'virtual' interfaces,
wlan0, 10.128.128.0/24
wlan1, 10.2.2.0/24
I want wlan1 'fully integrated' into my LAN -- subject to same access rules, protections etc., while wlan0 still functions exactly as above.
IIUC I can either
(1) put wlan1 on a bridge with my already setup internal ethernet interface
(2) put wlan1 in another DMZ segment, and setup access policies or rules
I understand from docs how I'd do (1).
I want to figure out how to do (2) safely.
If I assign the 2nd interface, wlan1, to a 2nd zone == wifi1, & add policies
net wifi0 ACCEPT
wifi0 net ACCEPT
all wifi0 REJECT
wifi0 all REJECT
$FW $FW ACCEPT
$FW all+ ACCEPT
+ wifi1 $FW ACCEPT
+ lan wifi1 ACCEPT
+ wifi1 lan ACCEPT
will that provide my wifi1-logged-in users full access to the LAN == lan zone, **AND** keep it safely isolated from the 'passthrough' wlan0?
I want to make sure that, since 'wlan0' and 'wlan1' are both attached to the same PHYSICAL interface -- on the same adapter, coordinated/assigned by hostapd -- I'm not somehow re-opening an insecure 'leak' between wlan0 and my LAN by providing that access to wlan1.
DT
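One way to answer the "will that leak?" question before touching the router is to resolve the posted policy table the way Shorewall does: policies are matched top to bottom and the first line whose SOURCE and DEST columns match the zone pair wins. The script below is an added example, not code from the post or from Shorewall; it implements a deliberately simplified model of the shorewall-policy(5) SOURCE/DEST semantics (a zone name, $FW, "all" for any inter-zone pair, "all+" for intra-zone pairs as well; an intra-zone pair no line matches is treated as ACCEPT, Shorewall's default for simple zones). Only the policy lines quoted in the post are loaded; the existing lan/net lines of the real policy file are not on the page, so pairs those lines would cover come back as NO_POLICY here. The zone names wifi0, wifi1, lan, net and the ordering of the table are taken from the post; everything else is an assumption of the example.

```python
"""Resolve a Shorewall-style policy table by first match (added example).

Simplified model of shorewall-policy(5) SOURCE/DEST matching, assumed here:
  - a literal zone name or $FW matches that zone only;
  - "all"  matches any zone, but only for inter-zone pairs;
  - "all+" matches any zone, intra-zone pairs included;
  - an intra-zone pair with no matching line is ACCEPT (Shorewall default);
  - an inter-zone pair with no matching line is reported as NO_POLICY.
Actions other than the policy word (log level, burst) are not modelled.
"""

from dataclasses import dataclass
from itertools import product

FW = "$FW"


@dataclass(frozen=True)
class Policy:
    source: str
    dest: str
    action: str

    @classmethod
    def parse(cls, line: str) -> "Policy":
        # SOURCE DEST POLICY, whitespace separated, as in /etc/shorewall/policy
        src, dst, action = line.split()[:3]
        return cls(src, dst, action.upper())


def _matches(pattern: str, zone: str, intra: bool) -> bool:
    """Does one SOURCE/DEST column entry match a zone for this pair type?"""
    if pattern == "all+":
        return True
    if pattern == "all":
        return not intra
    return pattern == zone


def resolve(policies, src, dst):
    """Return (action, index of winning line) for the zone pair src -> dst."""
    intra = src == dst
    for idx, p in enumerate(policies):
        if _matches(p.source, src, intra) and _matches(p.dest, dst, intra):
            return p.action, idx
    return ("ACCEPT", None) if intra else ("NO_POLICY", None)


def isolated(policies, a, b):
    """True when neither direction between a and b resolves to ACCEPT."""
    return (resolve(policies, a, b)[0] != "ACCEPT"
            and resolve(policies, b, a)[0] != "ACCEPT")


def matrix(policies, zones):
    """Resolve every ordered zone pair; returns {(src, dst): (action, idx)}."""
    return {(s, d): resolve(policies, s, d) for s, d in product(zones, repeat=2)}


# The step-2 policy table exactly as quoted in the post (the "+" markers
# on the three added lines dropped); lan/net lines are not on the page.
POLICY_LINES = """
net    wifi0  ACCEPT
wifi0  net    ACCEPT
all    wifi0  REJECT
wifi0  all    REJECT
$FW    $FW    ACCEPT
$FW    all+   ACCEPT
wifi1  $FW    ACCEPT
lan    wifi1  ACCEPT
wifi1  lan    ACCEPT
""".strip().splitlines()

POLICIES = [Policy.parse(l) for l in POLICY_LINES]
ZONES = ["net", "lan", "wifi0", "wifi1", FW]

if __name__ == "__main__":
    for (s, d), (action, idx) in sorted(matrix(POLICIES, ZONES).items()):
        src_line = "(default)" if idx is None else POLICY_LINES[idx].strip()
        print(f"{s:>6} -> {d:<6} {action:<10} via: {src_line}")
    print("wifi0/wifi1 isolated:", isolated(POLICIES, "wifi0", "wifi1"))
    print("wifi0/lan   isolated:", isolated(POLICIES, "wifi0", "lan"))
    print("wifi1/lan   isolated:", isolated(POLICIES, "wifi1", "lan"))
```

Running it shows that both wifi1 -> wifi0 and lan -> wifi0 fall through to "all wifi0 REJECT", and wifi0 -> wifi1 and wifi0 -> lan to "wifi0 all REJECT", so the three added lines open lan <-> wifi1 without touching wifi0's isolation; it also shows that "$FW -> wifi0" is caught by "all wifi0 REJECT" before "$FW all+ ACCEPT" is reached, which is the kind of ordering effect worth seeing in a table rather than guessing at. The model is only as good as the lines it is fed: confirm the real result on the router with `shorewall check` and by reading `shorewall show policies` after the change.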