I'm ready to take the wireless plunge. My daughter purchased a wireless laptop and I have a Cisco AP350.

Because of wiring considerations, the best I can do is place the Cisco AP next to a patch panel that only has access to my "LOC" lan. I read the 2-interface documentation and see that Tom's suggestion is for another NIC in the firewall box... Sigh, I can't open walls again, so.. what I have...

big bad internet
  |
  |
shorewall 1 box ===> DMZ (http, https, mail, ftp)
  |
  |
shorewall 2 box ===> Work
  |
  |=== Various "loc"
  |
HUB/Switch (that I can plug the cisco into)
  |
  |
Everything Else "loc"

My current "loc" is 10.10.10.nn. So could I accomplish the same desired result (going into the shorewall 2 box) by giving the 350 AP 10.10.11.nn? But I then don't get to use the maclist option unless I want to define every computer... What am I missing? Suggestions appreciated and desired... And, no, I don't want to supply any neighbors with Internet/LAN access.

With a lot of work, aggravation, and lectures from my wife... I could add another NIC to the shorewall 2 box - but it sure is NOT desirable.

- Bill
Sufficiently Talented Fool
Bill.Light@kp.org wrote:
> I'm ready to take the wireless plunge. My daughter purchased a wireless
> laptop and I have a Cisco AP350.
>
> Because of wiring considerations, the best I can do is place the Cisco AP
> next to a patch panel that only has access to my "LOC" lan. I read the
> 2-interface documentation and see that Tom's suggestion is for another NIC
> in the firewall box... Sigh, I can't open walls again, so.. what I
> have...
>
> big bad internet
>   |
>   |
> shorewall 1 box ===> DMZ (http, https, mail, ftp)
>   |
>   |
> shorewall 2 box ===> Work
>   |
>   |=== Various "loc"
>   |
> HUB/Switch (that I can plug the cisco into)
>   |
>   |
> Everything Else "loc"
>
> My current "loc" is 10.10.10.nn. So could I accomplish the same desired
> result (going into the shorewall 2 box) by giving the 350 AP 10.10.11.nn?
> But I then don't get to use the maclist option unless I want to
> define every computer... What am I missing? Suggestions appreciated and
> desired... And, no, I don't want to supply any neighbors with
> Internet/LAN access.
>
> With a lot of work, aggravation, and lectures from my wife... I could add
> another NIC to the shorewall 2 box - but it sure is NOT desirable.

Does the topology that I use work better for you (http://shorewall.net/myfiles.htm)?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
> Bill.Light@kp.org wrote:
>> I'm ready to take the wireless plunge. My daughter purchased a wireless
>> laptop and I have a Cisco AP350.
>>
>> Because of wiring considerations, the best I can do is place the Cisco AP
>> next to a patch panel that only has access to my "LOC" lan. I read the
>> 2-interface documentation and see that Tom's suggestion is for another NIC
>> in the firewall box... Sigh, I can't open walls again, so.. what I
>> have...
>>
>> big bad internet
>>   |
>>   |
>> shorewall 1 box ===> DMZ (http, https, mail, ftp)
>>   |
>>   |
>> shorewall 2 box ===> Work
>>   |
>>   |=== Various "loc"
>>   |
>> HUB/Switch (that I can plug the cisco into)
>>   |
>>   |
>> Everything Else "loc"
>>
>> My current "loc" is 10.10.10.nn. So could I accomplish the same desired
>> result (going into the shorewall 2 box) by giving the 350 AP 10.10.11.nn?
>> But I then don't get to use the maclist option unless I want to
>> define every computer... What am I missing? Suggestions appreciated and
>> desired... And, no, I don't want to supply any neighbors with
>> Internet/LAN access.
>>
>> With a lot of work, aggravation, and lectures from my wife... I could add
>> another NIC to the shorewall 2 box - but it sure is NOT desirable.
>
> Does the topology that I use work better for you (http://shorewall.net/myfiles.htm)?
>
> -Tom

I like your topo, and I had wished I had followed it when I had the open walls. The problem, if I'm looking at your setup, is the same as the two-NIC example: wookie has 3 NICs, one devoted to the WAP11, and that's the part that will be an aggravation to get working. I was debating something like a 1-to-1 routing from 10.10.10.101 (the Cisco IP address) to accept 10.10.11.nn DHCP tokens? I haven't yet looked at the Cisco configuration - so I'm probably way out in left field.

- Bill
Tom Eastep wrote:
>
> Does the topology that I use work better for you
> (http://shorewall.net/myfiles.htm)?
>

That is to say, do you have another Linux box that you could have do double duty as a bridge?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Bill.Light@kp.org wrote:
>   |
> Everything Else "loc"
>
> My current "loc" is 10.10.10.nn. So could I accomplish the same desired
> result (going into the shorewall 2 box) by giving the 350 AP 10.10.11.nn?
> But I then don't get to use the maclist option unless I want to
> define every computer... What am I missing?

Can't the 350 do its own MAC validation?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Bill.Light@kp.org wrote:
>
> I like your topo, and I had wished I had followed it when I had the open
> walls. The problem, if I'm looking at your setup, is the same as the two
> NIC example: wookie has 3 NICs, one devoted to the WAP11, and that's the
> part that will be an aggravation to get working.

But that isn't a requirement -- any local Linux system that can accommodate another NIC can serve as the bridge. It doesn't have to be your Firewall 2.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Bill.Light@kp.org wrote:> | > Everything Else "loc" > > > My current "loc" is 10.10.10.nn So could I accomplish the samedesired> result (going into the shorewall 2 box) by giving the 350 AP10.10.11.nn> ? But I then don''t get to use the maclist option unless I want to > define every computer...What am I missing ?Can''t the 350 do it''s own MAC validation? -Tom ========================================== According to cisco.com, it looks like under "security/authentication" it says: MAC address and by standard 802.11 authentication mechanisms So it looks like more reading about the 350 may be in order before I proceed. - Bill
> Bill.Light@kp.org wrote:
>>
>> I like your topo, and I had wished I had followed it when I had the open
>> walls. The problem, if I'm looking at your setup, is the same as the two
>> NIC example: wookie has 3 NICs, one devoted to the WAP11, and that's the
>> part that will be an aggravation to get working.
>
> But that isn't a requirement -- any local Linux system that can
> accommodate another NIC can serve as the bridge. It doesn't have to be
> your Firewall 2.
>
> -Tom

==================================

OK - that helps... but the problem... I set up the AP & patch panel on a shelf in a closet, no nearby PCs. So I could add a NIC to one of the PCs at the server "cluster" (using terms very loosely), and move the Cisco out of the closet that I had set up for it... sigh.

BTW - what's the matter with tin-foil in the family room ;--)

de WB6NAC
- Bill
Bill.Light@kp.org wrote:
>
> I like your topo, and I had wished I had followed it when I had the open
> walls. The problem, if I'm looking at your setup, is the same as the two
> NIC example: wookie has 3 NICs, one devoted to the WAP11, and that's the
> part that will be an aggravation to get working. I was debating
> something like a 1-to-1 routing from 10.10.10.101 (the Cisco IP address)
> to accept 10.10.11.nn DHCP tokens? I haven't yet looked at the Cisco
> configuration - so I'm probably way out in left field.
>

While APs have an IP address, they generally behave as a bridge rather than as a router.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
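Editor's note, not part of the original thread: Tom's last point is the crux of Bill's "what am I missing". Because the AP350 bridges rather than routes, a wireless client plugged into the loc hub through it sits in the same broadcast domain as every wired 10.10.10.x machine, and nothing stops it from simply configuring a 10.10.10.x address of its own; a 10.10.11.x numbering on the AP gives no separation the firewall can enforce. The separation has to come from a dedicated NIC (or bridge) that Shorewall can treat as its own zone. The following configuration fragments are an added example of what that looks like; they are not from the thread or from the Shorewall project's own files. The interface names, the zone name "wifi", the 10.10.11.0/24 subnet and the MAC/IP pairs are assumptions constructed for the example, and the column layouts follow the Shorewall 1.3-era zones/interfaces/policy/maclist files, so they should be checked against the version actually installed.

```text
# /etc/shorewall/zones   (added example; "wifi" is an assumed zone name)
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
loc     Local           Wired local network (10.10.10.0/24)
wifi    Wireless        Cisco AP350 on its own NIC (10.10.11.0/24, assumed)

# /etc/shorewall/interfaces   (eth0/eth1/eth2 are assumed names)
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          norfc1918,routefilter
loc     eth1            detect
wifi    eth2            detect          dhcp,maclist

# /etc/shorewall/policy   -- wireless clients may reach the Internet only
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
wifi    net     ACCEPT
wifi    loc     DROP    info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/maclist   -- only these cards are accepted on eth2
# (MAC addresses and IPs below are constructed for the example)
#INTERFACE      MAC                     IP ADDRESSES (Optional)
eth2            00:11:22:33:44:55       10.10.11.10
eth2            00:11:22:33:44:66       10.10.11.11

# /etc/shorewall/shorewall.conf   -- what happens to any other MAC on eth2
MACLIST_DISPOSITION=DROP
MACLIST_LOG_LEVEL=info
```

Two practical caveats. First, the maclist file only has to enumerate the wireless cards on eth2, not "every computer" on loc, which is the objection Bill raised; with the AP on its own interface the wired machines never pass through that check. Second, MAC filtering, whether done by Shorewall's maclist or by the AP350's own MAC authentication, only deters casual association: a client's MAC address is trivially changed to one seen on the air, so it should be treated as a hygiene control on top of the link-layer encryption and authentication the AP supports, not as the access control itself. The "wifi loc DROP" policy is what actually keeps an unwanted neighbour off the wired LAN.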