C. L. Martinez
2015-Sep-24 13:52 UTC
[CentOS-virt] OT: adding a wifi adapter to openvswitch
On Thu, Sep 24, 2015 at 2:08 PM, Dmitry E. Mikhailov <d.mikhailov at infocommunications.ru> wrote:
> On 09/24/2015 04:47 PM, Alvin Starr wrote:
>>
>> Actually I do a similar thing.
>
> Do you?
>
>> I use a VM as my home/office firewall.
>
> If your laptop/server/smth is permanently wired to the internet, there's no
> problem to bridge this interface to the VM.
>
> But the topic starter wants to connect to the cable or wifi and still have a
> firewall VM. WiFi client connection with WPA(2) PSK encryption does allow
> only the station's MAC in the air.
>
> Thus topic starter needs some hotplug event scripting, wpa_supplicant being
> started manually, fancy ebtables rules to make it work, some way to notify
> the fw VM that network config changed so it would rerun dhclient. Yea, and
> he should have some GUI/TUI to have it managed. No NetworkManager GUI here.
>
>>
>> It works quite well and I would argue it is as secure as your standard
>> firewall based on something like openWRT running on dedicated hardware.
>
> As aforementioned, it's a bit complicated setup. And if you're thinking
> security-wise, imagine you need T#r or some fancy VPN to get your job done
> AND due to some minuscule scripting glitch a SINGLE packet would fly out of
> your real IP address - you're busted.
>
> To be self-assured during such an intimate workout, you'd want to have a
> physical cable to the physical router that's performing the encryption job.
> No VPN/T#r/smth - no juice. Simple, bulletproof.
>
>> I also run a wireless AP in bridged mode to allow local network access
>> on an appliance.
>
> Do you connect to the AP wirelessly as the client to have a firewall VM
> running over that WiFi?
>
> Or have you connected the AP via cable to the server/router with fw VM to
> provide connectivity to other clients?
>
>> There should be no reason that you could not put both on the same
>> physical hardware.
>
> You could. But it's hard to use in everyday life of typical usage. If the
> user is a sysadm/hacker who doesn't mind issuing several commands from the
> console upon every successful wifi/wired connection - then welcome!
>
>> As for the openvswitch original question.
>> Openvswitch has an API that you can access to manage your traffic along
>> with supporting Openflow.
>> If you can get events from your wireless interface then you could write
>> some programs to connect to the switch API.
>
> I do want to see a neat solution please. Maybe I'm just too lazy.
>

Thank you both for your help, I have done another test. I have set up another laptop with Windows 2012 R2 Hyper-V and I have bridged the wireless interface and assigned this bridge to a VM guest, and voila!! works without problem. Using some PowerShell scripts, I can change between SSIDs without problems. Easy, really easy. And I don't need to use WDS features.

I don't understand why it doesn't work with CentOS using the same approach. I am trying using brctl commands, but it doesn't work either because wlan0 can't authenticate with the AP ...
I know people used Parprouted to help with bridging wired with wireless. Have a look at it.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "C. L. Martinez" <carlopmart at gmail.com>
> To: "Discussion about the virtualization on CentOS" <centos-virt at centos.org>
> Sent: Thursday, 24 September, 2015 14:52:56
> Subject: Re: [CentOS-virt] OT: adding a wifi adapter to openvswitch
Dmitry E. Mikhailov
2015-Sep-24 15:31 UTC
[CentOS-virt] OT: adding a wifi adapter to openvswitch
On 09/24/2015 08:22 PM, Nux! wrote:
> I know people used Parprouted to help with bridging wired with wireless. Have a look at it.

Somebody already automated the ARP mangling. Brilliant. I wonder if there's a way to run a script upon every NetworkManager connection event.

Topic starter wrote me that he bridged wired and wireless on Windows Server 2012 and it works for Hyper-V VM OOTB. Still hoping to get the ARP table I asked to confirm.
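As an added example (not code from the thread or from any of its participants), here is the kind of NetworkManager dispatcher hook Dmitry asks about: NetworkManager calls each script in /etc/NetworkManager/dispatcher.d with the interface name and the action, and this one starts or stops parprouted (Nux's suggestion) between the Wi-Fi uplink and the firewall VM's bridge. wlan0 comes from the thread; the bridge name br-fw, the script path and the exact command set are assumptions, and br-fw is assumed to be addressed already.

```shell
#!/bin/sh
# Hypothetical /etc/NetworkManager/dispatcher.d/50-fwvm-wifi (added example).
# NetworkManager runs every script here as: <script> <interface> <action>,
# with actions such as up, down, pre-down, dhcp4-change, vpn-up.
# Assumptions: Wi-Fi client is wlan0 (from the thread), the firewall VM sits
# behind the Linux bridge br-fw (made-up name), parprouted is installed.

WIFI_IF="${WIFI_IF:-wlan0}"
VM_BR="${VM_BR:-br-fw}"

# Map an (interface, action) pair to one word: start, stop or ignore.
# Only the Wi-Fi uplink's own events count, so br-fw or eth0 coming up
# never launches a second proxy.
plan_action() {
    [ "$1" = "$WIFI_IF" ] || { echo ignore; return 0; }
    case "$2" in
        up|dhcp4-change) echo start ;;   # associated, or lease/address changed
        down|pre-down)   echo stop ;;
        *)               echo ignore ;;
    esac
}

# Emit the privileged commands for a plan, one per line, so they can be
# inspected (or tested) without root; the caller executes them.
proxy_commands() {
    case "$1" in
        start)
            # Restart the ARP proxy so a stale instance never survives a
            # re-association; forwarding and proxy_arp are needed by parprouted.
            printf '%s\n' \
                "pkill -x parprouted || true" \
                "sysctl -q -w net.ipv4.ip_forward=1" \
                "sysctl -q -w net.ipv4.conf.$WIFI_IF.proxy_arp=1" \
                "parprouted $WIFI_IF $VM_BR"
            ;;
        stop)
            # Uplink gone: stop relaying ARP between the two interfaces.
            printf '%s\n' "pkill -x parprouted || true"
            ;;
    esac
}

# Entry point when NetworkManager calls us; nothing runs when sourced or
# invoked without arguments. DRY_RUN=1 logs the commands instead of running them.
if [ "$#" -eq 2 ]; then
    plan=$(plan_action "$1" "$2")
    [ "$plan" = ignore ] && exit 0
    proxy_commands "$plan" | while IFS= read -r cmd; do
        logger -t fwvm-wifi "$2 on $1: $cmd"
        [ -n "${DRY_RUN:-}" ] || sh -c "$cmd"
    done
fi
```

Run it by hand as `DRY_RUN=1 sh 50-fwvm-wifi wlan0 up` to see what would be executed for a given event before installing it.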