[MLB-WIRELESS] Routing help.

Darren Fulton darren.fulton at team.telstra.com
Tue May 11 10:25:25 EST 2004


Simon Hall wrote:
> How about IPCOP? I have heard good raps about it. www.ipcop.org  It has some
> good docco for getting started too.
> 

The latest ipcop 1.4 beta has nice support for ipsec vpns over the 
wireless interface. I've been using it with my AP instead of turning on WEP.

Darren
> Simon Hall
> 
> -----Original Message-----
> From: owner-melbwireless at wireless.org.au
> [mailto:owner-melbwireless at wireless.org.au] On Behalf Of Dan Flett
> Sent: Tuesday, 11 May 2004 12:20 AM
> To: vk3jma at net2000.com.au; 'Melbourne Wireless'
> Subject: RE: [MLB-WIRELESS] Routing help.
> 
> 
> Hi Mark,
> 
> Sounds like you may not even have to worry too much about routing.  If your
> wireless box has only one wireless interface you can put in a static route
> to point at whomever your link partner is and leave it at that.  Hopefully
> they are running Quagga/OSPF to further distribute the wireless traffic.
> 
> You can use 'route' or 'ip' to add static routes.  I'm more familiar with
> 'ip' - it has lots of shortcuts in its command line - you can type 'r'
> instead of 'route', 'a' instead of 'add' and so on.
> 
> To put in a static route to your link partner for wireless traffic I'd do
> something like
> 
> 'ip r a 10.10.0.0/16 via <link partner's ip addy> dev <wireless NIC>'
> 
> then type 'ip r' to see the routing table.
> 
> I prefer putting in a route like this for all Melbourne wireless traffic
> instead of a default route because your box won't send any traffic intended
> for the internet or your LAN out the wireless interface.  I have no formal
> training in this, but two default routes in the one box seems to cause
> problems for me.
> 
> A firewall is definitely a good idea on your wireless box.  I use Shorewall
> on mine.  But there's a few iptables-based firewalls out there.  Shorewall
> has a feature called 'masquerading' which is basically NAT.  It does a good
> job of making all your devices on your LAN appear on the wireless network to
> have come from your one wireless IP.  We don't wanna see no steenkin'
> 192.168.x.x addys on the wireless network!
> :)
> 
> Shorewall (and other firewalls) allow you to put your network interfaces in
> "zones" and you can apply different port-blocking or port-allowing rules to
> each of them.  It basically acts as a traffic cop - you can allow or
> disallow any traffic on any port in any direction.  Usually you'd have a
> 'wireless' zone, a 'local' zone for your LAN, a 'firewall' zone for the
> router box itself and sometimes a 'DMZ' zone for things like webservers,
> gameservers (if they are on separate boxes) etc which are more open to the
> wide-area-network than you'd want your LAN to be.
> 
> If you do have two wireless interfaces in your box - say one for a
> directional link and one for an AP, you can put them both in the one zone,
> or put them in separate zones if you want to block ports from one to the
> other.  My philosophy is it's a free network and people can send whatever
> traffic they want via my box, so I put them both in the one zone and set a
> default policy of allowing all traffic between them.
> 
> But if you have two wireless interfaces in your box you'll definitely want
> to install Quagga with the OSPF dynamic routing daemon.  It's not too
> difficult, and there's many examples of the setup files in the Melb.
> Wireless Wiki.
> 
> Hope this helps...
> 
> Dan
> 
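
An added example, not part of the original thread: a small check that reads `ip r` output and confirms the layout the quoted message recommends, where only 10.10.0.0/16 leaves via the wireless NIC and no default route points at it. It also flags more than one default route, the situation the post reports trouble with. The interface names, gateway addresses and both sample tables are constructed for illustration.

```bash
#!/bin/sh
# Added example: audit `ip route` output against the layout described above.
# wlan0/eth0, the gateway addresses and both sample tables are constructed.

# audit_routes <wireless-if> <mesh-prefix>   (routing table text on stdin)
# Returns 0 when only the mesh prefix leaves via the wireless interface.
audit_routes() {
    awk -v wif="$1" -v mesh="$2" '
        function dev_of(   i) {            # interface named after "dev"
            for (i = 1; i < NF; i++) if ($i == "dev") return $(i + 1)
            return ""
        }
        $1 == "default" {
            ndefault++
            if (dev_of() == wif) { print "FAIL: default route leaves via " wif; bad = 1 }
        }
        $1 == mesh {
            if (dev_of() == wif) seen = 1
            else { print "FAIL: " mesh " routed via " dev_of() ", not " wif; bad = 1 }
        }
        END {
            if (ndefault > 1) { print "FAIL: " ndefault " default routes"; bad = 1 }
            if (!seen) { print "FAIL: no " mesh " route on " wif; bad = 1 }
            if (!bad) print "OK: only " mesh " uses " wif
            exit bad + 0
        }'
}

# Constructed sample: table after adding the static route from the post.
GOOD_TABLE='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
10.10.0.0/16 via 10.10.1.1 dev wlan0'

# Constructed sample: a second default route out the wireless NIC instead.
BAD_TABLE='default via 192.168.1.1 dev eth0
default via 10.10.1.1 dev wlan0 metric 10
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10'

# On a live box: ip r | audit_routes wlan0 10.10.0.0/16
printf '%s\n' "$GOOD_TABLE" | audit_routes wlan0 10.10.0.0/16
printf '%s\n' "$BAD_TABLE"  | audit_routes wlan0 10.10.0.0/16 || echo "table needs fixing"
```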
