[MLB-WIRELESS] IP Tables.
David Ashburner
d_ashburner at hotmail.com
Wed Apr 6 14:12:11 EST 2005
>Ok,
>
>So I need to setup my p2-333 with SHOREWALL maybe ?
You could do it that way. Here's another:
Instead of bringing everything into a single routing box continue to treat
both your external interfaces as separate connections.
1. Your Internet connection is already firewalled and doing everything you
need it to do through the Netgear DG814 aDSL Modem/Router.
2. Separate the MW part of your node from your private stuff. It sounds like
you have set up a private LAN with a couple of segments - routed via
wireless. If you want to make the wireless part "public" then think about
having a router/firewall between the (local) part of your private LAN and
the wireless stuff (becomes a public segment with multiple wireless
interfaces)
3. Use your WRT54G to connect between your private segment and the new
wireless public segment. Set up the firewall on the WRT to protect your
private stuff in the same way as you set up the firewall on the DSL side -
block all incoming except those services you want to forward to specific
servers.
4. Use Melb Wireless IP addresses for all the inter node set-up. To extend
your private network between your nodes you now need to traverse the public
space, use some VPN type software or set up encrypted tunnels through the
public space (I use ssh tunnels like this across the internet between Melb,
San Francisco and Austin).
--- sidebar ---
My node is set up this way -
http://www.melbournewireless.org.au/wiki/?NodeHYA
I'm not as advanced as you are with connections or extending the private
segment across the public space but I don't see why it wouldn't work.
You will notice that I have a physical public segment outside the firewall,
it's effectively a dmz zone where I can put servers if I want/need to
rather than contacting them using port forwarding. I have my second WRT
connected to my private segment via the WAN port.
--- end sidebar ---
or - do something simpler ....
OK - so that's the physical connection side. Next you need to think about
your routes.
In your private space you need to be able to resolve 3 address groups,
parts of your private space, the Internet and Melb wireless. Your default
route will probably stay being the DSL router. The VPN endpoints will pick
up the routes for the remote parts of your private space and you set the WRT
to be the default route for any 10.10.0.0 traffic.
In your public space (the MW side) you will need to set up routing to get
traffic to the right adjacent nodes. That's where the RIP / OSPF type
configuration comes into it, or if you are configuring the Node that is on
the edge of your control BGP.
Sorry, too much Alphabet soup.
Bring this up at the meeting on Friday when you get there, it's a great
discussion topic. Perhaps we could collectively white board a couple of
solutions and use the combined wisdom to come up with the simplest / most
effective.
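The firewall policy described in step 3 of the post (block everything arriving from the public wireless segment except the services forwarded to specific private servers), written out as an added example that is not part of the original mail. Interface names, the private range 192.168.1.0/24 and the forwarded services are assumptions chosen for illustration; only the 10.10.0.0 Melb Wireless range comes from the post. The script has a preview mode that prints the iptables commands instead of running them, so the ruleset can be reviewed before it is loaded on a WRT-class router.

```shell
#!/bin/sh
# Added example, not the original poster's configuration. Router sits between a
# private LAN (on the WAN port) and the public Melb Wireless segment (wireless side).
PRIV_IF="${PRIV_IF:-vlan1}"            # assumption: WAN port faces the private segment
PUB_IF="${PUB_IF:-eth1}"               # assumption: wireless side is the public MW segment
PRIV_NET="${PRIV_NET:-192.168.1.0/24}" # constructed private range
MW_NET="${MW_NET:-10.10.0.0/16}"       # MW range named in the post (mask assumed)
# Services reachable from the public side, as proto:port:private-server (constructed).
FORWARDS="${FORWARDS:-tcp:80:192.168.1.10 tcp:22:192.168.1.20}"

# Run iptables, or only print the command when DRY_RUN=1 so the ruleset can be reviewed.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_firewall() {
    # Start from a clean table set with default-deny on INPUT and FORWARD.
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Private side may manage the router and reach the public MW segment freely;
    # private addresses are hidden behind the router's MW address on the way out.
    ipt -A INPUT -i "$PRIV_IF" -s "$PRIV_NET" -j ACCEPT
    ipt -A FORWARD -i "$PRIV_IF" -o "$PUB_IF" -s "$PRIV_NET" -d "$MW_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$PUB_IF" -s "$PRIV_NET" -j MASQUERADE

    # Public side: only the explicitly listed services, each DNATed to one server.
    for f in $FORWARDS; do
        proto=${f%%:*}; rest=${f#*:}; port=${rest%%:*}; dest=${rest#*:}
        ipt -t nat -A PREROUTING -i "$PUB_IF" -p "$proto" --dport "$port" \
            -j DNAT --to-destination "$dest"
        ipt -A FORWARD -i "$PUB_IF" -o "$PRIV_IF" -p "$proto" -d "$dest" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done

    # Everything else from the public side is logged, then dropped by policy.
    ipt -A INPUT -i "$PUB_IF" -j LOG --log-prefix "mw-drop-in: "
    ipt -A FORWARD -i "$PUB_IF" -j LOG --log-prefix "mw-drop-fwd: "
}

# Usage: "sh firewall.sh preview" prints the rules; "sh firewall.sh apply" loads them.
case "${1:-}" in
    preview) DRY_RUN=1 build_firewall ;;
    apply)   build_firewall ;;
esac
```

On the private hosts, the matching routing change from step 4 is a single static route for the 10.10.0.0 range pointing at the router's private-side address, with the DSL router left as the default route; the VPN endpoints then carry the routes for the remote private segments.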