Thanks...
>Does anyone know of a model of access point that can be configured to allow
>connections only to a particular address or subnet?
If by access point you mean a wireless access point, no: they function as
simple Ethernet bridges. Sounds like you want the WAP connected to a
firewall which can implement your access restrictions.
Well, the wireless access point will always be open for anyone to
connect to, but right on the other side of that, if you were to say, put
a cisco router, and then set up a custom access list...
I don't know of a consumer-level router that has something like an
access list.
Correct, but you can program Linksys APs to restrict access to pre-selected
MAC addresses. I think this capability is in other APs also. Not nearly so
handy as IP or subnet restrictions, but it's there.
Bill
>
>Does anyone know of a model of access point that can be configured to allow
>connections only to a particular address or subnet?
Questions:
1. Do you mean "access point" as in wireless bridge, or do you
include wireless routers? Bridges do not know anything about IP
addresses while routers know all about IP addresses.
2. What are you trying to accomplish? Block by access to the
wireless bridge/router, or block access to the internet from the LAN
port?
Each manufacturer seems to have their own idea of what constitutes
"filtering". For example, my home router for this week is a Linksys
BEFW11S4v3 (firmware 1.50.14) which can do:
-Block access from the LAN to the internet by MAC or
IP and for specific IP port numbers.
-Restrict access from wireless users by MAC address only.
(50 addresses max)
Most (cheap) wireless routers that I've seen will do these. Again,
the wireless port is a bridge, which knows nothing of IP addresses
and can only filter by MAC address. The router part knows all about
IP addresses and can filter by IP or MAC.
None of the cheap wireless routers can throttle instead of filtering.
However, the various WRT54G(S) series of bridges and routers run
Linux, and can have their firmware replaced by an open source version.
http://www.seattlewireless.net/index.cgi/LinksysWrt54g
http://www.sveasoft.com/modules/phpBB2/index.php
Adding Snort (intrusion detection) to the router allows one to
throttle by port number which is handy for dealing with obnoxious
users in an internet coffee shop environment.
I can recommend specific routers or bridges after you disclose what
you are trying to accomplish.
--
Jeff Liebermann je...@comix.santa-cruz.ca.us
150 Felker St #D 831-336-2558
Santa Cruz CA 95060 AE6KS
From the responses I think there is some confusion (or maybe it's just me)
as to whether you mean connections through the AP to a particular
destination address or subnet, or if you are trying to prevent access to the
AP. I'm going to guess the prior, because all my Cisco APs work as bridges
and hand out IP addresses from my DHCP servers. Recently I've set up Linksys
router/APs, and this may be what you're driving at: the Linksys can block
specific sites, but it cannot block all sites and allow access to only the
ones you want. There must be some higher-end APs with real firewalls (i.e.
with "explicit deny" type access lists), but I never really looked.
> Correct, but you can program Linksys APs to restrict access to
> pre-selected MAC addresses. I think this capability is in other
> APs also.
yep
> Not nearly so handy as IP or subnet restrictions, but it's
> there.
Um... dumb question but aren't IP addresses assigned to the
clients through the AP in the first place? What would it mean
for the AP to be restricting based on IP?
Steve
On the wired side, I mean. "Destination" addresses.
I think the best approach to this would be to put the access point(s) on a
dedicated subnet off the firewall which implemented the restriction. If
the firewall is a Unix-type system, add an Ethernet card, configure it as
a different private subnet, and set up the routing rules appropriately in
whatever firewall package you use (iptables in Linux 2.4, or natd in BSD,
or whatever).
This kind of thing is often done to force WiFi users to use VPN to connect
to other resources.
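One concrete form of the iptables setup described above, as an added example that is not part of the thread: the access point is bridged onto its own NIC and subnet on a Linux firewall, and wireless clients are allowed to reach only a single destination subnet (the original question). The interface name and all addresses are assumptions; the script prints the rules so they can be reviewed before loading.

```shell
#!/bin/sh
# Added example, not from the thread. Interface and subnets are assumptions.
WIFI_IF="${WIFI_IF:-eth2}"                   # NIC the AP is plugged into (assumed)
WIFI_NET="${WIFI_NET:-192.168.50.0/24}"       # dedicated wireless subnet (assumed)
ALLOWED_DEST="${ALLOWED_DEST:-10.0.1.0/24}"   # only subnet wireless clients may reach (assumed)

# Emit the rules rather than applying them; run the output as root to load them.
wifi_rules() {
    cat <<EOF
iptables -N WIFI_FWD
iptables -N WIFI_IN
iptables -A FORWARD -i $WIFI_IF -j WIFI_FWD
iptables -A INPUT -i $WIFI_IF -j WIFI_IN
# The AP is a bridge, so the firewall itself serves DHCP to wireless clients.
# DHCP discovers come from 0.0.0.0, so this must precede the anti-spoof rule.
iptables -A WIFI_IN -p udp --dport 67 -j ACCEPT
# Anything from the AP side with a source outside the wireless subnet is spoofed
iptables -A WIFI_FWD ! -s $WIFI_NET -j DROP
iptables -A WIFI_IN ! -s $WIFI_NET -j DROP
# Wireless clients may only open connections to the allowed subnet
iptables -A WIFI_FWD -d $ALLOWED_DEST -j ACCEPT
# Replies to connections that were already accepted
iptables -A FORWARD -o $WIFI_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DNS served by the firewall to wireless clients
iptables -A WIFI_IN -p udp --dport 53 -j ACCEPT
iptables -A WIFI_IN -p tcp --dport 53 -j ACCEPT
# Log (rate-limited), then deny, everything else from the wireless side.
# Note: this only filters traffic that reaches the firewall; it does nothing
# to stop a client from associating with the AP itself.
iptables -A WIFI_FWD -m limit --limit 5/min -j LOG --log-prefix "WIFI-DENY: "
iptables -A WIFI_FWD -j DROP
iptables -A WIFI_IN -j DROP
EOF
}

wifi_rules
```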
>I think the best approach to this would be to put the access point(s) on a
>dedicated subnet off the firewall which implemented the restriction.
Think again. That will restrict access from the Wireless to the LAN,
network, WAN, ISP, or whatever. However, it will not prevent the
local gamers from turning your access point into their private packet
repeater and hogging all its airtime and bandwidth. (No, I won't
explain how to do this). To prevent this, you gotta block by MAC
address, WEP, WPA, or whatever, to prevent a wireless user from
"associating" with the access point.
>If
>the firewall is a unix type system, add an ethernet card, configure it as
>a different private subnet, and setup the routing rules appropriately in
>whatever firewall package you use (iptables in linux2.4, or natd in bsd,
>or whatever).
Meanwhile, the barbarians are pounding on the wireless gate. They're
not getting into the LAN or WAN, but they sure can do a bunch of
damage on the wireless side.
>this kind of thing is often done to force Wifi users to use VPN to connect
>to other resources.
You can use the force, but the dark side usually comes back in the
sequel.
--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice http://www.LearnByDestroying.com
# je...@comix.santa-cruz.ca.us
# 831.421.6491 digital_pager je...@cruzio.com AE6KS
Nope. An AP is a bridge, and therefore "dumb". It does not hand out IP
addresses; technically that is the job of a DHCP server. In most cases
that software is incorporated into the software of a router, though it
does not have to be; before the age of good routers, that was the job of
dedicated computers.
>Steve Pope wrote:
>> Bill Beeman <bbe...@beemangroup.com> wrote:
>>
>>>Correct, but you can program Linksys APs to restrict access to
>>>pre-selected MAC addresses. I think this capability is in other
>>>APs also.
>>
>> yep
>>
>>>Not nearly so handy as IP or subnet restrictions, but it's
>>>there.
>>
>> Um... dumb question but aren't IP addresses assigned to the
>> clients through the AP in the first place? What would it mean
>> for the AP to be restricting based on IP?
>>
>> Steve
>
>Nope. An AP is a bridge, and therefore "dumb". It does not hand out IP
>addresses, technically that is the job of a DHCP server,
... which is built into many access points, no?
>>Nope. An AP is a bridge, and therefore "dumb". It does not hand out IP
>>addresses, technically that is the job of a DHCP server,
>
> ... which is built into many access points, no?
No. DHCP servers are built into consumer ROUTERS, which are really NAT
firewalls. WAPs are by definition a bridge, and have no such thing.
Since most consumers today tend to buy devices which are WAP/
router/NAT-box combinations (in particular because such devices
are not only no longer more expensive than plain WAPs, but often
cheaper), I think that the term "WAP" is often mistakenly associated
with such devices.
--
* Few people are capable of expressing with equanimity opinions which *
* differ from the prejudices of their social environment. Most people are *
* even incapable of forming such opinions. -- Albert Einstein *
* *
* To send email, remove numbers and spaces: pjkusenet64 @ ekahuna27 . com *
* Simple answers are for simple minds. Try a new way of looking at things. *
Ahh, thanks. I should pay more attention to details.