IPSEC wireless router ?

Archived from groups: comp.sys.ibm.pc.hardware.chips (More info?)

I am looking for something secure:
hardware wireless router:

- one Ethernet port dedicated to the provider (DHCP and PPPoE capable)
- one LAN port which would be linked to some switch
- wireless repeater

BUT but BUT: I want the wireless interface NOT TO BE BRIDGED to the LAN Ethernet, but
rather require any client to use IPSEC tunneling.

That's for home use; I am too lame to set up a Linux box, because I don't feel like
setting up an IPSEC server, and had too much bad XP with IDE disks on home-made
routers (usually crash after 2 or 3 years 24/24).

I hope such a device should be available between 150 and 300 e

Maybe there are some tutorials to convert some Linksys WRT this way ?
or some Dlink with such native support ?

--
DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
\_o< If computing were an exact science, IT engineers would not have work >o_/
  1. Archived from groups: comp.sys.ibm.pc.hardware.chips (More info?)

    On Sat, 24 Sep 2005 15:33:55 +0200, DEMAINE Benoit-Pierre
    <nntp_pipex@demaine.info> wrote:

    >I am looking for something secure:
    >hardware wireless router:
    >
    >- one Ethernet port dedicated to the provider (DHCP and PPPoE capable)
    >- one LAN port which would be linked to some switch
    >- wireless repeater
    >
    >BUT but BUT: I want the wireless interface NOT TO BE BRIDGED to the LAN Ethernet,

    Not possible. 802.11 wireless is bridging by definition. No routing,
    IP addresses, or services (such as IPSec) involved. There's no other
    way to connect between wireless and wired devices other than bridging.

    Now, you could isolate the wired and wireless part with a router, VPN,
    or filters, but that requires layer 3 services in addition to
    bridging.

    >but
    >rather require any client to use IPSEC tunneling.

    Overkill. You have WPA encryption for the wireless. On top of that,
    you want to add VPN encryption. You don't really need both. WPA is
    enough.

    >That's for home use; I am too lame to set up a Linux box, because I don't feel like
    >setting up an IPSEC server, and had too much bad XP with IDE disks on home-made
    >routers (usually crash after 2 or 3 years 24/24).

    The bigger they are, the harder they crash. How about this
    alternative? Use an access point, not a wireless router, for the
    wireless part of the puzzle. Use WPA encryption. Use a separate
    IPSec VPN router to terminate the tunnel. Netgear seems to have a
    good selection:
    | http://www.netgear.com/products/business/prod_vpnrouter_wired_security_sb.php
    There are lots of other wired VPN routers to choose from at around
    $100US. If you want your VPN termination, it's in the box. This will
    also allow you to be rather creative in locating the wireless access
    point and allow easy upgrades to the latest 802.11 acronyms.

    There are products that sorta do what you want:
    | http://www.netgear.com/products/details/FWAG114.php
    | http://www.sonicwall.com/products/tz170SP_wireless.html
    I don't think you'll like the prices.

    >I hope such a device should be available between 150 and 300 e
    >
    >Maybe there are some tutorials to convert some Linksys WRT this way ?
    >or some Dlink with such native support ?

    Yes. The WRT54G can handle alternative firmware with VPN termination
    features. Sveasoft Alchemy includes PPTP VPN services, which is handy
    for Windoze clients as it comes with the operating system. IPSec is
    available in various custom builds. I'm too lazy to find these. Bug
    me if you need URLs.


    --
    Jeff Liebermann jeffl@comix.santa-cruz.ca.us
    150 Felker St #D http://www.LearnByDestroying.com
    Santa Cruz CA 95060 http://802.11junk.com
    Skype: JeffLiebermann AE6KS 831-336-2558
  2. Archived from groups: comp.sys.ibm.pc.hardware.chips (More info?)

    > I am looking for something secure:
    > hardware wireless router:

    I know where you're going with that but why? You can use WPA on a
    WRT54G as long as your clients support it and given a strong password,
    that's going to suit pretty much all home users.

    IPSec has limitations too; how were you planning on authenticating?
    Which EAP type were you going to use? EAP-MD5, for example, is easily
    dictionary-crackable.

    David.
  3. Archived from groups: comp.sys.ibm.pc.hardware.chips (More info?)

    DEMAINE Benoit-Pierre <nntp_pipex@demaine.info> wrote in
    news:43353ab0$0$24372$626a14ce@news.free.fr:

    > I am looking for something secure:
    > hardware wireless router:
    >
    > - one Ethernet port dedicated to the provider (DHCP and PPPoE capable)
    > - one LAN port which would be linked to some switch
    > - wireless repeater
    >
    > BUT but BUT: I want the wireless interface NOT TO BE BRIDGED to the LAN
    > Ethernet, but rather require any client to use IPSEC tunneling.
    >
    > That's for home use; I am too lame to set up a Linux box, because I don't
    > feel like setting up an IPSEC server, and had too much bad XP with
    > IDE disks on home-made routers (usually crash after 2 or 3 years
    > 24/24).
    >
    > I hope such a device should be available between 150 and 300 e
    >
    > Maybe there are some tutorials to convert some Linksys WRT this way ?
    > or some Dlink with such native support ?
    >

    I don't think you can do what you want. You can use an IPSEC tunnel
    between computers through the O/S such as Win 2K, XP, etc., and that's a
    VPN solution software to software; you can have a software VPN client on
    a client machine with server software VPN implemented on a device such as
    a firewall appliance or a er such as a Watchguard or others that fall
    into that category such as Sonicwall, Cisco and others; software client to
    server host VPN solutions such as AT&T Extranet; or you can have a hardware
    to hardware VPN solution, router to router.

    http://www.homenethelp.com/vpn/

    But some kind of VPN solution between the wireless gateway device, such
    as a NAT router, and your wireless machines on the LAN is questionable.
    Maybe a VPN solution with a wireless Watchguard FW appliance or others
    and its client VPN software solution on the machines may work to protect
    a wireless LAN situation between the gateway device and the clients; I
    don't know.

    You can check out the WG X5 series; I think that's around $300, but the VPN
    on the client machines costs extra, and you can check out others too.

    Duane :)
  4. Archived from groups: comp.sys.ibm.pc.hardware.chips (More info?)

    I just want you to know that I am sitting out here in an Extended Stay inn
    using a dial-up direct connection to the Internet. Before implementing
    AnalogX's IPsec SecPol rules for configuring IPsec to act in a firewall-like
    manner, BlackIce was sounding off and blocking unsolicited inbound
    traffic. I have not been on a dial-up connection with a machine in several
    years and was surprised at the number of probes, scans and attacks being run
    against the machine, such as MS SQL Server, RPC, *NetBIOS*, etc., which BI was
    blocking and logging, and alerting on things such as O/S fingerprinting. And
    I have some vulnerable applications running, such as IIS and SQL Server.

    However, since implementing IPsec on the XP Pro machine and activating
    AnalogX's SecPol rules, making adjustments in the rules like allowing
    SMTP on TCP port 587, because EarthLink uses port 587 and not 25, and
    configuring AnalogX's rules to block all the Windows Networking ports and
    other ports IPsec protects by default such as TCP 135, only allowing traffic
    in a LAN situation, BlackIce has not logged anything in the logs, barked,
    whined, or alerted, with IPsec supplementing BI.

    I was using BI and IPsec to supplement the no-FW Linksys NAT router I was
    using. But until now, I was not aware of how powerful a solution IPsec is
    and its ability to be used in a FW-like manner to stop inbound or outbound
    traffic by port, protocol or IP, and nothing is coming past it, *NOTHING*
    which would make BlackIce react.

    I am very impressed with IPsec and its ability to supplement in a FW-like
    manner. <g>

    http://www.petri.co.il/block_ping_traffic_with_ipsec.htm
    http://www.analogx.com/contents/articles/ipsec.htm
    http://support.microsoft.com/kb/813878

    But just keep in mind I am not a guru like you are, and therefore, you can
    kiss my *ASS* about IPsec and anything else for that matter with your
    *tongue* hanging out. <vbg>
  5. Archived from groups: comp.sys.ibm.pc.hardware.chips (More info?)

    > using. But until now, I was not aware of how powerful a solution IPsec is
    > and its ability to be used in a FW-like manner to stop inbound or outbound
    > traffic by port, protocol or IP, and nothing is coming past it, *NOTHING*
    > which would make BlackIce react.

    It's not new Duane. All you're doing is blocking traffic by port. I'm
    surprised that it's new to you.

    The main advantage of IPSec is the Sec part, i.e. security. Simply
    creating filters and a filter action like you are doing is the very very
    simplest start. What the original poster wanted was security which to
    do properly requires a PKI implementation. Then you get mutual
    authentication and encryption, none of which you have right now.

    > I am very impressed with IPsec and its ability to supplement in a FW-like
    > manner. <g>

    Been doing that for ages; it's not new, but it does have value. It's
    just not the friendliest interface for noddies to configure, and it
    doesn't provide any stateful inspection or application inspection, but
    yes, if all you want to do is set up block/allow filters, it's fine.

    > But just keep in mind I am not a guru like you are, and therefore, you can
    > kiss my *ASS* about IPsec and anything else for that matter with your
    > *tongue* hanging out. <vbg>

    No need but keep reading, you'll learn as you go along. It fascinates
    me why you post what you do sometimes.

    Just remember, IPSec is an IP only solution, if you have NWLink or
    NetBEUI installed and bound, you might just as well hand your PC over to
    Mr Hacker.

    David.
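    Added here as an illustration, not code from either poster: a small Python model of the two things this exchange describes, IPsec filter lists used as a stateless port filter (the AnalogX-style policy Duane set up, blocking the Windows networking ports and permitting SMTP submission on TCP 587) next to the stateful inspection David says those filters lack. The rule set, port numbers and addresses are constructed from what the posts mention; the "most specific filter wins" rule and mirrored filters are how Windows IPsec policy behaves, but the code is a model, not the Windows implementation.

```python
"""IPsec filter lists used as a port filter (the AnalogX-style policy Duane
describes) next to a connection-tracking filter, to show what 'no stateful
inspection' means. All packets and addresses below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out", seen from the protected host
    proto: str              # "tcp" or "udp"
    remote_ip: str
    remote_port: int
    local_port: int
    tcp_syn: bool = False   # SYN without ACK: a new connection attempt


@dataclass(frozen=True)
class Rule:
    """One filter plus its filter action. direction="any" models a
    'mirrored' Windows IPsec filter, which matches both directions with the
    ports swapped; "in" models a one-way inbound filter."""
    action: str                 # "permit" or "block"
    proto: str                  # "tcp", "udp" or "any"
    local_port: Optional[int]   # None = any port
    remote_port: Optional[int]  # None = any port
    direction: str = "any"


def evaluate(rules: List[Rule], defaults: Dict[str, str], pkt: Packet) -> str:
    """Stateless evaluation: the most specific matching filter wins, and a
    packet that matches no filter gets the per-direction default."""
    best, best_score = None, -1
    for r in rules:
        if r.direction not in ("any", pkt.direction):
            continue
        if r.proto not in ("any", pkt.proto):
            continue
        if r.local_port is not None and r.local_port != pkt.local_port:
            continue
        if r.remote_port is not None and r.remote_port != pkt.remote_port:
            continue
        score = (r.proto != "any") + (r.local_port is not None) + (r.remote_port is not None)
        if score > best_score:
            best, best_score = r, score
    return best.action if best else defaults[pkt.direction]


class StatefulFilter:
    """Same rules, but inbound traffic is admitted only as a reply to a flow
    this host opened, or through an explicit inbound ("in") permit rule."""

    def __init__(self, rules: List[Rule], defaults: Dict[str, str]):
        self.rules, self.defaults = rules, defaults
        self.flows: Set[Tuple[str, str, int, int]] = set()

    def handle(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if pkt.direction == "out":
            verdict = evaluate(self.rules, self.defaults, pkt)
            if verdict == "permit":
                self.flows.add(key)          # remember the connection we opened
            return verdict
        if key in self.flows:
            return "permit"                  # reply to an established flow
        inbound_only = [r for r in self.rules if r.direction == "in"]
        return evaluate(inbound_only, {"in": "block", "out": "block"}, pkt)


# Ports Duane mentions blocking: RPC endpoint mapper and Windows networking.
WINDOWS_PORTS = [135, 137, 138, 139, 445]
RULES = [Rule("block", "any", p, None, "in") for p in WINDOWS_PORTS]
RULES.append(Rule("permit", "tcp", None, 587))   # mirrored SMTP submission


def run_scenarios() -> Dict[str, str]:
    """Verdicts for a few constructed packets under three policies."""
    remote = "203.0.113.7"                       # RFC 5737 documentation range
    probe_135 = Packet("in", "tcp", remote, 40000, 135, tcp_syn=True)
    probe_1433 = Packet("in", "tcp", remote, 40001, 1433, tcp_syn=True)
    crafted_587 = Packet("in", "tcp", remote, 587, 1433, tcp_syn=True)
    mail_out = Packet("out", "tcp", "198.51.100.25", 587, 49152)
    mail_reply = Packet("in", "tcp", "198.51.100.25", 587, 49152)

    as_described = {"in": "permit", "out": "permit"}   # unmatched traffic passes
    deny_inbound = {"in": "block", "out": "permit"}
    stateful = StatefulFilter(RULES, deny_inbound)
    return {
        "blocklist: probe to 135": evaluate(RULES, as_described, probe_135),
        "blocklist: probe to 1433": evaluate(RULES, as_described, probe_1433),
        "deny-in: inbound SYN from src 587": evaluate(RULES, deny_inbound, crafted_587),
        "stateful: inbound SYN from src 587": stateful.handle(crafted_587),
        "stateful: mail out": stateful.handle(mail_out),
        "stateful: mail reply": stateful.handle(mail_reply),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:36s} -> {verdict}")
```

    The block list stops port 135 but says nothing about the SQL Server port, and even a deny-by-default policy lets a new inbound SYN through whenever its source port matches a mirrored client permit; only the connection table tells a reply apart from a fresh connection attempt.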
  6. Archived from groups: comp.sys.ibm.pc.hardware.chips (More info?)

    David Taylor wrote:
    >>I am looking for something secure:
    >>hardware wireless router:
    >
    >
    > I know where you're going with that but why? You can use WPA on a
    > WRT54G as long as your clients support it and given a strong password,
    > that's going to suit pretty much all home users.

    Even if I buy WPA APs, few clients have it yet.

    WPA is not backward compatible with 802.11b ... IPSEC is, with any wireless card and any
    OS ... and will remain secure as long as SSL is not broken, while optimistic people
    think that WPA will be broken within 12 months.

    I am not going to buy WPA, which will soon be weak.

    > IPSec has limitations too, how were you planning on authenticating?
    > Which EAP type were you going to use? EAP-MD5 for example is easily
    > dictionary crackable for example.

    Exchange of the primary key can be done by email the day before my customer joins me, or
    the first day using a transparent proxy that allows access only to HTTPS webmails ...

    or just hand in hand (aka oral confirmation that the signature of the key is really
    mine).

    IPSEC can't be weaker than WPA, simply because, like WEP, WPA is limited by hardware,
    and a broken proto means you can throw out your devices, while IPSEC can be upgraded
    even on old machines, and keeps the network compliant with any other devices.

    --
    DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
    \_o< If computing were an exact science, IT engineers would not have work >o_/
  7. Archived from groups: comp.sys.ibm.pc.hardware.chips (More info?)

    > I am very impressed with IPsec and its ability to supplement in a FW-like
    > manner. <g>

    IPSEC just rules where most other protos just sux.

    ATM I never set it up myself, but from tutos I have read, it is way non-trivial to
    set up (server side), but really claimed by everyone to be highly secure, and may
    be the only known REALLY secure layer to encapsulate VPNs.

    --
    DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
    \_o< If computing were an exact science, IT engineers would not have work >o_/
  8. Archived from groups: comp.sys.ibm.pc.hardware.chips (More info?)

    DEMAINE Benoit-Pierre <nntp_pipex@demaine.info> wrote in
    news:43361cb9$0$22382$626a14ce@news.free.fr:

    >> I am very impressed with IPsec and its ability to supplement in a FW-like
    >> manner. <g>
    >
    > IPSEC just rules where most other protos just sux.
    >
    > ATM I never set it up myself, but from tutos I have read, it is way
    > non-trivial to set up (server side), but really claimed by everyone
    > to be highly secure, and may be the only known REALLY secure layer to
    > encapsulate VPNs.
    >

    It's simple with the AnalogX rules that can be implemented on the Win 2K,
    XP and Win 2K3 O/S(s). All one does is enable or disable the IPsec
    rules, say for instance for the HTTP server/client, SMTP server/client,
    NNTP server/client, etc., etc., and edit those rules and see what's being
    done and learn from them. Again, it's a piece of cake; even I can do it.
    ;-)

    Duane :)
  9. Archived from groups: comp.sys.ibm.pc.hardware.chips (More info?)

    could you stop trolling and talk about available wireless IPSEC DEVICES ?

    btw: clients will be Linux and BSD laptops ...
    so that even a Pentium (1) 150MHz with PCMCIA1 802.11b adapters can still benefit from
    my secure wireless network, without need of those PCMCIA2 cards (which are not
    supported by old lappies), nor need of an OS that requires 256MB or even 2GB just to
    install ...

    IPSEC support can be added to 8-year-old BSD laptops !!!

    --
    DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
    \_o< If computing were an exact science, IT engineers would not have work >o_/
  10. Archived from groups: comp.sys.ibm.pc.hardware.chips (More info?)

    DEMAINE Benoit-Pierre <nntp_pipex@demaine.info> wrote in
    news:43361ddf$0$8933$626a14ce@news.free.fr:

    > could you stop trolling and talk about available wireless IPSEC DEVICES
    > ?
    >
    > btw: clients will be Linux and BSD laptops ...
    > so that even a Pentium (1) 150MHz with PCMCIA1 802.11b adapters can
    > still benefit from my secure wireless network, without need of those
    > PCMCIA2 cards (which are not supported by old lappies), nor need of an OS
    > that requires 256MB or even 2GB just to install ...
    >
    > IPSEC support can be added to 8-year-old BSD laptops !!!
    >

    Well, SuSE Linux that I use is using about that much RAM and disk space
    just to install. And I am not into mix, blend and roll your own.

    Well, you have to have two valid end points; I don't care what O/S you're
    using. The VPN end points must be client to server software solutions. Or
    you can install the VPN client software solution on a machine and install
    the server solution as part of the firmware of a low-end wireless
    firewall appliance. But I don't think the VPN will apply for a LAN
    situation, period, wired or wireless, and is only for remote connections
    over the Internet with a client machine. However, you'll need to check on
    it. The other VPN solution is hardware to hardware -- router to router.

    The only thing you might be able to do is an AD-HOC wireless solution on
    a gateway computer with wireless client machines using IPsec on the
    gateway server machine between the client machines.

    I don't think you're going to find a hardware VPN solution for the
    wireless machines on the LAN.

    Duane :)
  11. Archived from groups: comp.sys.ibm.pc.hardware.chips (More info?)

    some of my friends even use IPSEC on wired LAN ... just in case someone spies on their
    LAN after hacking the gateway ...

    atm, I /just/ want to secure wireless part of my home.

    --
    DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
    \_o< If computing were an exact science, IT engineers would not have work >o_/
  12. Archived from groups: comp.sys.ibm.pc.hardware.chips (More info?)

    DEMAINE Benoit-Pierre <nntp_pipex@demaine.info> wrote in
    news:43361e4a$0$8933$626a14ce@news.free.fr:

    > some of my friends even use IPSEC on wired LAN ... just in case someone
    > spies on their LAN after hacking the gateway ...
    >
    > atm, I /just/ want to secure wireless part of my home.
    >

    Well, there is nothing to say that one cannot hack the wireless and get to
    the wired LAN machines, or hack the wired ones and get to the wireless ones on
    the LAN. That's if you come right down to it. :)

    Duane :)
  13. Archived from groups: comp.sys.ibm.pc.hardware.chips (More info?)

    >>BUT but BUT: I want the wireless interface NOT TO BE BRIDGED to the LAN Ethernet,
    >
    >
    > Not possible. 802.11 wireless is bridging by definition. No routing,
    > IP addresses, or services (such as IPSec) involved. There's no other
    > way to connect between wireless and wired devices other than bridging.

    are you sure ? then, what is my hand-set-up gateway doing ???

    - 3 NICs
    - 1 wireless adapter ...

    4 IPs
    and clients on any network can not even ping any other IP than the NIC of my gateway
    it is connected to ... not even the IP of the wireless card if it is on a wired NIC ...

    what happens is that for simplicity, and dummy compliance, all manufacturers do
    bridge wireless to wired ... BUT in all firewalling tutos, you will find that this
    kind of bridging DOES require to be activated ... aka is NOT available before you
    explicitly ask for it.

    I already DID set up routing, and/or bridging on x86 boxes ...

    my actual question is: does any hardware router do that including IPSEC ?

    > Now, you could isolate the wired and wireless part with a router, VPN,
    > or filters, but that requires layer 3 services in addition to
    > bridging.

    that would mean set up a dedicated gateway between wired and wireless, which would
    decrypt IPSEC connections; that is precisely what I am too lame to do myself.

    > Overkill. You have WPA encryption for the wireless. On top of that,
    > you want to add VPN encryption. You don't really need both. WPA is
    > enough.

    WPA is hardware encryption: next year it will be broken = next year I can buy a new
    router, and ask all my clients to buy new cards ...

    All we know about WPA is that it was secure yesterday ... and that when someone
    breaks it, you learn about it on forums only 6 months after all the teenagers have already
    cracked company networks ...

    In France, such security breaches can lead people to jail, even put in jail the one
    who has been attacked.

    > The bigger they are, the harder they crash. How about this
    > alternative? Use an access point, not a wireless router for the
    > wireless part of the puzzle. Use WPA encryption. Use a seperate
    > IPSec VPN router to terminate the tunnel. Netgear seems to have a
    > good selection:

    - depends on (weak) WPA
    - depends on an additional box

    => twice as many storage devices + spinning disk + 2 systems + 2 supplies = 4 times more
    reasons to crash.

    and my problem is that I WANT TO AVOID SETTING UP MANUALLY THE IPSEC SERVER.

    > There's no other
    > way to connect between wireless and wired devices other than bridging.

    looks like you missed a point: I never said I want my networks to be in the same IP
    ranges ... would any admin want to keep in the same range all computers of the
    building ? who would be mad enough to try to keep transparent bridging between all
    computers ? who would try to interconnect more than 1000 computers on the same segment ?

    Even at home, it is out of order to have wireless in the same IP range as the wired LAN.

    Honey pots will fill holes

    DHCP+DNS will make things transparent for users.

    --
    DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
    \_o< If computing were an exact science, IT engineers would not have work >o_/
  14. Archived from groups: comp.sys.ibm.pc.hardware.chips (More info?)

    On Sun, 25 Sep 2005 06:06:14 +0200, DEMAINE Benoit-Pierre
    <nntp_pipex@demaine.info> wrote:

    >>>BUT but BUT: I want the wireless interface NOT TO BE BRIDGED to the LAN Ethernet,
    >>
    >>
    >> Not possible. 802.11 wireless is bridging by definition. No routing,
    >> IP addresses, or services (such as IPSec) involved. There's no other
    >> way to connect between wireless and wired devices other than bridging.
    >
    >are you sure ?

    Yes, I'm sure it's bridging.

    > then, what is my hand-set-up gateway doing ???

    That's the router section. Think of a "wireless router" as a
    "wireless access point" glued to an "ethernet router". If done in
    separate boxes, the ethernet output from the access point would go to
    one of the LAN inputs of the "ethernet router". When you set the IP
    addresses and all that, you're setting the router section. The only
    exception is that a stand-alone access point requires an IP address to
    do configurations and system settings. That IP address is only used
    for configuration and has nothing to do with the traffic.

    >
    >- 3 NICs
    >- 1 wireless adapter ...
    >
    >4 IPs
    >and clients on any network can not even ping any other IP than the NIC of my gateway
    >it is connected to ... not even the IP of the wireless card if it is on a wired NIC ...

    Wanna bet? If you ignore the router part of the puzzle and just play
    with an access point, the IP address of the access point can be
    literally anything. In fact, that's exactly what I do on wireless
    systems that I don't want the users to tinker with the access points.
    I set the management IP address of the access point to something
    that's out of the usual 192.168.1.0/24 block.

    >what happens is that for simplicity, and dummy compliance, all manufacturers do
    >bridge wireless to wired ... BUT in all firewalling tutos, you will find that this
    >kind of bridging DOES require to be activated ... aka is NOT available before you
    >explicitly ask for it.

    Sorry. I don't understand what you're asking or saying.

    >I already DID set up routing, and/or bridging on x86 boxes ...
    >
    >my actual question is: does any hardware router do that including IPSEC ?
    >
    >> Now, you could isolate the wired and wireless part with a router, VPN,
    >> or filters, but that requires layer 3 services in addition to
    >> bridging.
    >
    >that would mean set up a dedicated gateway between wired and wireless, which would
    >decrypt IPSEC connections; that is precisely what I am too lame to do myself.
    >
    >> Overkill. You have WPA encryption for the wireless. On top of that,
    >> you want to add VPN encryption. You don't really need both. WPA is
    >> enough.
    >
    >WPA is hardware encryption: next year it will be broken = next year I can buy a new
    >router, and ask all my clients to buy new cards ...

    That's why I suggested you separate the router function (with VPN) and
    the wireless function. When the next great exploits or new acronyms
    come out, you don't have to toss everything and start over.

    >All we know about WPA is that it was secure yesterday ... and that when someone
    >breaks it, you learn about it on forums only 6 months after all the teenagers have already
    >cracked company networks ...

    Yawn. You're welcome to your own level of paranoia. However, if you
    run on that assumption, there isn't an operating system, application,
    or protocol that won't shortly be cracked by teenagers or university
    grad students.

    >In France, such security breaches can lead people to jail, even put in jail the one
    >who has been attacked.
    >
    >> The bigger they are, the harder they crash. How about this
    >> alternative? Use an access point, not a wireless router for the
    >> wireless part of the puzzle. Use WPA encryption. Use a seperate
    >> IPSec VPN router to terminate the tunnel. Netgear seems to have a
    >> good selection:
    >
    >- depends on (weak) WPA
    >- depends on an additional box
    >
    >=> twice as many storage devices + spinning disk + 2 systems + 2 supplies = 4 times more
    >reasons to crash.
    >
    >and my problem is that I WANT TO AVOID SETTING UP MANUALLY THE IPSEC SERVER.

    Good luck. IPsec is no fun to setup. Lots of settings. Lots of
    potential incompatibilities between servers and clients. Lots of
    things to go wrong. To the best of my knowledge, nobody has a
    non-manual IPSec VPN setup.

    >> There's no other
    >> way to connect between wireless and wired devices other than bridging.
    >
    >looks like you missed a point: I never said I want my networks to be in the same IP
    >ranges ... would any admin want to keep in the same range all computers of the
    >building ? who would be mad enough to try to keep transparent bridging between all
    >computers ? who would try to interconnect more than 1000 computers on the same segment ?

    I think you missed my point. 802.11 wireless is bridging. I still
    recall wireless access points that didn't have an IP address for
    configuration and had to be set via a serial port. There's no layer 3
    stuff involved in bridging. That doesn't mean you have to setup your
    entire network without any routers and using just bridging. However,
    that's exactly the way a typical hot spot or home network is setup.
    The users bridge (encapsulate 802.3 ethernet inside 802.11 wireless
    packets) between client radios and the access point. The IP stack is
    in the client, not the wireless client. At the access point, it goes
    to a router, which deals with the IP addresses, routing, and such.

    >Even at home, it is out of order to have wireless in the same IP range as the wired LAN.

    Most systems I've seen use a common /24 IP block for everything. If
    there's a VPN server in the system, the VPN server delivers an IP
    address through the tunnel to the client, which is used instead of the
    DHCP assigned IP address. I think that's what you're talking about.

    >Honey pots will fill holes
    >
    >DHCP+DNS will make things transparent for users.

    Sigh. Good luck...


    --
    # Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
    # 831.336.2558 voice Skype: JeffLiebermann
    # http://www.LearnByDestroying.com AE6KS
    # http://802.11junk.com
    # jeffl@comix.santa-cruz.ca.us
    # jeffl@cruzio.com
  15. Archived from groups: comp.sys.ibm.pc.hardware.chips (More info?)

    On Sun, 25 Sep 2005 06:06:14 +0200, DEMAINE Benoit-Pierre
    <nntp_pipex@demaine.info> wrote:

    >my actual question is: does any hardware router do that including IPSEC ?

    Wireless router or ethernet router with VPN?

    Wireless:
    | http://www.netgear.com/products/details/FWAG114.php
    | http://www.sonicwall.com/products/tz170SP_wireless.html
    | http://www.linksys.com/servlet/Satellite?childpagename=US%2FLayout&packedargs=c%3DL_Product_C2%26cid%3D1118334818934&pagename=Linksys%2FCommon%2FVisitorWrapper


    There are plenty of ethernet routers with IPSec VPN terminations.
    Search Google or the major manufacturers for "VPN Router".


    --
    # Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
    # 831.336.2558 voice Skype: JeffLiebermann
    # http://www.LearnByDestroying.com AE6KS
    # http://802.11junk.com
    # jeffl@comix.santa-cruz.ca.us
    # jeffl@cruzio.com
  16. Archived from groups: comp.sys.ibm.pc.hardware.chips (More info?)

    > set up (server side), but really claimed by everyone to be highly secure, and may
    > be the only known REALLY secure layer to encapsulate VPNs.

    Wait a week, then visit www.newburynetworks.com and view their webcast on
    why VPNs (IPSec or otherwise) are in their opinion NOT the way to
    secure a WLAN.

    IPSec isn't the only solution and as has been stated, doesn't secure
    anything other than IP, is a layer 3 protocol, doesn't encrypt
    broadcasts and requires that the network be subnetted.

    David.
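    As an added example (not code from anyone in the thread), a Python parser for the encapsulation Jeff describes above, an 802.3 payload carried inside an 802.11 data frame, showing which headers the access-point bridge forwards on and where David's layer-3 point lands: WPA protection is a flag in the 802.11 header, IPsec is a protocol number inside the IP header, and an ARP broadcast is outside both. The frames, MAC addresses and IP addresses are constructed for the demonstration.

```python
"""Where WPA and IPsec protect a frame crossing the access-point bridge.
Constructed 802.11 data frames only; no capture library is needed."""
import struct

LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"          # LLC header + zero OUI
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51
BROADCAST = b"\xff" * 6


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip4(s):
    return bytes(int(x) for x in s.split("."))


def build_frame(sa, da, bssid, body, to_ds=True, protected=False):
    """Non-QoS 802.11 data frame. ToDS (station -> AP) puts the addresses in
    BSSID/SA/DA order, FromDS (AP -> station) in DA/BSSID/SA order."""
    fc1 = (0x01 if to_ds else 0x02) | (0x40 if protected else 0x00)
    addrs = bssid + sa + da if to_ds else da + bssid + sa
    return bytes([0x08, fc1]) + b"\x00\x00" + addrs + b"\x00\x00" + body


def ipv4_header(proto, src, dst, payload_len):
    """Minimal IPv4 header; checksum left zero because this is a sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, ip4(src), ip4(dst))


def parse_dot11_data(frame):
    """Return what each layer can see of a 3-address 802.11 data frame."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and not from_ds:
        bssid, sa, da = a1, a2, a3
    elif from_ds and not to_ds:
        da, bssid, sa = a1, a2, a3
    elif not to_ds and not from_ds:         # IBSS / ad hoc
        da, sa, bssid = a1, a2, a3
    else:
        raise ValueError("4-address WDS frames are not modelled")
    # Layer 2: this is all the bridge in the access point needs.
    info = {"src": mac(sa), "dst": mac(da), "bssid": mac(bssid),
            "broadcast": da == BROADCAST, "wpa_protected": bool(fc1 & 0x40),
            "ethertype": None, "ip_proto": None}
    body = frame[24:]
    if info["wpa_protected"]:
        return info       # body is ciphertext; the bridge still forwards by MAC
    if not body.startswith(LLC_SNAP):
        raise ValueError("expected LLC/SNAP encapsulation of an 802.3 payload")
    info["ethertype"] = struct.unpack("!H", body[6:8])[0]
    payload = body[8:]
    if info["ethertype"] == ETHERTYPE_IPV4 and len(payload) >= 20:
        info["ip_proto"] = payload[9]      # layer 3: where IPsec shows up
    return info


def protection(info):
    """Which layer, if any, protects the frame's contents on the air."""
    if info["wpa_protected"]:
        return "layer 2 (WPA)"
    if info["ip_proto"] in (IPPROTO_ESP, IPPROTO_AH):
        return "layer 3 (IPsec)"
    return "none"


def sample_frames():
    """Constructed frames from one station to the AP (all values made up)."""
    sta, ap = bytes.fromhex("0200c0ffee01"), bytes.fromhex("0200c0ffee00")
    sta_ip, gw_ip = "10.0.1.23", "10.0.1.1"
    esp = ipv4_header(IPPROTO_ESP, sta_ip, gw_ip, 40) + b"\x00" * 40
    tcp = ipv4_header(IPPROTO_TCP, sta_ip, gw_ip, 20) + b"\x00" * 20
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1,
                      sta, ip4(sta_ip), b"\x00" * 6, ip4(gw_ip))

    def llc(ethertype, payload):
        return LLC_SNAP + struct.pack("!H", ethertype) + payload

    return {
        "esp_tunnel": build_frame(sta, ap, ap, llc(ETHERTYPE_IPV4, esp)),
        "plain_tcp": build_frame(sta, ap, ap, llc(ETHERTYPE_IPV4, tcp)),
        "arp_broadcast": build_frame(sta, BROADCAST, ap, llc(ETHERTYPE_ARP, arp)),
        "wpa_frame": build_frame(sta, ap, ap, b"\x5a" * 48, protected=True),
    }


if __name__ == "__main__":
    for name, frame in sample_frames().items():
        info = parse_dot11_data(frame)
        print(f"{name:14s} dst={info['dst']} broadcast={info['broadcast']} "
              f"protection={protection(info)}")
```

    The bridge's decision uses only `src`, `dst` and the protected flag; whether a given packet is inside an IPsec tunnel is invisible to it, and the ARP broadcast the station must send to reach its gateway is never inside the tunnel at all.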
  17. Archived from groups: comp.sys.ibm.pc.hardware.chips (More info?)

    > I think you missed my point. 802.11 wireless is bridging. I still
    > recall wireless access points that didn't have an IP address for
    > configuration and had to be set via a serial port. There's no layer 3
    > stuff involved in bridging. That doesn't mean you have to setup your

    I can see where he's coming from, he wants an IPSec driver on the
    wireless side of his router above the MAC bridge part of the wireless.
  18. Archived from groups: comp.sys.ibm.pc.hardware.chips (More info?)

    > Who cares about what the OP is talking about?

    That's generally the point of a thread, to discuss the original
    question! :)

    > I've been using it for a couple of years and that's after someone made me aware
    > of it so how can it be new to me? I have made posts about using IPsec as a

    Duane said "But until now, I was not aware of how powerful of a solution
    IPsec is
    and its ability to be used in a FW like manner"

    > O/S(s) are not aware that it's even there. And many users *bitch* about the
    > XP O/S FW not being able to stop outbound traffic. However, with the use of

    Yes and many users complain that Windows is unstable after they've
    loaded a whole truck load of poorly written 3rd party device drivers.

    > and on the post where you started going to left field on NWLink and NetBIOS.

    Go back and read Duane, you mentioned IPSec protecting Netbios over
    NWLink. I can pick the post and requote it if you like?

    > *university/college/boy -- ass-wipe*. <g> and <EOR>

    Do you feel inferior, Duane, is that it? How was it in "the hood"?

    David.
  19. Archived from groups: comp.sys.ibm.pc.hardware.chips (More info?)

    "David Taylor" <djtaylor@bigfoot.com> wrote in message
    news:MPG.1da0706313bab0c2989e5e@news.cable.ntlworld.com...
    >> Who cares about what the OP is talking about?
    >
    > That's generally the point of a thread, to discuss the original
    > question! :)
    >
    >> I've been using it for a couple of years and that's after someone made me
    >> aware
    >> of it so how can it be new to me? I have made posts about using IPsec as
    >> a
    >
    > Duane said "But until now, I was not aware of how powerful of a solution
    > IPsec is
    > and its ability to be used in a FW like manner"

    So what? My use of IPsec was behind a NAT router and BlackIce to
    *supplement* them both, as neither one of them had the ability to stop
    outbound traffic from a machine. Now, I am out on the road on a dial-up
    connection, a direct connection to the Internet, and can fully understand the
    power of IPsec as a packet filtering solution.


    >
    >> O/S(s) are not aware that it's even there. And many users *bitch* about
    >> the
    >> XP O/S FW not being able to stop outbound traffic. However, with the use
    >> of
    >
    > Yes and many users complain that Windows is unstable after they've
    > loaded a whole truck load of poorly written 3rd party device drivers.
    >
    >> and on the post where you started going to left field on NWLink and
    >> NetBIOS.
    >
    > Go back and read Duane, you mentioned IPSec protecting Netbios over
    > NWLink. I can pick the post and requote it if you like?

    There you go with another one of your *bitch* moves. You said NetBIOS over
    TCP/IP, not me. What I should have said was the NetBIOS port that even BI
    protects. But just keep in mind you're the greatest guru of ALL TIMES, not
    me.

    >
    >> *university/college/boy -- ass-wipe*. <g> and <EOR>
    >
    > Do you feel inferior Duane is that it?, how was it in "the hood"?

    And I have been to college too, but I don't flaunt it like I have seen you
    do it the one time I read a post that you made to someone you flaunted it to.
    What you can do for me is kiss my BLACK ass, that's what you can do. You put
    your pants on one leg at a time and a POS like you will never be better than
    me. You are nothing but a somewhat educated POS.

    And you're a dime a dozen out here on the Internet.
  20. Archived from groups: comp.sys.ibm.pc.hardware.chips

    "
    > That's generally the point of a thread, to discuss the original
    > question! :)
    >

    Wait just a damn minute here you lurking *clown*. You made some posts to me
    and I cannot do the same with you as you went out of your way to do it? GTF
    out of here with this. You POS it is not your show in this NG or the
    Internet. You may think that it is your show, your NG, and your Internet and
    apparently your world. But you can rest assured that it's not. :)
  21. Archived from groups: comp.sys.ibm.pc.hardware.chips

    > And I have been to college too, but I don't flaunt it like I have seen you
    > do it the one time I read a post that you made to someone you flaunted it to.

    You're so funny Duane, ONE guy asked and I answered his question. You
    call that flaunting it to reply to his question "where did you learn
    stuff"? You have issues.

    > What you can do for me is kiss my BLACK ass that's what you can do. You put
    > your pants on one leg at a time and a POS like you will never be better than
    > me. You are nothing but a somewhat educated POS.

    Yep, you really do have a complex. Get therapy or grow up.
  22. Archived from groups: comp.sys.ibm.pc.hardware.chips

    David Taylor wrote:
    >>Who cares about what the OP is talking about?
    >
    >
    > That's generally the point of a thread, to discuss the original
    > question! :)

    I agree that 'trolling' was not a good word; I ought to say:

    personal argumentation with insults and useless challenging ... to fight about
    uninteresting personal qualifications/abilities.

    --
    DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
    \_o< If computing were an exact science, IT engineers would not have work >o_/
  23. Archived from groups: comp.sys.ibm.pc.hardware.chips

    > personal argumentation with insults and useless challenging ... to fight about
    > uninteresting personal qualifications/abilities.

    He started it! :p
  24. Archived from groups: comp.sys.ibm.pc.hardware.chips

    >>are you sure ?
    >
    >
    > Yes, I'm sure it's bridging.
    >
    >
    >>then, what is my hand setted up gateway doing ???
    >
    >
    > That's the router section. Think of a "wireless router" as a
    > "wireless access point" glued to an "ethernet router". If done in
    > separate boxes, the ethernet output from the access point would go to
    > one of the LAN inputs of the "ethernet router". When you set the IP
    > addresses and all that, you're setting the router section. The only
    > exception is that a stand-alone access point requires an IP address to
    > do configurations and system settings. That IP address is only used
    > for configuration and has nothing to do with the traffic.

    Learn a bit about the French product called 'freebox':
    it natively supports wireless routing, and it is REALLY A ROUTER:
    software configuration can activate (or not) routing to wireless; by default it is off and
    you can only access the wired part.

    The problem with this device is that the manufacturer does not sell it. It is a part
    provided to customers who pay for internet access ...

    I mean that in this device, the wireless card is not bridged.

    >>4 IPs
    >>and clients on any network can not even ping any other IP than the NIC of my gateway
    >>it is connected to ... not even the IP of wireless card if he is on wired NIC ...
    >
    >
    > Wanna bet? If you ignore the router part of the puzzle and just play
    > with an access point, the IP address of the access point can be
    > literally anything. In fact, that's exactly what I do on wireless
    > systems that I don't want the users to tinker with the access points.
    > I set the management IP address of the access point to something
    > that's out of the usual 192.168.1.0/24 block.

    what is your point in this part ?

    >>what happens is that for simplicity, and dummy compliance, all manufacturers do
    >>bridge wireless to wired ... BUT on all firewalling tutos, you will find that this
    >>kind of bridging DOES require to be activated ... aka is NOT available before you
    >>explicitly ask for it.
    >
    > Sorry. I don't understand what you're asking or saying.

    hmmm, did you ever try to activate WDS ?
    did you read the routing table of a WRT54g ?

    if yes, read me again ...

    >>WPA is hardware encryption: next year it will be broken = next year I can buy a new
    >>router, and ask all my clients to buy new cards ...
    >
    > That's why I suggested you separate the router function (with VPN) and
    > the wireless function. When the next great exploits or new acronyms
    > come out, you don't have to toss everything and start over.

    I can perfectly well do it on my old pentium 120 ...

    question is: can a hardware router do it for me ?

    > Good luck. IPsec is no fun to setup. Lots of settings. Lots of
    > potential incompatibilities between servers and clients. Lots of
    > things to go wrong. To the best of my knowledge, nobody has a
    > non-manual IPSec VPN setup.

    that's why I ask for a hardware device

    (but still, I expect this kind of hardware to be upgradable ...
    when WPA is encoded (let's say) into silicon, IPSEC ought to be encoded into a FLASH device)

    > Most systems I've seen use a common /24 IP block for everything. If
    > there's a VPN server in the system, the VPN server delivers an IP
    > address through the tunnel to the client, which is used instead of the
    > DHCP assigned IP address. I think that's what you're talking about.

    some companies have over 10000 boxes in a single building: if you use only hubs and
    switches, you need a star network, where the root switch may saturate with 100gb
    ... because if two end-branch clients want to exchange, they are likely to have to
    come back to the root switch ... when a routed network can be designed as islands, then
    islands can be interconnected in a smart way.

    I have been a customer in a network you describe: it was deadly slow and unstable:
    breaking the root switch shut down the whole network ... for example when you unplug
    the switch that leads to the DHCP server room ...

    --
    DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
    \_o< If computing were an exact science, IT engineers would not have work >o_/
  25. Archived from groups: comp.sys.ibm.pc.hardware.chips

    On Sun, 25 Sep 2005 11:30:25 +0200, DEMAINE Benoit-Pierre
    <nntp_pipex@demaine.info> wrote:

    >Learn a bit about the French product called 'freebox':
    >it natively supports wireless routing, and it is REALLY A ROUTER:
    >software configuration can activate (or not) routing to wireless; by default it is off and
    >you can only access the wired part.

    You still aren't getting my point. 802.11 wireless is bridging.
    Where you attach a router and what it does is not part of 802.11.
    There's not one word that even mentions routeing or IP addresses in
    the IEEE 802.11 specifications.
    http://standards.ieee.org/getieee802/802.11.html
    Download any of 802.11a/b/g specs and find me where it says "router".

    >I mean that in this device, the wireless card is not bridged.

    All 802.11 wireless cards are bridged. You can attach a router at
    both ends and hide the bridging from the client, but the basic
    protocol is bridging.

    >> Wanna bet? If you ignore the router part of the puzzle and just play
    >> with an access point, the IP address of the access point can be
    >> literally anything. In fact, that's exactly what I do on wireless
    >> systems that I don't want the users to tinker with the access points.
    >> I set the management IP address of the access point to something
    >> that's out of the usual 192.168.1.0/24 block.
    >
    >what is your point in this part ?

    That with bridging, it's not important that the IP address of the
    wireless device be in the same subnet as the wireless LAN.

    >>>what happens is that for simplicity, and dummy compliance, all manufacturers do
    >>>bridge wireless to wired ... BUT on all firewalling tutos, you will find that this
    >>>kind of bridging DOES require to be activated ... aka is NOT available before you
    >>>explicitly ask for it.
    >>
    >> Sorry. I don't understand what you're asking or saying.
    >
    >hmmm, did you ever try to activate WDS ?


    I don't understand your terms "dummy compliance", "tutos", and what
    needs to be "activated". What does WPA have to do with anything in
    bridging and routeing. WPA encryption is totally transparent to both.

    >did you read routing table of a WRT54g ?

    > ~ # netstat -r
    > Kernel IP routing table
    > Destination Gateway Genmask Flags MSS Window irtt Iface
    > 192.168.111.0 * 255.255.255.0 U 40 0 0 br0
    > 63.198.98.0 * 255.255.255.0 U 40 0 0 vlan1
    > 127.0.0.0 * 255.0.0.0 U 40 0 0 lo
    > default adsl-63-198-98- 0.0.0.0 UG 40 0 0 vlan1

    What should I read in there? That's the router part of the WRT54G.

    >if yes, read me again ...

    Done. I still don't understand what you're asking or suggesting.

    >question is: can a hardware router do it for me ?

    Do you want everything in one box? If so, I've listed 3 possible
    wireless VPN routers. If you can live with everything in separate
    boxes, then it can be done with a much wider and cheaper variety of
    boxes.

    >> Good luck. IPsec is no fun to setup. Lots of settings. Lots of
    >> potential incompatibilities between servers and clients. Lots of
    >> things to go wrong. To the best of my knowledge, nobody has a
    >> non-manual IPSec VPN setup.
    >
    >that's why I ask for a hardware device

    Hardware IPSec is about the same complexity as software (FreeSWAN)
    especially when dealing with poorly defined features such as replay
    protection. I've seen compatibility issues that were not fun to
    troubleshoot.

    >I have been a customer in a network you describe: it was deadly slow and unstable:
    >breaking the root switch shut down the whole network ... for example when you unplug
    >the switch that leads to the DHCP server room ...

    I'm not suggesting you build a complex network for your home wireless.
    I'm simply suggesting that you separate the modem, VPN router, and
    wireless access point into three separate boxes. I can list the
    benefits when you're ready to listen.


    --
    Jeff Liebermann jeffl@comix.santa-cruz.ca.us
    150 Felker St #D http://www.LearnByDestroying.com
    Santa Cruz CA 95060 http://802.11junk.com
    Skype: JeffLiebermann AE6KS 831-336-2558
  26. Archived from groups: comp.sys.ibm.pc.hardware.chips

    The TZ 170 SP Wireless allows network administrators to create user accounts for
    occasional guest users such as consultants and contractors that permit wireless
    connections to the Internet without providing access to the corporate network.

    sounds nice ... I need to read again tonight ...

    --
    DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
    \_o< If computing were an exact science, IT engineers would not have work >o_/
  27. Archived from groups: comp.sys.ibm.pc.hardware.chips

    David Taylor wrote:
    > It's not new Duane. All you're doing is blocking traffic by port. I'm
    > surprised that it's new to you.
    >
    > The main advantage of IPSec is the Sec part, i.e. security. Simply
    > creating filters and a filter action like you are doing is the very
    > simplest start. What the original poster wanted was security which to
    > do properly requires a PKI implementation. Then you get mutual
    > authentication and encryption, none of which you have right now.

    at a 94 IETF meeting in the gateway working group ... a friend
    introduced something that has since come to be called VPN. my view was
    that it somewhat upset the ipsec people ... since they were working on
    end-to-end. the issue with ipsec has been that it required updates to
    all the deployed (mostly kernel) tcp/ip protocol stacks. VPN could be
    deployed w/o impacting current installed systems. eventually things
    were somewhat patched over with the ipsec people labeling VPNs as
    light-weight ipsec ... and lots of other people referring to ipsec as
    heavy-weight ipsec. there was at least one vendor who announced a
    purely vaporware vpn product that dec. ... in response to the uptake of
    the concept after the ietf meeting.

    to a large degree, the appearance of SSL was because of the same factor
    ... the difficulty with doing end-to-end ipsec because of its
    impacting existing deployed systems.

    towards the end of 94, my wife and i got called in to consult with the
    small client/server company that had come up with ssl ... who wanted to
    do payments on their server
    http://www.garlic.com/~lynn/aadsm5.htm#asrn2
    http://www.garlic.com/~lynn/aadsm5.htm#asrn3

    at the time, they had this stuff that was going to use something called
    digital certificates issued by these organizations called certification
    authorities (as part of something called PKI). as part of doing
    payments ... we had to go around and do some end-to-end business audits
    on these organizations calling themselves certification authorities ...
    some collected postings on the subject off SSL certificates
    http://www.garlic.com/~lynn/subpubkey.html#sslcert

    SSL implementation at the time was one-way authentication between the
    server and the browser. using SSL for the webserver to payment gateway
    traffic ... we required an SSL implementation that supported mutual
    authentication.

    however, as part of that effort, we coined the term "certificate
    manufacturing" ... since the majority of the operations weren't
    actually doing full-fledged PKIs ... no actual management and
    administration of the certified information (contained in the digital
    certificates) ... just the straight-forward manufacturing of the
    certificates. In fact, numerous certificate-based infrastructures from
    the period would rely on existing business operations for
    administration of the current validity of the certified information (as
    opposed to actually deploying a full-fledged PKI). The issue then was
    that for such operations ... it was quite a trivial proof to show that
    the digital certificates were redundant and superfluous (if you were
    relying on existing business operations for real-time validity ... then
    it was a very short step to having existing business operations also
    providing public keys in real time).

    there is now even cross-over between the original 94 vpn and the 94 ssl
    ... with the appearance of ssl-based VPNs.

    the basic technology is asymmetric key cryptography; what one key (of a
    key-pair) encodes, the other key decodes (to differentiate from
    symmetric key which uses the same key for both encoding and decoding).

    there are business process applications of asymmetric key cryptography
    called "public key" (where one key is identified as public and made
    available, and the other key is identified as private and kept
    confidential and never divulged) and "digital signature" (which
    involves encoding a hash of a message/document with a private key).

    However, there are numerous examples of infrastructures that use public
    keys, digital signatures, encrypted channels that don't involve PKI,
    certification authorities, and/or digital signatures.

    one of the most prevalent authentication infrastructures is RADIUS ...
    starting out having been a userid/password implementation. There have
    been extensions to RADIUS where public keys are registered in lieu of
    passwords and digital signatures used for authentication ... totally
    certificateless operation
    http://www.garlic.com/~lynn/subpubkey.html#radius

    another wide-spread authentication environment is KERBEROS, found as
    integral part of a large number of platforms. the original pk-init
    specification had public keys being registered in lieu of passwords and
    supporting digital signature authentication ... again a certificateless
    operation
    http://www.garlic.com/~lynn/subpubkey.html#kerberos

    pk-init specification was later upgraded to also include PKI and
    certificate-based operation ... supporting the ability for total
    strangers to log on to your system ... recent lengthy description
    http://www.garlic.com/~lynn/2005q.html#23 Logon with Digital Signature

    another public key, non-PKI authentication and confidential
    infrastructure with relatively wide deployment is SSH
    http://www.openssh.com
    http://www.ssh.com

    in any case, IPSEC PKI infrastructure can carry with it a much heavier
    infrastructure operation than is actually needed for public key
    authentication and encryption (and even can be redundant and
    superfluous compared to simple upgrades to existing management and
    administrative operation).
    http://www.garlic.com/~lynn/subpubkey.html#certless
  28. Archived from groups: comp.sys.ibm.pc.hardware.chips

    > The TZ 170 SP Wireless allows network administrators to create user accounts for
    > occasional guest users such as consultants and contractors that permit wireless
    > connections to the Internet without providing access to the corporate network.
    >
    > sounds nice ... I need to read again tonight ...

    But you can do that with any AP that provides multiple SSIDs (or a
    couple of APs) that map to separate VLANs, one for employees and one
    VLAN going straight out to the internet.

    David.
  29. Archived from groups: comp.sys.ibm.pc.hardware.chips

    Can you stop posting to me like a *bitch*. That's all you amount to me is
    that and nothing else. And that's what you would be viewed as in the *hood*
    or on the *streets* a man acting like a *bitch*.
  30. Archived from groups: comp.sys.ibm.pc.hardware.chips

    > Can you stop posting to me like a *bitch*.

    I just want to make a correction here. I don't want you *bitching* about it.
    <g>

    Can you stop posting to me like a *bitch*?
  31. Archived from groups: comp.sys.ibm.pc.hardware.chips

    On 25 Sep 2005 12:33:53 -0700, lynn@garlic.com wrote:

    I'll risk a bit of topic drift here...

    >to a large degree, the apperance of SSL was because of the same factor
    >... the difficulty with doing end-to-end ipsec because of its
    >impacting, existing deployed systems.

    Difficulty is an understatement. The AH encapsulation would
    effectively prevent re-writing the header on NAT firewalls making that
    useless. At least ESP payload only works through NAT. Replay attack
    prevention seems to cause some compatibility issues with different
    implementations. I lost count of how many different encryption and
    authentication protocols were available. Compatibility still seems to
    be a problem:
    http://nscsysop.hypermart.net/vpnnat.html
    I've also lost count of how many bug reports I've submitted to
    manufacturers over VPN compatibility issues. My guess(tm) is that SSL
    is becoming popular because it offers considerable simplicity and
    compatibility.

    >however, as part of that effort, we coined the term "certificate
    >manufacturing" ... since the majority of the operations weren't
    >actually doing full-fledged PKIs

    Well, part of the incentive was that Verisign was charging ridiculous
    amounts for a server certificate. That might be justifiable with a
    big ecommerce site, but not with a small hosted web site that just
    wants something better than a password. If Verisign had recognized
    the market and priced their PKI services accordingly, there would not
    have been any need for the "certificate manufactories".
    | http://www.cacert.org
    | http://www.instantssl.com
    | http://www.thawte.com


    >it was quite a trivial proof to show that
    >the digital certificates were redundant and superfluous (if you were
    >relying on existing business operations for real-time validity ... then
    >it was a very short step to having existing business operations also
    >providing public keys in real time).

    Well, when the browser now says "Just click here to accept this
    certificate as valid" without the slightest authentication, one might
    as well pretend that everything is valid. As I recall, that was in
    response to MS expiring all their certificates issued with Windoze
    runtimes in 2000(?) combined with the social engineering of some MS
    certificates from Verisign, where MS discovered they had no way to
    revoke a certificate.

    >there is now even cross-over between the original 94 vpn and the 94 ssl
    >... with the apparance of ssl-based VPNs.

    Yes, for good reason. The browsers all have SSL capability and an SSL
    based VPN can therefore be deployed with a minimum of butchery on the
    client side.
    | http://www.whalecommunications.com/site/Whale/Corporate/Whale.asp?pi=291
    | http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns125/networking_solutions_white_paper09186a00801d3583.shtml

    >However, there are numerous examples of infrastructures that use public
    >keys, digital signatures, encrypted channels that don't involve PKI,
    >certification authorities, and/or digital signatures.

    Ummm.... Pre shared keys? (Never mind).

    >in any case, IPSEC PKI infrastructure can carry with it a much heavier
    >infrastructure operation than is actually needed for public key
    >authentication and encryption (and even can be redundant and
    >superfluous compared to simple upgrades to existing management and
    >administrative operation).

    We're talking about a home user with probably a handful of potential
    users. The alleged benefit of PKI is that it authenticates the
    terminating web pages as being whom they claim to be. I've set up
    bogus servers to see how typical clients react. I've found that some
    method of authentication is required as almost all users are
    clueless when a counterfeit web page appears. I even got caught in my
    own trap when I forgot to turn it off one day. Same with a faked SSID
    hot spot running HostAP. One doesn't really "need" PKI and a CA to do
    the authentication, but methinks it is generally a good idea.


    --
    Jeff Liebermann jeffl@comix.santa-cruz.ca.us
    150 Felker St #D http://www.LearnByDestroying.com
    Santa Cruz CA 95060 http://802.11junk.com
    Skype: JeffLiebermann AE6KS 831-336-2558
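Jeff's AH-versus-ESP point above (the AH integrity check covers the outer IP header, so a NAT rewrite of the source address breaks it, while ESP's check covers only the ESP header and ciphertext), as an added Python model that is not from the thread. The keys, addresses, payload and stream cipher are constructed for the demo, the ESP trailer and IP checksum are omitted, and the mutable-field zeroing follows RFC 4302; it also shows why that zeroing exists, namely that AH survives an ordinary router hop (TTL decrement) but not a NAT.

```python
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_AH = 51   # RFC 4302
IPPROTO_ESP = 50  # RFC 4303
ICV_LEN = 12      # HMAC-SHA1-96 (RFC 2404) truncates the MAC to 96 bits

# Constructed demo keys (hypothetical; a real SA negotiates its own keys).
INTEGRITY_KEY = b"constructed-integrity-key"
CIPHER_KEY = b"constructed-cipher-key"


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; the checksum is left zero in this toy."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ah_immutable(ip_hdr):
    """RFC 4302: zero TOS, flags/offset, TTL and checksum; addresses stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)


def mac(data):
    return hmac.new(INTEGRITY_KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah(src, dst, spi, seq, payload, next_hdr=17):
    """IP | AH(next, len, rsvd, SPI, seq, ICV) | payload; ICV spans IP hdr too."""
    ah_len = 12 + ICV_LEN                      # 24 bytes; field is 32-bit words - 2
    ah_no_icv = struct.pack("!BBHII", next_hdr, ah_len // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, ah_len + len(payload))
    icv = mac(ah_immutable(ip_hdr) + ah_no_icv + bytes(ICV_LEN) + payload)
    return ip_hdr + ah_no_icv + icv + payload


def verify_ah(pkt):
    ip_hdr, ah_no_icv = pkt[:20], pkt[20:32]
    icv, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    expected = mac(ah_immutable(ip_hdr) + ah_no_icv + bytes(ICV_LEN) + payload)
    return hmac.compare_digest(icv, expected)


def keystream(spi, seq, n):
    """Toy keystream for the demo only, NOT a real ESP cipher transform."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(CIPHER_KEY + struct.pack("!III", spi, seq, ctr)).digest()
        ctr += 1
    return out[:n]


def build_esp(src, dst, spi, seq, payload):
    """IP | ESP(SPI, seq) | ciphertext | ICV; ICV never covers the outer IP hdr."""
    esp_hdr = struct.pack("!II", spi, seq)
    ct = bytes(a ^ b for a, b in zip(payload, keystream(spi, seq, len(payload))))
    icv = mac(esp_hdr + ct)
    ip_hdr = ipv4_header(src, dst, IPPROTO_ESP, len(esp_hdr) + len(ct) + ICV_LEN)
    return ip_hdr + esp_hdr + ct + icv


def verify_esp(pkt):
    """Return the decrypted payload, or None when the ICV check fails."""
    esp_hdr, body, icv = pkt[20:28], pkt[28:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(icv, mac(esp_hdr + body)):
        return None
    spi, seq = struct.unpack("!II", esp_hdr)
    return bytes(a ^ b for a, b in zip(body, keystream(spi, seq, len(body))))


def router_hop(pkt):
    """An ordinary router only decrements TTL (a mutable field): AH tolerates it."""
    h = bytearray(pkt)
    h[8] -= 1
    return bytes(h)


def nat_rewrite_src(pkt, new_src):
    """A NAT router rewrites the source address (bytes 12..16), which AH covers."""
    return pkt[:12] + ipaddress.IPv4Address(new_src).packed + pkt[16:]


def demo():
    payload = b"constructed inner packet"      # constructed sample data
    ah = build_ah("192.168.111.33", "203.0.113.9", 0x1001, 1, payload)
    esp = build_esp("192.168.111.33", "203.0.113.9", 0x2002, 1, payload)
    return {
        "ah_direct": verify_ah(ah),
        "ah_after_hop": verify_ah(router_hop(ah)),                       # True
        "ah_after_nat": verify_ah(nat_rewrite_src(ah, "198.51.100.7")),  # False
        "esp_direct": verify_esp(esp) == payload,
        "esp_after_nat": verify_esp(nat_rewrite_src(esp, "198.51.100.7")) == payload,
    }


if __name__ == "__main__":
    print(demo())
```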
  32. Archived from groups: comp.sys.ibm.pc.hardware.chips

    Jeff Liebermann wrote:
    > On 25 Sep 2005 12:33:53 -0700, lynn@garlic.com wrote:
    >
    > I'll risk a bit of topic drift here...

    You can't be more off-topic than those 2 insulting guys ...

    > We're talking about a home user with probably a handful of potential
    > users. The alleged benefit of PKI is that it authenticates the
    > terminating web pages as being whom they claim to be.

    if you consider really secure systems, those where the user is really a user, and not
    root or admin ...

    how could a simple user land browser install a certificate the kernel could use to
    establish a new network layer ?

    that would require the rights separation that is planned in GNU/Hurd, and not that stable
    in UML, or fuse ...

    => point is: there is no use to tell about SSL support of browser:
    root ought to
    wget gateway/certificate
    then restart a daemon ...

    > I've setup
    > bogus servers to see how typical clients react. I've found that some
    > method of authentication is a required as almost all users are
    > clueless when a counterfeit web page appears. I even got caught in my
    > own trap when I forgot to turn it off one day. Same with a faked SSID
    > hot spot running HostAP. One doesn't really "need" PKI and a CA to do
    > the authentication, but methinks it is generally a good idea.

    one point for you (regarding most admins thinking ...)

    about me:
    I am the only admin on all boxes I install, especially on my family's computers ...

    and that is not enough yet to prevent them doing stupid things ...

    the worst things are now impossible for them:
    - Hey, I found that free demo CD in the supermarket, but it says I have no right to
    install it
    - I made you not have this right because I knew you would try to install it !

    what happened for real:
    - I was given this CD that offers cheap internet access
    - you already have cheap internet access for the same price as the one on your new
    CD, except that your attempt to install your stupid CD broke IE down

    by that time, my dad was admin on the box, and the CD broke the whole GUI of IE,
    including home page, connection params, bookmarks and so on ... after which my
    brother (7y more experience in IT than me) found about 18 trojans on their (live)
    box ... I found 8 more using an offline scan ...

    (hell, a brother who claims to be an IT professional, and does an AV scan on a live box
    ... I can't believe it)

    --
    DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
    \_o< If computing were an exact science, IT engineers would not have work >o_/
  33. Archived from groups: comp.sys.ibm.pc.hardware.chips

    >>did you read routing table of a WRT54g ?
    >
    >
    >>~ # netstat -r
    >>Kernel IP routing table
    >>Destination Gateway Genmask Flags MSS Window irtt Iface
    >>192.168.111.0 * 255.255.255.0 U 40 0 0 br0
    >>63.198.98.0 * 255.255.255.0 U 40 0 0 vlan1
    >>127.0.0.0 * 255.0.0.0 U 40 0 0 lo
    >>default adsl-63-198-98- 0.0.0.0 UG 40 0 0 vlan1
    >
    >
    > What should I read in there? That's the router part of the WRT54G.
    >
    >
    >>if yes, read me again ...
    >
    >
    > Done. I still don't understand what you're asking or suggesting.

    YOUR STUPIDITY HIDES FROM YOU THAT BR0 HAD TO BE SET UP MANUALLY !!!

    I never had access to any WRT in my life (just touched the plastic box in a shop), BUT
    YOU SHOW ME YOURSELF THAT I AM RIGHT IN MY ASSUMPTIONS !!!

    go and try set up a WDS gateway, and you will learn from life that there is no such
    thing like what you think life is.

    some clue to help your mind:
    what is br0 ? how to set it up ?
    have you ever seen a hardware NIC that the driver makes available as br0 ?
    if it's really a Linux running around, why aren't there eth0 and eth1 in the routing
    tables ???

    have you ever seen on the market a hardware NIC that does at the same time wired and
    non-wired ?
    I never did => where are eth0 and wlan0 ???

    ===>>> stop writing clueless, and stop insulting and arguing with David, Duane, or
    who ever they are.

    --
    DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
    \_o< If computing were an exact science, IT engineers would not have work >o_/
  34. Archived from groups: comp.sys.ibm.pc.hardware.chips

    On Mon, 26 Sep 2005 22:54:37 +0200, DEMAINE Benoit-Pierre
    <nntp_pipex@demaine.info> wrote:

    >YOUR STUPIDITY HIDES FROM YOU THAT BR0 HAD TO BE SET UP MANUALLY !!!

    The setup is stock Sveasoft Alchemy.
    ~ # cat /etc/motd
    ------------------------------------------
    Welcome to the Sveasoft WRT54G/GS Firmware
    Alchemy-V1.0 build
    version v3.37.6.8sv
    USE OF THIS FIRMWARE IS AT YOUR OWN RISK
    http://www.sveasoft.com

    >I never had access to any WRT in my life (just touched the plastic box in a shop), BUT
    >YOU SHOW ME YOURSELF THAT I AM RIGHT IN MY ASSUMPTIONS !!!
    >
    >go and try set up a WDS gateway, and you will learn from life that there is no such
    >thing like what you think life is.

    WDS is fairly simple to setup.
    http://www.linksysinfo.org/modules.php?name=Content&pa=showpage&pid=7

    >some clue to help your mind:
    >what is br0 ? how to set it up ?
    >have you ever seen a hardware NIC that the driver makes available as br0 ?
    >if it's really a Linux running around, why aren't there eth0 and eth1 in the routing
    >tables ???

    It's Linux:
    ~ # uname -a
    Linux router 2.4.20 #2 Thu Apr 21 19:40:17 CEST 2005 mips unknown

    br0 is the bridge port and can be linked to any of the other bridged
    ethernet ports on the switch. I'll guess (not sure) that the routeing
    table uses br0 instead of eth0 because br0 is the filtered port name
    while eth0 is the unfiltered port name.

    Incidentally eth0 and eth1 are there.

    ~ # ifconfig
    br0 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:10
    inet addr:192.168.111.33 Bcast:192.168.111.255
    Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:87104 errors:0 dropped:0 overruns:0 frame:0
    TX packets:111983 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:10605896 (10.1 MiB) TX bytes:47923183 (45.7 MiB)

    eth0 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:10
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:268597 errors:0 dropped:0 overruns:0 frame:0
    TX packets:274490 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:70588908 (67.3 MiB) TX bytes:64626923 (61.6 MiB)
    Interrupt:3 Base address:0x2000

    eth1 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:11
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:66 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:0 (0.0 B) TX bytes:6331 (6.1 KiB)
    Interrupt:4 Base address:0x8000

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
    RX packets:1170 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1170 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:96923 (94.6 KiB) TX bytes:96923 (94.6 KiB)

    vlan0 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:10
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:87085 errors:0 dropped:0 overruns:0 frame:0
    TX packets:188737 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:11164196 (10.6 MiB) TX bytes:53280155 (50.8 MiB)

    vlan1 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:11
    inet addr:63.198.98.51 Bcast:63.198.98.255
    Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:181414 errors:0 dropped:0 overruns:0 frame:0
    TX packets:85673 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:54582227 (52.0 MiB) TX bytes:11338413 (10.8 MiB)


    >have you ever seen on the market a hardware NIC that does at the same time wired and
    >non-wired ?
    >I never did => where are eth0 and wlan0 ???

    wlan0 is wl0

    ~ # cat /proc/net/wl0
    wl0: Aug 2 2004 14:32:51 version 3.60.13.0
    resets 23681
    perm_etheraddr 00:0c:41:9c:3d:12 cur_etheraddr 00:0c:41:9c:3d:12
    board 0x1603, board rev 4.5
    wsec 1 auth 0 wsec_index 0 wep_algo 1
    rate_override 0
    antdiv_override 3 txant 3
    current_bss.BSSID 00:0c:41:9c:3d:12
    current_bss.SSID "LearnByDestroying"
    associated 1


    >===>>> stop writing clueless, and stop insulting and arguing with David, Duane, or
    >who ever they are.

    Clueless? Run a Google Groups search for posting with my name. Read
    a few. Then come back and call me clueless.


    --
    # Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
    # 831.336.2558 voice Skype: JeffLiebermann
    # http://www.LearnByDestroying.com AE6KS
    # http://802.11junk.com
    # jeffl@comix.santa-cruz.ca.us
    # jeffl@cruzio.com
  35. Archived from groups: comp.sys.ibm.pc.hardware.chips

    David Taylor wrote:
    >>The TZ 170 SP Wireless allows network administrators to create user accounts for
    >>occasional guest users such as consultants and contractors that permit wireless
    >>connections to the Internet without providing access to the corporate network.
    >>
    >>sounds nice ... I need to read again tonight ...
    >
    >
    > But you can do that with any AP that provides multiple SSIDs (or a
    > couple of APs) that map to separate VLANs, one for employees and one
    > VLAN going straight out to the internet.
    >
    > David.

    I am not going to buy 100 APs for my parents' house ... nor spend 1y writing IPSEC conf,
    nor buy some 3000e hardware router ...

    If nothing's cheap (200 USD) or fast to implement (4 human days), I just give up.

    --
    DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
    \_o< If computing were an exact science, IT engineers would not have work >o_/
  36. Archived from groups: comp.sys.ibm.pc.hardware.chips

    > I am not going to buy 100 APs for my parents' house ... nor spend 1y writing IPSEC conf,
    > nor buy some 3000e hardware router ...

    Where did you get 100 from? I said ONE AP that supports multiple SSIDs,
    otherwise use 2 APs, one for each SSID, and use VLANs to separate the
    networks.
  37. Archived from groups: comp.sys.ibm.pc.hardware.chips

    >>some clue to help your mind:
    >>what is br0 ? how to set it up ?
    >>have you ever seen a hardware NIC that the driver makes available as br0 ?
    >>if it's really a linux running around, why aren't there eth0 and eth1 in the routing
    >>tables ???
    >
    >
    > It's Linux:
    > ~ # uname -a
    > Linux router 2.4.20 #2 Thu Apr 21 19:40:17 CEST 2005 mips unknown
    >
    > br0 is the bridge port and can be linked to any of the other bridged
    > ethernet ports on the switch. I'll guess (not sure) that the routeing
    > table uses br0 instead of eth0 because br0 is the filtered port name
    > while eth0 is the unfiltered port name.

    That's wrong, and your next post confirms it ...

    br0 is NOT a bridge port

    and you can NOT choose the port of the switch you link to.

    you OBVIOUSLY don't know how this device is soldered.

    And finally, your guess IS WRONG.

    br0 IS NOT an alias nor a filter.

    I told you to read about WDS because the tutorials tell about this difference. Maybe you
    read the words, but your brain did not understand them.

    > Incidentally eth0 and eth1 are there.
    >
    > ~ # ifconfig
    > br0 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:10
    > inet addr:192.168.111.33 Bcast:192.168.111.255
    > Mask:255.255.255.0
    > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    > RX packets:87104 errors:0 dropped:0 overruns:0 frame:0
    > TX packets:111983 errors:0 dropped:0 overruns:0 carrier:0
    > collisions:0 txqueuelen:0
    > RX bytes:10605896 (10.1 MiB) TX bytes:47923183 (45.7 MiB)
    >
    > eth0 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:10
    > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    > RX packets:268597 errors:0 dropped:0 overruns:0 frame:0
    > TX packets:274490 errors:0 dropped:0 overruns:0 carrier:0
    > collisions:0 txqueuelen:100
    > RX bytes:70588908 (67.3 MiB) TX bytes:64626923 (61.6 MiB)
    > Interrupt:3 Base address:0x2000
    >
    > eth1 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:11
    > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    > RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    > TX packets:66 errors:0 dropped:0 overruns:0 carrier:0
    > collisions:0 txqueuelen:100
    > RX bytes:0 (0.0 B) TX bytes:6331 (6.1 KiB)
    > Interrupt:4 Base address:0x8000
    >
    > lo Link encap:Local Loopback
    > inet addr:127.0.0.1 Mask:255.0.0.0
    > UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
    > RX packets:1170 errors:0 dropped:0 overruns:0 frame:0
    > TX packets:1170 errors:0 dropped:0 overruns:0 carrier:0
    > collisions:0 txqueuelen:0
    > RX bytes:96923 (94.6 KiB) TX bytes:96923 (94.6 KiB)
    >
    > vlan0 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:10
    > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    > RX packets:87085 errors:0 dropped:0 overruns:0 frame:0
    > TX packets:188737 errors:0 dropped:0 overruns:0 carrier:0
    > collisions:0 txqueuelen:0
    > RX bytes:11164196 (10.6 MiB) TX bytes:53280155 (50.8 MiB)
    >
    > vlan1 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:11
    > inet addr:63.198.98.51 Bcast:63.198.98.255
    > Mask:255.255.255.0
    > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    > RX packets:181414 errors:0 dropped:0 overruns:0 frame:0
    > TX packets:85673 errors:0 dropped:0 overruns:0 carrier:0
    > collisions:0 txqueuelen:0
    > RX bytes:54582227 (52.0 MiB) TX bytes:11338413 (10.8 MiB)

    without br0, eth0 and wlan0 are just ... independent !

    there is NO hardware bridge, and there is no default hard link.

    bridging eth to wlan IS SOFTWARE !!!

    wlan0 is NOT an ethernet NIC with an antenna, but a NIC dedicated to wireless.

    > Clueless? Run a Google Groups search for posting with my name. Read
    > a few. Then come back and call me clueless.

    the fact you wrote 1000000 messages in groups does not mean you know what you write
    about.

    > All 802.11 wireless cards are bridged. You can attach a router at
    > both ends and hide the bridging from the client, but the basic
    > protocol is bridging.

    NO wireless card is bridged. NONE.

    Bridging IS NOT A PROTOCOL, but a software setup.

    > 802.11 wireless is bridging by definition.

    did you ever set up MANUALLY a wireless card ?
    what is wlan0 ?
    how is br0 set up on the WRT ?

    there is no such protocol as bridging !
    and 802.11 is only supported by dedicated cards.

    > There's no other
    > way to connect between wireless and wired devices other than bridging.

    there IS, and I do it every morning:
    iptables.

    *********

    the more I read your old posts, the more I see you speak cluelessly.

    --
    DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
    \_o< If computing were an exact science, IT engineers would not have work >o_/
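As an added example (not code from the thread, nor from any WRT firmware), this is the routed-instead-of-bridged setup the last post alludes to with "iptables": wlan0 is kept out of br0 and given its own subnet, and the FORWARD chain lets only IKE and ESP cross from the wireless segment to an IPsec gateway on the wired LAN, which is the "require IPsec from every wireless client" policy the original question asked for. The interface names br0/wlan0 and the 192.168.111.0/24 LAN subnet come from the ifconfig output quoted above; the wireless subnet 192.168.112.0/24 and the gateway address 192.168.111.2 are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): keep wlan0 OUT of br0 and route it
# instead, forwarding only IPsec (IKE + ESP) from the wireless segment.
# br0/wlan0 and the LAN subnet 192.168.111.0/24 come from the ifconfig output
# above; the wireless subnet and the IPsec gateway address are constructed.
WLAN_IF="wlan0"
BR_IF="br0"
WLAN_NET="192.168.112.0/24"      # constructed wireless subnet
WLAN_GW_ADDR="192.168.112.1"     # router's own address on wlan0
IPSEC_GW="192.168.111.2"         # placeholder: IPsec endpoint on the wired LAN

# Emit the commands instead of running them, so the policy can be reviewed
# before it is applied as root on the router.
gen_rules() {
    cat <<EOF
# 1. wlan0 is a routed interface, not a bridge member
brctl delif $BR_IF $WLAN_IF 2>/dev/null || true
ifconfig $WLAN_IF $WLAN_GW_ADDR netmask 255.255.255.0 up
echo 1 > /proc/sys/net/ipv4/ip_forward
# 2. Default deny for anything crossing the router
iptables -P FORWARD DROP
# 3. Wireless -> LAN: only IKE (UDP 500, NAT-T 4500) and ESP to the gateway
iptables -A FORWARD -i $WLAN_IF -o $BR_IF -s $WLAN_NET -d $IPSEC_GW -p udp --dport 500 -j ACCEPT
iptables -A FORWARD -i $WLAN_IF -o $BR_IF -s $WLAN_NET -d $IPSEC_GW -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD -i $WLAN_IF -o $BR_IF -s $WLAN_NET -d $IPSEC_GW -p esp -j ACCEPT
# 4. Replies from the gateway back to the wireless segment
iptables -A FORWARD -i $BR_IF -o $WLAN_IF -s $IPSEC_GW -d $WLAN_NET -p udp --sport 500 -j ACCEPT
iptables -A FORWARD -i $BR_IF -o $WLAN_IF -s $IPSEC_GW -d $WLAN_NET -p udp --sport 4500 -j ACCEPT
iptables -A FORWARD -i $BR_IF -o $WLAN_IF -s $IPSEC_GW -d $WLAN_NET -p esp -j ACCEPT
# 5. Anything else from wireless falls through to DROP; log it first so a
#    misconfigured client (plain HTTP, SMB, ...) shows up in the router log
iptables -A FORWARD -i $WLAN_IF -j LOG --log-prefix "wlan-unencrypted: "
EOF
}

# Sanity check on the generated policy: every ACCEPT in FORWARD must be
# pinned to IKE or ESP. Returns the count of ACCEPT rules that are not.
count_open_forwards() {
    gen_rules | grep '^iptables -A FORWARD' | grep -- '-j ACCEPT' \
        | grep -v -e '--dport 500' -e '--dport 4500' -e '--sport 500' \
                  -e '--sport 4500' -e '-p esp' | wc -l | tr -d ' '
}
```

Review the output of `gen_rules` first, then apply it on the router as root with `gen_rules | sh`; `count_open_forwards` should print 0 before and after any later edits to the ruleset.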