[Leaplist] blue ipcop--remind me...
Bryan J Smith
b.j.smith at ieee.org
Wed Dec 10 11:33:45 EST 2008
On Wed, 2008-12-10 at 07:46 -0600, tom foster wrote:
> And draw me a picture too.
> How do I hook up an access point to the blue interface? I don't know
> which wireless router I'm going to get yet, but I'd like to know how to
> turn off DHCP on the router and let IPCop hand out addresses. I have
> no idea. What do you do, give the router an address?
First off, have you considered buying a Wireless Access Point (AP)
instead of a Wireless 'Ritter*1*? The APs typically have a much beefier
microcontroller than the 'Ritters.
E.g., I have an AP that can easily handle the seven (7) wireless nodes
in my house (my personal and work notebook, my wife's two notebooks, my
and my wife's PSPs and our Wii), at full AES*2*. I've seen a lot of
'Ritters choke on more than 2-3 nodes.
Secondly, assigning an IP address is no different than anything else.
You go into the unit and assign either DHCP or a Static address to the
LAN port, with the Gateway as your Blue interface. In the case of the
AP, it's the only port. In the case of the 'Ritter, just use the LAN
port and it'll bridge.
Third, Blue nodes can _not_ access Green nodes. You will need a VPN for
the Blue to access the Green. You can use the built-in IPSec
(OpenS/WAN) in IPCop, or you can add the OpenVPN plug-in (name of
project escapes me), which I've been using for years. You do have to
check/test OpenVPN's setup with each IPCop update, but they typically
don't affect it anymore.
Here's your ASCII art ...

              IPCop
             /  |  \
        Green  Red  Blue
         |||    |     \
       Nodes  iNet   AP or 'Ritter "LAN"
-- Bryan
P.S. I recommend MAC filtration at both the IPCop Blue interface and
the AP/'Ritter interface. It's a double-step and not foolproof in the
least bit, but it never hurts to deny the random scanner's immediate
ability to associate (AP/'Ritter) or even route through to the Internet
(Blue).
*1* "'Ritters: Because most NAT/PAT devices are NOT Routers!"
http://thebs413.blogspot.com/2005/07/ritters-because-most-natpat-devices.html
*2* Wi-Fi Protected Access (WPA) 256-bit Advanced Encryption Standard
(AES) uses more than an order of magnitude more horsepower than 64-bit
RC4, which is used by Temporal Key Integrity Protocol (TKIP), also part
of the WPA standard. TKIP's RC4 is the same cipher as Wired Equivalent
Privacy (WEP), designed for the day when microcontrollers were tens of
MHz. TKIP is still commonly enabled by default, along with AES, on WLAN
WPA infrastructure devices for compatibility with older devices that
only do RC4, not AES. From day 1 with WPA, I _never_ allowed any TKIP
on my network, disabling it (or not buying infrastructure devices
that would not let me enable only AES). My attitude was proven correct
with the recent compromises of TKIP.
--
Bryan J Smith Professional, Technical Annoyance
Mugshot Homepage: http://mugshot.org/person?who=58wDcGKx6NcZAb
---------------------------------------------------------------
Fission Power: An Inconvenient Solution
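As an added example (not code from the original post, and not IPCop's or any AP vendor's own), here is a small Python checker for the two settings the post recommends on the AP side: offering AES (CCMP) only, with TKIP disabled, and a MAC filter. It assumes hostapd's configuration keys (wpa, wpa_pairwise, rsn_pairwise, macaddr_acl, accept_mac_file), since the post names no specific AP firmware; on hostapd the "WPA with AES only" choice in the post corresponds to wpa=2 with rsn_pairwise=CCMP. The two sample configurations are constructed for the example.

```python
"""Audit an AP configuration for the two settings the post recommends at
the AP: AES (CCMP) only with TKIP disabled, and a MAC filter.

Added example, not code from the original post. It assumes hostapd's
configuration keys; the post names no specific AP firmware.
"""

# Constructed sample: the "compatibility" style default the post warns
# about, with TKIP still allowed next to CCMP and any client MAC accepted.
WEAK_CONF = """\
interface=wlan0
ssid=home-blue
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=example-passphrase-change-me
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
macaddr_acl=0
"""

# Constructed sample: WPA2/RSN only, CCMP only, deny-unless-listed MAC ACL.
HARDENED_CONF = """\
interface=wlan0
ssid=home-blue
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=example-passphrase-change-me
rsn_pairwise=CCMP
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
"""


def parse_conf(text):
    """Parse hostapd-style key=value lines into a dict.

    Blank lines and '#' comments are skipped; a repeated key keeps its
    last value.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def pairwise_ciphers(conf):
    """Return the set of pairwise ciphers the AP would offer.

    Mirrors hostapd's documented defaults: wpa_pairwise defaults to
    'TKIP CCMP' and rsn_pairwise defaults to wpa_pairwise, so a config
    that simply omits both still offers TKIP.
    """
    wpa = conf.get("wpa", "0")
    wpa_pairwise = conf.get("wpa_pairwise", "TKIP CCMP").split()
    rsn_pairwise = conf.get("rsn_pairwise", " ".join(wpa_pairwise)).split()
    offered = set()
    if wpa in ("1", "3"):      # WPA (v1) enabled
        offered.update(wpa_pairwise)
    if wpa in ("2", "3"):      # WPA2 / RSN enabled
        offered.update(rsn_pairwise)
    return offered


def audit_ap_conf(text):
    """Return a list of findings; an empty list means both recommendations
    from the post are met (CCMP only, and a MAC accept list)."""
    conf = parse_conf(text)
    findings = []

    wpa = conf.get("wpa", "0")
    if wpa == "0":
        findings.append("encryption: no WPA/RSN configured (open or WEP)")
    else:
        if wpa != "2":
            findings.append("encryption: WPA (v1) enabled (wpa=%s); use wpa=2" % wpa)
        ciphers = pairwise_ciphers(conf)
        if "TKIP" in ciphers:
            findings.append("encryption: TKIP offered (%s); use CCMP only"
                            % " ".join(sorted(ciphers)))
        if "CCMP" not in ciphers:
            findings.append("encryption: CCMP (AES) not offered")

    acl = conf.get("macaddr_acl", "0")
    if acl == "0":
        findings.append("MAC filter: macaddr_acl=0 accepts any client MAC")
    elif acl == "1" and not conf.get("accept_mac_file"):
        findings.append("MAC filter: macaddr_acl=1 without accept_mac_file")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("%s: %s" % (name, audit_ap_conf(conf) or ["ok"]))
```

The checker covers only the AP side of the post's P.S.; the matching filter on IPCop's Blue interface is configured in IPCop itself and is not modelled here. As the post says, a MAC filter is not foolproof (a client MAC is sent in the clear and can be copied), so the cipher check is the one that carries the security weight.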