#1  06-07-2007, 06:43 PM
Peter B. Steiger
Belt and suspenders: Routing the WRT through an existing firewall

Now that we resolved the problem of my miscommunication with the WRT54GL,
I'm ready to move on (after installing dd-wrt!) and put this sucker to
use.

In all the OEM docs, wikis, Usenet threads, and cave drawings I have seen
on the subject they all tell me to plug my ISP's ethernet cable into the
wireless router and plug any wired ethernet PCs into the ethernet ports.

What if I don't want to do that? I have a nice software firewall tweaked
within an inch of its life using iptables on my Linux server, so I'd like
to assign the wireless router a static IP address and plug it into my
existing network switch controlled by the Linux box, like this:

         [MY ISP]
             |
       [LINUX ETH1]
             |
    (iptables firewall)
             |
       [LINUX ETH0]
             |
  (wired network switch)
   |     |    |    |
Linksys  PC   PC   PC
  . . .
My laptops

My thinking is, that will ensure that not only will iptables do all the
firewall stuff before any nasties start floating through the air, but it
will also ensure that only computers on my LAN subnet will even be able
to talk to the Linksys.

Does that make sense, or is it an unnecessary extra layer of complication
borne of my complete ignorance of wireless networking? I trust your
judgement, Reb Liebermann... if you say dd-wrt's firewall is sufficient,
I'll go with the standard configuration and stop obsessing over iptables.

--
Peter B. Steiger
Cheyenne, WY
If you must reply by email, you can reach me by placing zeroes
where you see stars: wypbs_**2 at steigerfamily.com.

--
Posted via a free Usenet account from http://www.teranews.com


#2  06-07-2007, 08:41 PM
barry@sme-online.com
Re: Belt and suspenders: Routing the WRT through an existing firewall

On Jun 7, 2:43 pm, "Peter B. Steiger" <see....@for.email.address>
wrote:
> Now that we resolved the problem of my miscommunication with the WRT54GL,
> I'm ready to move on (after installing dd-wrt!) and put this sucker to
> use.
>
> In all the OEM docs, wikis, Usenet threads, and cave drawings I have seen
> on the subject they all tell me to plug my ISP's ethernet cable into the
> wireless router and plug any wired ethernet PCs into the ethernet ports.
>
> What if I don't want to do that? I have a nice software firewall tweaked
> within an inch of its life using iptables on my Linux server, so I'd like
> to assign the wireless router a static IP address and plug it into my
> existing network switch controlled by the Linux box, like this:
>
>          [MY ISP]
>              |
>        [LINUX ETH1]
>              |
>     (iptables firewall)
>              |
>        [LINUX ETH0]
>              |
>   (wired network switch)
>    |     |    |    |
> Linksys  PC   PC   PC
>   . . .
> My laptops
>
> My thinking is, that will ensure that not only will iptables do all the
> firewall stuff before any nasties start floating through the air, but it
> will also ensure that only computers on my LAN subnet will even be able
> to talk to the Linksys.
>
> Does that make sense, or is it an unnecessary extra layer of complication
> borne of my complete ignorance of wireless networking? I trust your
> judgement, Reb Liebermann... if you say dd-wrt's firewall is sufficient,
> I'll go with the standard configuration and stop obsessing over iptables.
>
> --
> Peter B. Steiger
> Cheyenne, WY
> If you must reply by email, you can reach me by placing zeroes
> where you see stars: wypbs_**2 at steigerfamily.com.
>
> --
> Posted via a free Usenet account from http://www.teranews.com


Most likely, a competent NAT firewall will do it for you; I know it
does for me, as tested periodically with the help of www.pcflank.com.

Then you can devote resources to deal with stuff that comes in
as attachments, etc., rather than obsess over direct IP-borne
attacks. :')

J


#3  06-07-2007, 09:37 PM
Peter B. Steiger
Re: Belt and suspenders: Routing the WRT through an existing firewall

On Thu, 07 Jun 2007 18:43:46 +0000, Peter B. Steiger sez:
> Now that we resolved the problem of my miscommunication with the
> WRT54GL, I'm ready to move on (after installing dd-wrt!) and put this
> sucker to use.


I'll save Jeff the trouble of reposting some excellent advice he gave me
a couple of months ago when I was first shopping for a wireless router.
For the benefit of anyone else who stumbles across this thread and has
similar questions to mine, this response to my "where do I start?" post
is chock-full o' sage advice, random musings, and links to more sage
advice:
http://groups.google.com/group/alt.i...9a0a94cf3f0c05

Since that's an impossibly long URL, here's a shorter one:
http://tinyurl.com/ywfc6g

--
Peter B. Steiger
Cheyenne, WY
If you must reply by email, you can reach me by placing zeroes
where you see stars: wypbs_**2 at steigerfamily.com.

--
Posted via a free Usenet account from http://www.teranews.com


#4  06-08-2007, 07:33 AM
Jeff Liebermann
Re: Belt and suspenders: Routing the WRT through an existing firewall

"Peter B. Steiger" <see.sig@for.email.address> hath wroth:

>On Thu, 07 Jun 2007 18:43:46 +0000, Peter B. Steiger sez:
>> Now that we resolved the problem of my miscommunication with the
>> WRT54GL, I'm ready to move on (after installing dd-wrt!) and put this
>> sucker to use.


>I'll save Jeff the trouble of reposting some excellent advice he gave me
>a couple of months ago when I was first shopping for a wireless router.
>For the benefit of anyone else who stumbles across this thread and has
>similar questions to mine, this response to my "where do I start?" post
>is chock-full o' sage advice, random musings, and links to more sage
>advice:
>http://groups.google.com/group/alt.i...9a0a94cf3f0c05
>
>Since that's an impossibly long URL, here's a shorter one:
>http://tinyurl.com/ywfc6g


Did I write all that? Well, it's my signature at the bottom so I
guess I wrote it. It's amazingly accurate and fairly close to
answering your question. Yeah, I guess it was me.

Basically, you don't need to plug anything into the WAN (internet) port
on the WRT54G. You already have a Linux router and really don't need
another router in series with your network. Just configure the WRT54G
as an access point, disable the DHCP server in the WRT54G, and set the
IP address so it doesn't conflict with the Linux router IP, and
connect a cable to one of the LAN ports on the WRT54G to the LAN side
of the Linux router. Done. I hate to waste all the nifty router
features in DD-WRT, but there's enough in the wireless config to
create sufficient entertainment value.

Also, you might want to look at the wireless features in DD-WRT v24
beta (2007 - 0607). See online v24 simulation at:
<http://www.informatione.gmxhome.de/DDWRT/Standard/V24BetaVPN/index.html>
I'm playing with the EoIP (ethernet over IP) tunnel feature that's
basically a transparent bridge that doesn't re-write MAC addresses,
through an encrypted tunnel. Nice. Much nicer than one IP per VPN
tunnel. Also, multiple SSID's (virtual access points) and "universal
repeater" but I haven't tried those yet.
http://www.dd-wrt.com/wiki/index.php...eless_Repeater

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
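
Added example, not part of Jeff Liebermann's post: a Python check for the "set the IP address so it doesn't conflict" step above, run against a proposed static address for the WRT54G before it is cabled LAN-to-LAN. The subnet, DHCP pool and the function name `check_ap_address` are constructed for illustration, and it assumes the Linux box is the LAN's DHCP server.

```python
import ipaddress


def check_ap_address(ap_ip, router_if, dhcp_first, dhcp_last, other_static=()):
    """Return a list of problems with a proposed static address for the AP.

    router_if             -- Linux router's LAN interface as "address/prefix"
    dhcp_first, dhcp_last -- inclusive range handed out by the LAN DHCP server
    other_static          -- addresses already pinned to other wired hosts
    """
    ap = ipaddress.ip_address(ap_ip)
    lan = ipaddress.ip_interface(router_if)
    first = ipaddress.ip_address(dhcp_first)
    last = ipaddress.ip_address(dhcp_last)
    problems = []

    # The AP is bridged onto the LAN, so its management address must be on it.
    if ap not in lan.network:
        problems.append("outside LAN subnet %s" % lan.network)
    elif ap in (lan.network.network_address, lan.network.broadcast_address):
        problems.append("network or broadcast address")

    # A duplicate of the router's address would break the default gateway.
    if ap == lan.ip:
        problems.append("same address as the Linux router")

    # An address inside the pool can later be leased to a laptop.
    if first <= ap <= last:
        problems.append("inside DHCP pool, may be leased to a client")

    if ap in {ipaddress.ip_address(a) for a in other_static}:
        problems.append("already assigned to another static host")
    return problems


# Constructed sample plan (assumption): router LAN side and its DHCP pool.
ROUTER_IF = "192.168.1.1/24"
POOL = ("192.168.1.100", "192.168.1.199")

if __name__ == "__main__":
    for candidate in ("192.168.1.2", "192.168.1.1",
                      "192.168.1.150", "192.168.2.5"):
        result = check_ap_address(candidate, ROUTER_IF, *POOL)
        print(candidate, result or "ok")
```
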
