[clug] ... and WiFi access in Civic

Adam Thomas adam.lloyd at gmail.com
Mon Feb 18 07:18:57 GMT 2008


On 18/02/2008, Brad Hards <bradh at frogmouth.net> wrote:
> On Monday 18 February 2008 12:23:48 am Paul Wayper wrote:
> > My suggestion here is to do something similar to what Steve implemented at
> > LCA this year.  We have one network of unsecured WiFi but that is locked
> > down to prevent the more egregious abuses (e.g. no unsecured SMTP), and one
> > WPA-protected WiFi network which people that come along to CLUG meetings
> > can use.  Either hand out the pass phrase at CLUG meetings, recognise
> > specific MAC addresses, or whatever.  But I'd prefer to come up with
> > something that everyone agrees is going to work.
> What is the rationale for this?
>
> In particular, why not just have a single network?
>
> I don't see the need for a protected network, since you have to assume that it
> is potentially hostile anyway (potential compromise of access controls given
> the amount of people that could know it / pass it on / lose the bit of paper;
> and lack of real physical security on the access points).

Would an OpenVPN server running on a firewall allow for network segregation?

When a client connects to the AP the DHCP server gives them an address
in a 192.168.1.0/24 network. The firewall could allow NATed access out
to the net on 80 and 443 from that address range.

If the client then connects to the VPN the DHCP server would give them
another IP in a 192.168.1.0/24 network. The firewall would then allow
open (NATed) access from 192.168.1.0/24 through the VPN device to the
outside network.

Adam
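
The two-tier policy described in the message above, sketched as an added example (not part of the original post and not anyone's deployed configuration): a shell function that emits an `iptables-restore` ruleset. The interface names, a firewall-local DNS resolver, the OpenVPN listener on UDP 1194 and the separate 10.8.0.0/24 VPN pool are assumptions; the post gives 192.168.1.0/24 for both pools, and a distinct VPN range is assumed here so the firewall can tell the tiers apart by source address.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for the two-tier layout.
# Assumed names (not from the post): eth0 = uplink, wlan0 = AP side,
# tun0 = OpenVPN device, 10.8.0.0/24 = VPN pool, UDP 1194 = OpenVPN listener.
WAN_IF=${WAN_IF:-eth0}
WIFI_IF=${WIFI_IF:-wlan0}
VPN_IF=${VPN_IF:-tun0}
WIFI_NET=${WIFI_NET:-192.168.1.0/24}
VPN_NET=${VPN_NET:-10.8.0.0/24}

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Open-WiFi clients reach only DHCP, DNS (assumed local resolver) and the VPN listener
-A INPUT -i $WIFI_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $WIFI_IF -s $WIFI_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $WIFI_IF -s $WIFI_NET -p udp --dport 1194 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Tier 1: clients that only joined the AP get web ports, nothing else
-A FORWARD -i $WIFI_IF -o $WAN_IF -s $WIFI_NET -p tcp -m multiport --dports 80,443 -j ACCEPT
# Tier 2: traffic arriving through the VPN device gets open outbound access
-A FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $WIFI_NET -j MASQUERADE
-A POSTROUTING -o $WAN_IF -s $VPN_NET -j MASQUERADE
COMMIT
EOF
}

# Print the ruleset when invoked as: sh script.sh print
# Validate without loading it: sh script.sh print | iptables-restore --test
if [ "${1:-}" = "print" ]; then
    gen_rules
fi
```

Because the FORWARD policy is DROP, a client that never authenticates to the VPN has no path for SMTP or any other non-web port, and there is no rule forwarding between wlan0 and tun0.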

