Suggestions : Wireless Modem Access Point
Alex Satrapa
alex at topic.com.au
Wed Dec 12 13:25:18 EST 2001
On Tuesday, December 11, 2001, at 10:31, Tom Gallagher wrote:

> Here's my scenario:
> I am going to buy some wireless LAN cards soon for my small flat (Linux
> and Win98 desktop PCs + laptop in the future) and I would like to buy a
> modem access point. I would like a small box that I can sit by my phone
> socket and then access the internet from any PC in the flat.
> I have looked at the Buffalo AirStation range and also the Apple
> Airport.

The Apple Airports (I and II) are designed for one specific market -
home users who want to browse the web.

The Airport doesn't allow inbound connections.

I have a Linux box (called "box") which provides the ADSL connection to
my house (sorry - I forgot, it's actually running "Windows 98" as far as
Telstra's concerned). This machine allows me to SSH in from anywhere,
and to use PPTP from my office. Using IPSec was going to require
getting a bleeding edge kernel, adding patches from a million different
places, and doing a whole lot more reading at the time than I was happy
with.

I agree with other posts - if you want an Airport, you'd end up using it
as a Rolls Royce managed hub. Just enable WEP to prevent accidental
intrusion, restrict MAC addresses to stop the neighbors accidentally
getting an address on your network instead of their own, then set the
hub up as an untrusted network - even less trusted than the Internet.

I would have a setup like this:

    Wireless Laptop <- radio -> Wireless Hub
      <- ethernet -> W-Firewall
      <- ethernet -> Wired Network
      <- ethernet -> I-Firewall
      <- dialup/ADSL/cable/pigeon -> ISP

The W-Firewall could provide services such as DHCP and link/network
layers such as PPPoE, PPTP, whatever. The idea being that you don't
actually route from the wireless network to anywhere. Everywhere else,
you deny/reject/slash-and-burn packets that originate from the wireless
network.

Machines on the wireless network should connect using an encrypted
"network" such as PPPoE using MPPE, PPTP using MPPE, or IPSec to the
W-Firewall box, which then allows these "secure" connections to send
packets to other places.

Don't think of the 802.11 card as a "network card" so much as a
"wireless modem". You'd at least use CHAP on a dial-up PPP link, why
not put the same level of access control on your wireless link?

Keep an eye out for neighbours pointing 12cm directional antennae at
your house, or people in silver-windowed vans parking outside your house
for 12 hours at a time...

... and don't forget the Black Helicopters who are going to steal your
secrets anyway, 3072-bit encryption or not.

Alex
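
The W-Firewall policy described in the message above, sketched as an iptables-restore ruleset (an added example, not part of Alex's post). The interface names, the choice of PPTP as the tunnel, the SSH management rule and the sample subnet are assumptions.

```shell
#!/bin/sh
# Added example: prints a ruleset for the "W-Firewall" box.
# Usage (as root): wfirewall_rules eth1 eth0 'ppp+' | iptables-restore

wfirewall_rules() {
    wifi_if="${1:-eth1}"    # assumed: NIC facing the wireless hub
    wired_if="${2:-eth0}"   # assumed: NIC facing the wired network
    tun_if="${3:-ppp+}"     # assumed: per-client PPTP tunnel interfaces
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Assumed: administration over SSH from the wired side only.
-A INPUT -i $wired_if -p tcp --dport 22 -j ACCEPT
# Wireless side: only DHCP and the PPTP tunnel (TCP 1723 + GRE) reach this box.
-A INPUT -i $wifi_if -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $wifi_if -p tcp --dport 1723 -j ACCEPT
-A INPUT -i $wifi_if -p 47 -j ACCEPT
-A INPUT -i $wifi_if -j DROP
# Nothing is routed straight off the wireless segment.
-A FORWARD -i $wifi_if -j DROP
# Traffic arriving through an authenticated tunnel may go on, and replies return.
-A FORWARD -i $tun_if -o $wired_if -j ACCEPT
-A FORWARD -i $wired_if -o $tun_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# For every other host or firewall: refuse anything still carrying a
# wireless-segment source address. The default subnet is a constructed
# sample; tunnel clients must be given addresses from a different pool.
wired_host_rule() {
    printf '%s\n' "-A INPUT -s ${1:-192.168.99.0/24} -j DROP"
}
```
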