Topic: Restricted wireless access

[Rogue]

I currently have SME 6.01-01 with the latest update script additions, and it's working perfectly.

Current configuration is:
DSL Modem - SME Server - Internal LAN - PCs

Currently one of the PCs also acts as a media server for the internal LAN.

What I want to do is provide a wireless AP that only allows access to the media server, with the exception of one MAC/IP address which has full access to internal and external network (my work laptop).

I'm guessing this will involve a few steps:
1. Add 3rd NIC to SME server
2. Add AP attached to 3rd NIC (or possibly modified Enterasys AP card as 3rd NIC)
3. Add additional subnet for 3rd NIC/Wifi interface
4. Configure iptables rules to suit
5. Profit!! (ok, well maybe just a beer to celebrate)

I have a spare NIC and a PCI/PCMCIA adaptor w/ an Enterasys Roamabout card so I can do either option. Where I am really getting lost is on adding the new subnet and configuring the iptables rules.

Any constructive advice? Any better solutions?

[cc_skavenger]

Why couldn't you just add the AP to your lan?

[Rogue]

Why couldn't you just add the AP to your lan?

That would not restrict access from the wireless devices to the external network (and ultimately the internet).

The wireless devices are going to be some media players and a neighbour's PC. The media players have the option for internet radio, which I do not want little fingers to use (Australia has excessive download restrictions and charges). I also do not want my neighbour browsing my other networked PCs, nor using my 'net connection.

I don't mind if the AP is plugged into the internal network switch, to save the need for a third NIC, but I suspect I would not then be able to prevent browsing to the PCs on that network.

[dmajwool]

You could add a second nic to the media server and connect the AP to that.

HTH.
David

[Arnie]

I've been trying to do the same thing for a while now, except I was going to block all traffic from the wifi subnet except pptp, so I could leave the AP unsecured (for ease of configuration) and any laptop connecting to it wouldn't be able to do squat until they VPNed into the SME Server.

The problem is a friendly way to add a 3rd nic. You can do it in a script file, but 2 years later when you migrate to new hardware, you've forgotten where the script is, or how you set it up in the first place etc.

I've been toying with the idea of creating a sub-interface off the LAN nic and doing it that way. That would save having to load nic driver and such. It should be easy enough to do (ifconfig eth0.1 addr ... etc) but I haven't had the time to test it, nor do I know anything about iptables or had time to read the docs on it. I suppose blocking all traffic except protocol 47 should be easy.

Damn having children!

[briank]

I love sme but ipcop now has a fourth "blue"  wireless semi-trusted network ready to go.
You could run your sme server in the ipcop dmz - just a thought.
Regards
brian

[jackl]

Fit a second NIC to your media server, connect this to the AP and enable DHCP on AP, all wireless users should now be able to connect depending on the access control and WEP/WPA settings you set on the AP.
They will not be able to access the wired network as long as you do not bridge the two nics in the media server.


Regards
Jackl

[briank]

Yes - that will work. I have just done this putting a wireless hotspot in for an hotel and we wanted no access to their n/w. As long as there is no bridge it is secure.
Regards
brian

[Rogue]

Thanks everyone for your advice.

Looks like a network reshuffle is in order then. Currently my media server is at the other end of the house from the SME server (which lives in a patch cupboard) and was where I planned to mount the AP.

I'm guessing there is no easy way to do this via the SME server to save me running additional cabling to the media room?

[dmajwool]

If the existing network connection to the media server is 10 or 100 base T on cat5 cable, then it will be using only 4 of the 8 wire cores.
You could add adapters to each end of the cat5 cable to break it out into two sets of rj45 connectors.
HTH.  David

[Rogue]

If the existing network connection to the media server is 10 or 100 base T on cat5 cable, then it will be using only 4 of the 8 wire cores.
You could add adapters to each end of the cat5 cable to break it out into two sets of rj45 connectors.
HTH.  David

I'm currently using adaptors to run phone and data over the same cable, so the satellite receiver modem has connectivity for it's updates, etc.

Looks like it's time to run a new cable (or several, if I'm going to get up there anyway).

[dmajwool]

If putting new cat5 cables in is a real nuisance / expense, you could build a new SME server in the convenient physical location and run the media files and AP from that.
I'm using a mini-ITX machine for my mp3's and squeezeboxes, for example.
HTH  David

[jacomms]

Rouge .... PM me if you r still ripping your hair out over this .....a mate has written a script for this .. I know he wont mind sharing it with you...

[Rogue]

Hi David - physically no room, as everything is already housed in a small (12RU) cabinet at the far end. But it's an interesting suggestion.

jacomms - PMs appear to be disabled, but I would be interested in that script. Any chance you could email to me? scott at hilton dot id dot au