A Broadband and ADSL forum. BroadbanterBanter


uk.telecom.broadband (UK broadband) (uk.telecom.broadband) Discussion of broadband services, technology and equipment as provided in the UK. Discussions of specific services based on ADSL, cable modems or other broadband technology are also on-topic. Advertising is not allowed.

Using a WAG354G as a wifi AP, with port range blocking



 
 
  #1  
Old October 16th 11, 11:51 AM posted to uk.telecom.broadband
Peter
external usenet poster
 
Posts: 330
Default Using a WAG354G as a wifi AP, with port range blocking

Hi,

I have for some time had this box working, as a simple ethernet-in
wifi AP.

The ethernet side connects to the home LAN.

Now I am trying to block ports 81-442 and 444-65535.

This is to prevent somebody (who has the WPA password, e.g. a guest in
our house) seeing the computers on the LAN. In particular I want to
block the Netbios ports c. 138.

I have done this successfully on a WRT54GC, but it took a huge amount
of fiddling. The two boxes are somewhat similar but not similar
enough.

The 54GC is running in a "Static IP" mode, with DHCP for the wifi
clients.

The 354G has been running in a "Bridge Mode Only" mode, without DHCP
(so the client IPs are allocated by the router on the LAN).

The 354G options are

Bridge Mode Only
RFC1483 Bridged
RFC1483 Routed
RFC2516 PPPOE
RFC2364 PPPOA

In Bridge Mode Only it works but I cannot get the access restrictions
to do anything at all. That part of the config is very similar to the
54GC one, which works OK.

Can anybody suggest anything I might be doing wrong?

Under the PCs, I have set up an IP range of 192.... 1 to 254 so every
possible wifi client should qualify for the block.

Many thanks...
  #2  
Old October 16th 11, 12:27 PM posted to uk.telecom.broadband
Jon
external usenet poster
 
Posts: 16
Default Using a WAG354G as a wifi AP, with port range blocking

Peter wrote...


> Hi,
>
> I have for some time had this box working, as a simple ethernet-in
> wifi AP.
>
> The ethernet side connects to the home LAN.
>
> Now I am trying to block ports 81-442 and 444-65535.
>
> This is to prevent somebody (who has the WPA password, e.g. a guest in
> our house) seeing the computers on the LAN. In particular I want to
> block the Netbios ports c. 138.
>
> I have done this successfully on a WRT54GC, but it took a huge amount
> of fiddling. The two boxes are somewhat similar but not similar
> enough.
>
> The 54GC is running in a "Static IP" mode, with DHCP for the wifi
> clients.
>
> The 354G has been running in a "Bridge Mode Only" mode, without DHCP
> (so the client IPs are allocated by the router on the LAN).
>
> The 354G options are
>
> Bridge Mode Only
> RFC1483 Bridged
> RFC1483 Routed
> RFC2516 PPPOE
> RFC2364 PPPOA
>
> In Bridge Mode Only it works but I cannot get the access restrictions
> to do anything at all. That part of the config is very similar to the
> 54GC one, which works OK.
>
> Can anybody suggest anything I might be doing wrong?
>
> Under the PCs, I have set up an IP range of 192.... 1 to 254 so every
> possible wifi client should qualify for the block.
>
> Many thanks...



Can't you just hide your computer on the network?



  #3  
Old October 16th 11, 02:13 PM posted to uk.telecom.broadband
Peter
external usenet poster
 
Posts: 330
Default Using a WAG354G as a wifi AP, with port range blocking


Jon wrote


> Can't you just hide your computer on the network?

How?

I do need to access it (and vice versa) from some other computers. All
are ethernet connected together.

I just want to have no network capability to any wifi connected
devices.

As I posted, I already have this working fine on the other wifi AP,
but can't get it working on the 354G. Whatever I do, it either blocks
everything, or apparently nothing.
  #4  
Old October 16th 11, 04:16 PM posted to uk.telecom.broadband
Jon
external usenet poster
 
Posts: 16
Default Using a WAG354G as a wifi AP, with port range blocking

Peter wrote...


> Jon wrote
>
>> Can't you just hide your computer on the network?
>
> How?

Depends upon your OS - there are several how-to's on the interweb. Dunno if it
works as I've not had a need to do it.

http://www.watchingthenet.com/hide-y...ndows-network-neighborhood.html

http://www.vistax64.com/tutorials/17...e-network.html

If I thought a visitor was poking into my pc - I'd cut the ****ers connection

> I do need to access it (and vice versa) from some other computers. All
> are ethernet connected together.
>
> I just want to have no network capability to any wifi connected
> devices.
>
> As I posted, I already have this working fine on the other wifi AP,
> but can't get it working on the 354G. Whatever I do, it either blocks
> everything, or apparently nothing.



  #5  
Old October 16th 11, 08:55 PM posted to uk.telecom.broadband
Phil W Lee
external usenet poster
 
Posts: 482
Default Using a WAG354G as a wifi AP, with port range blocking

Peter considered Sun, 16 Oct
2011 11:51:36 +0100 the perfect time to write:

> Hi,
>
> I have for some time had this box working, as a simple ethernet-in
> wifi AP.
>
> The ethernet side connects to the home LAN.
>
> Now I am trying to block ports 81-442 and 444-65535.
>
> This is to prevent somebody (who has the WPA password, e.g. a guest in
> our house) seeing the computers on the LAN. In particular I want to
> block the Netbios ports c. 138.
>
> I have done this successfully on a WRT54GC, but it took a huge amount
> of fiddling. The two boxes are somewhat similar but not similar
> enough.
>
> The 54GC is running in a "Static IP" mode, with DHCP for the wifi
> clients.
>
> The 354G has been running in a "Bridge Mode Only" mode, without DHCP
> (so the client IPs are allocated by the router on the LAN).
>
> The 354G options are
>
> Bridge Mode Only
> RFC1483 Bridged
> RFC1483 Routed
> RFC2516 PPPOE
> RFC2364 PPPOA
>
> In Bridge Mode Only it works but I cannot get the access restrictions
> to do anything at all. That part of the config is very similar to the
> 54GC one, which works OK.
>
> Can anybody suggest anything I might be doing wrong?
>
> Under the PCs, I have set up an IP range of 192.... 1 to 254 so every
> possible wifi client should qualify for the block.
>
> Many thanks...


The problem you have is that you have put them all in the same subnet,
so there is no routing between them - they communicate directly with
each other on the same logical network.

Set up a different block of IP addresses for the dhcp Wifi clients,
with no routing between the two subnets.
Anything you use that does need to reach the local network can be
given an IP on the same subnet as the other private ones, either with
a dhcp reservation or by setting it on the client.
You can either do this by splitting the RFC1918 class C you're already
using into smaller subnets with CIDR ( /25 or /26 would be ok,
although you probably only need /29) or by adding another class C for
them to use.
  #6  
Old October 17th 11, 02:29 PM posted to uk.telecom.broadband
Peter
external usenet poster
 
Posts: 51
Default Using a WAG354G as a wifi AP, with port range blocking


Phil W Lee wrote:

> The problem you have is that you have put them all in the same subnet,
> so there is no routing between them - they communicate directly with
> each other on the same logical network.
>
> Set up a different block of IP addresses for the dhcp Wifi clients,
> with no routing between the two subnets.


OK, I get that, many thanks.

That explains why it works on one and not the other.

I still can't see why one cannot simply drop packets with specific
port numbers in them, however. You don't need different subnets for
that.

> Anything you use that does need to reach the local network can be
> given an IP on the same subnet as the other private ones, either with
> a dhcp reservation or by setting it on the client.
> You can either do this by splitting the RFC1918 class C you're already
> using into smaller subnets with CIDR ( /25 or /26 would be ok,
> although you probably only need /29) or by adding another class C for
> them to use.


I will enable the DHCP client on that AP and see if that makes the
packet filtering work.
  #7  
Old October 17th 11, 08:18 PM posted to uk.telecom.broadband
Peter
external usenet poster
 
Posts: 330
Default Using a WAG354G as a wifi AP, with port range blocking


Phil W Lee wrote

> Set up a different block of IP addresses for the dhcp Wifi clients,
> with no routing between the two subnets.


Problem: if the Bridge Mode Only is selected, the DHCP option is
greyed out.

Which of the others would you suggest?
  #8  
Old October 17th 11, 09:29 PM posted to uk.telecom.broadband
Phil W Lee
external usenet poster
 
Posts: 482
Default Using a WAG354G as a wifi AP, with port range blocking

Peter considered Mon, 17 Oct 2011 14:29:34
+0100 the perfect time to write:


> Phil W Lee wrote:
>
>> The problem you have is that you have put them all in the same subnet,
>> so there is no routing between them - they communicate directly with
>> each other on the same logical network.
>>
>> Set up a different block of IP addresses for the dhcp Wifi clients,
>> with no routing between the two subnets.
>
> OK, I get that, many thanks.
>
> That explains why it works on one and not the other.
>
> I still can't see why one cannot simply drop packets with specific
> port numbers in them, however. You don't need different subnets for
> that.


No, but you do need something to be routing between the Wifi and
ethernet segments (which examines and uses the header information in
the IP packets), rather than just bridging (which just throws
everything across).

>> Anything you use that does need to reach the local network can be
>> given an IP on the same subnet as the other private ones, either with
>> a dhcp reservation or by setting it on the client.
>> You can either do this by splitting the RFC1918 class C you're already
>> using into smaller subnets with CIDR ( /25 or /26 would be ok,
>> although you probably only need /29) or by adding another class C for
>> them to use.
>
> I will enable the DHCP client on that AP and see if that makes the
> packet filtering work.


Use a different subnet, like 192.168.2.n instead of 192.168.1.n, and
careful how you set the default gateways.
If there's any firewall capability on the Wifi router, you can use
that to filter on port.
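
Added example, not part of any post in this thread: a small Python model of why the port filter only takes effect once wifi clients sit in a different subnet from the wired PCs and a router is in the path. The host addresses are constructed, the 192.168.1.n / 192.168.2.n subnets and the blocked port ranges are the ones mentioned in the thread, and the "router" is an assumed device that applies the port filter between the two subnets.

```python
import ipaddress

# Port ranges the original poster wants blocked (from the thread).
BLOCKED_RANGES = [(81, 442), (444, 65535)]

def port_blocked(port):
    """True if the destination port falls in one of the blocked ranges."""
    return any(lo <= port <= hi for lo, hi in BLOCKED_RANGES)

def next_hop(src_iface, dst_ip):
    """Client-side forwarding decision: an on-link destination is resolved by
    ARP and sent to directly; anything else is handed to the default gateway."""
    iface = ipaddress.ip_interface(src_iface)
    return "direct" if ipaddress.ip_address(dst_ip) in iface.network else "gateway"

def verdict(src_iface, dst_ip, dst_port):
    """Outcome for one packet from a wifi client to a wired LAN host."""
    if next_hop(src_iface, dst_ip) == "direct":
        # Same subnet: the AP bridges the frame at layer 2, so IP-level
        # access restrictions on the box never get to act on it.
        return "delivered (bridged, filter bypassed)"
    # Different subnet: the packet has to cross the (assumed) router,
    # which is where the port filter can be applied.
    return "dropped by router filter" if port_blocked(dst_port) else "forwarded by router"

def guest_subnets(lan="192.168.1.0/24", new_prefix=26):
    """Split the existing /24 into smaller CIDR blocks, as suggested in the thread."""
    return list(ipaddress.ip_network(lan).subnets(new_prefix=new_prefix))

if __name__ == "__main__":
    pc = "192.168.1.10"  # constructed address of a wired PC
    # Constructed wifi clients: same /24, separate /24, and a /26 carved from the LAN.
    for client in ("192.168.1.50/24", "192.168.2.50/24", "192.168.1.200/26"):
        for port in (138, 80, 443):
            print(f"{client:>18} -> {pc}:{port:<5} {verdict(client, pc, port)}")
    print([str(n) for n in guest_subnets()])
```

The model covers the addressing decision only; the separation holds only when the device joining the two subnets actually routes and filters rather than bridging them.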
  #9  
Old October 17th 11, 09:56 PM posted to uk.telecom.broadband
alexd
external usenet poster
 
Posts: 1,765
Default Using a WAG354G as a wifi AP, with port range blocking

Peter (for it is he) wrote:

> Problem: if the Bridge Mode Only is selected, the DHCP option is
> greyed out.
>
> Which of the others would you suggest?


The WAN settings are irrelevant, because the WAN interface on that router is
DSL, and you're not going to be connecting it to anything. Because nothing
will be traversing the WAN on your WAG354G [the wireless and wired ethernet
interfaces on that device are bridged together at L2], none of the access
controls will have any effect. Unless you can get third-party firmware
[routertech, openwrt] onto that device then it's not going to do what you
want it to do.

To do what you want, you either need a new DSL router with guest wireless
access, or get a cheap "cable router", plug the WAN of that into your LAN
and give guests access via the existing DSL router, hiding your stuff behind
NAT or ACLs on the cable router.

--
http://ale.cx/ (AIM:troffasky) )
21:45:38 up 31 days, 2:59, 5 users, load average: 0.00, 0.03, 0.11
"People believe any quote they read on the internet
if it fits their preconceived notions." - Martin Luther King

  #10  
Old October 18th 11, 08:49 AM posted to uk.telecom.broadband
David Woodhouse
external usenet poster
 
Posts: 64
Default Using a WAG354G as a wifi AP, with port range blocking

On Mon, 2011-10-17 at 21:29 +0100, Phil W Lee wrote:
> No, but you do need something to be routing between the Wifi and
> ethernet segments (which examines and uses the header information in
> the IP packets), rather than just bridging (which just throws
> everything across).


IP routing will examine and use the information in the IP headers, and
Ethernet bridging will examine and use the information in the Ethernet
headers.

In either case, firewalling and blocking selected traffic will involve
looking at *more* of the packet than would normally be necessary.

There's absolutely no reason why a bridge can't do filtering. See
http://ebtables.sourceforge.net/ for example.

I'm fairly sure the WAG354G runs OpenWRT, even if it doesn't support
ebtables out of the box. So it should be possible to set this up.

But really, I'd just ask the ISP for a new range of IP addresses to use
on the wireless side, and route it instead.

--
dwmw2

 



