
Adrian Caspersz July 16th 17 11:08 PM

How many subnets in a typical McDonalds?
 
If I wander in there with n devices connected to their wifi, can the
interfaces talk to each other as well as the net?

I'm hoping the answer is no... as I'm dreaming up a shared internet
facility trying to keep student users roughly isolated on a simple
switch (no VLAN support).

Current plan is multiple DHCP leases, all individually on their own
local lan subnets, each subnet connected to the internet but nowhere else.

Does anyone do an out-of-the-box software build for this DHCP that runs
on a rPI? Extra points if it has a nice GUI....

.... or I'll have to sit down and script one for DNSmasq :(

--
Adrian C

Graham J[_2_] July 16th 17 11:21 PM

How many subnets in a typical McDonalds?
 
Adrian Caspersz wrote:
If I wander in there with n devices connected to their wifi, can the
interfaces talk to each other as well as the net?

I'm hoping the answer is no... as I'm dreaming up a shared internet
facility trying to keep student users roughly isolated on a simple
switch (no VLAN support).

Current plan is multiple DHCP leases, all individually on their own
local lan subnets, each subnet connected to the internet but nowhere else.

Does anyone do an out-of-the-box software build for this DHCP that runs
on a rPI? Extra points if it has a nice GUI....

... or I'll have to sit down and script one for DNSmasq :(



A 32-bit subnet mask should solve the problem ...

-- Graham J




Andy Burns[_5_] July 16th 17 11:26 PM

How many subnets in a typical McDonalds?
 
Graham J wrote:

Adrian Caspersz wrote:

If I wander in there with n devices connected to their wifi, can the
interfaces talk to each other as well as the net?


A 32-bit subnet mask should solve the problem ...


But how's he going to control what subnet mask McDonalds issue to their
customers?

Graham J[_2_] July 16th 17 11:49 PM

How many subnets in a typical McDonalds?
 
Andy Burns wrote:
Graham J wrote:

Adrian Caspersz wrote:

If I wander in there with n devices connected to their wifi, can the
interfaces talk to each other as well as the net?


A 32-bit subnet mask should solve the problem ...


But how's he going to control what subnet mask McDonalds issue to their
customers?



It's not McDonalds that is the issue - it is his own DHCP server. He
needs one that is properly configurable so that IP addresses are issued
from a defined scope but with a 32-bit subnet mask. Unlikely he can do
that in a basic router, so he needs a proper DHCP server.

I don't know what McDonalds do, but most PC or Mac devices need
something other than the TCP/IP stack to actually make themselves
visible to applications; and these are often disabled by default on
networks defined (by the user, usually by default) as public.

But ultimately network security is a matter for the user, not for the
provider of the internet connection.


-- Graham J


Adrian Caspersz July 16th 17 11:50 PM

How many subnets in a typical McDonalds?
 
On 16/07/17 22:26, Andy Burns wrote:
Graham J wrote:

Adrian Caspersz wrote:

If I wander in there with n devices connected to their wifi, can the
interfaces talk to each other as well as the net?


A 32-bit subnet mask should solve the problem ...



But how's he going to control what subnet mask McDonalds issue to their
customers?


Nope, that was a badly put example.

McDonalds would be giving each user a publicly allocated IP address. No
NAT and hence 32-bit mask.

I'm (cheapskate) using NAT from a single issued public IP address, and
trying to fit multiple users to that. So multiple subnets with a 30-bit
mask as I'll need the broadcast IP as well as the host/client.

(If I've understood this right..)

--
Adrian C

Andy Furniss July 17th 17 01:26 AM

How many subnets in a typical McDonalds?
 
Adrian Caspersz wrote:
If I wander in there with n devices connected to their wifi, can the
interfaces talk to each other as well as the net?


I think they would use client isolation on their access point which
probably works at mac level rather than IP.

I'm hoping the answer is no... as I'm dreaming up a shared internet
facility trying to keep student users roughly isolated on a simple
switch (no VLAN support).


Not wireless then? So they won't really be isolated if one of them wants
to subvert your set up.

Current plan is multiple DHCP leases, all individually on their own
local lan subnets, each subnet connected to the internet but nowhere
else.
Does anyone do an out-of-the-box software build for this DHCP that
runs on a rPI? Extra points if it has a nice GUI....

... or I'll have to sit down and script one for DNSmasq :(


Henry Law July 17th 17 08:03 AM

How many subnets in a typical McDonalds?
 
On 16/07/17 22:08, Adrian Caspersz wrote:
If I wander in there with n devices connected to their wifi, can the
interfaces talk to each other as well as the net?

I'm hoping the answer is no... as I'm dreaming up a shared internet
facility trying to keep student users roughly isolated on a simple
switch (no VLAN support).


The small community centre for which I'm "IT manager" (who I manage
other than myself I'll leave as an exercise) has a Cisco small-business
router at the heart of the network. It supports multiple VLANs and in
the definition of each there's a tick box which enables or disables the
ability for any host on that VLAN to see any other. With that facility
enabled all that a visitor's phone or laptop, connected casually by
wifi, can see is the router itself for the purpose of connecting to the
internet.

Would that facility meet your need?

--
Henry Law n e w s @ l a w s h o u s e . o r g
Manchester, England

[email protected][_2_] July 17th 17 10:07 AM

How many subnets in a typical McDonalds?
 
On 16/07/2017 22:08, Adrian Caspersz wrote:
If I wander in there with n devices connected to their wifi, can the
interfaces talk to each other as well as the net?

I'm hoping the answer is no... as I'm dreaming up a shared internet
facility trying to keep student users roughly isolated on a simple
switch (no VLAN support).

Current plan is multiple DHCP leases, all individually on their own
local lan subnets, each subnet connected to the internet but nowhere else.

Does anyone do an out-of-the-box software build for this DHCP that runs
on a rPI? Extra points if it has a nice GUI....

... or I'll have to sit down and script one for DNSmasq :(


It's virtually impossible to secure the wireless side.
You can make it more difficult but someone with the will and knowledge
can break it in a matter of seconds to hours depending on what you set up.

There is nothing you can do to stop people monitoring the wireless and
it's easy to crack the current encryption standards.


If you want security you *need* to only allow access to a VPN server
with strong encryption. Then the server rules determine who can access what.


If all you want to do is stop wireless clients talking to each other
then look for an AP that has a setting to prevent this. My old netgear
had such a setting. Once set clients could only see the wired side and
not other wireless clients.

You probably need to download the manual and look as it doesn't appear
as a feature in the sales stuff on many APs.

Johnny B Good July 17th 17 11:55 AM

How many subnets in a typical McDonalds?
 
On Mon, 17 Jul 2017 09:07:23 +0100, [email protected] wrote:

On 16/07/2017 22:08, Adrian Caspersz wrote:
If I wander in there with n devices connected to their wifi, can the
interfaces talk to each other as well as the net?

I'm hoping the answer is no... as I'm dreaming up a shared internet
facility trying to keep student users roughly isolated on a simple
switch (no VLAN support).

Current plan is multiple DHCP leases, all individually on their own
local lan subnets, each subnet connected to the internet but nowhere
else.

Does anyone do an out-of-the-box software build for this DHCP that runs
on a rPI? Extra points if it has a nice GUI....

... or I'll have to sit down and script one for DNSmasq :(


It's virtually impossible to secure the wireless side.
You can make it more difficult but someone with the will and knowledge
can break it in a matter of seconds to hours depending on what you
set up.

There is nothing you can do to stop people monitoring the wireless and
it's easy to crack the current encryption standards.


If you want security you *need* to only allow access to a VPN server
with strong encryption. Then the server rules determine who can access
what.


If all you want to do is stop wireless clients talking to each other
then look for an AP that has a setting to prevent this. My old netgear
had such a setting. Once set clients could only see the wired side and
not other wireless clients.

You probably need to download the manual and look as it doesn't appear
as a feature in the sales stuff on many APs.


The Tweepadock in the room is that this by itself won't prevent an
enterprising hacker from using a laptop as a fake AP in order to run a
MITM intercept operation.

--
Johnny B Good

Theo[_2_] July 17th 17 12:41 PM

How many subnets in a typical McDonalds?
 
In uk.telecom.broadband Adrian Caspersz wrote:
Nope, that was a badly put example.

Mcdonalds would be giving each user a publicly allocated IP address. No
NAT and hence 32-bit mask.


I very much doubt they're giving out public IPv4s - there aren't enough to go
around. The only time I recall being given a public IPv4 for wifi is at a
company that has a class A (16 million addresses). (Globally-addressed
IPv6s are easy)

However, this is entirely orthogonal to the setup - you can do exactly the
same setup with a public class A as with 10.0.0.0/8 - just in the latter
case somewhere down the road needs to be a NAT if you want internet access.

On the same SSID, I think you can configure the layer 2 switch to block
inter-station communication, ie everything is point to point with the access
point. Then you configure (DHCP) each client in layer 3 with a /32, telling
it its default route is to some other IP (which can't be on the same subnet
because a /32 contains one address). That means all traffic will be sent to
that IP, which can either NAT the packet if it's for the internet, or drop
it if it's for some other client.

I've never tried this, but I think it then avoids the problem of having a
ginormous routing table of tiny subnets.

Theo
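Both per-client addressing schemes in this thread (Adrian's one /30 per client, and Theo's /32 with an off-subnet default route) come down to the same idea: hand each client a prefix that contains no other client, so that every packet to a neighbour goes to the Pi, which can drop it. The planner below is an added example, not code from anyone in the thread or from the dnsmasq project; it carves a constructed private pool (10.0.0.0/24) into per-client leases, renders them as dnsmasq static-lease lines using dnsmasq's `dhcp-host=...,set:tag` / `dhcp-option=tag:...` syntax, and then checks the property the scheme relies on. The MAC addresses, pool and tag names are constructed. It also makes Andy Furniss's caveat concrete: on a plain switch the isolation lives only in the prefix the client was handed, so a client that reconfigures itself to the wider mask sees every neighbour as on-link again.

```python
"""Per-client subnet planner for the isolation schemes discussed above.

Added example: not dnsmasq's own tooling and not code from the thread.
Pool, MACs and tag names are constructed for illustration.
"""
import ipaddress
from typing import List, Tuple

Plan = List[Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Address, ipaddress.IPv4Address]]

# Constructed private pool that sits behind the single NAT'd public address.
POOL = ipaddress.ip_network("10.0.0.0/24")
# Constructed gateway address for the /32 scheme (the Pi's own address).
GATEWAY = ipaddress.ip_address("10.0.0.1")
# Constructed, locally administered MACs standing in for student devices.
CLIENT_MACS = ["02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"]


def plan_slash30(pool: ipaddress.IPv4Network, macs: List[str]) -> Plan:
    """Adrian's plan: one /30 per client. Each /30 has a network address,
    two usable hosts (gateway on the Pi, then the client) and a broadcast.
    The Pi must hold every gateway address as an alias on its LAN interface."""
    subnets = list(pool.subnets(new_prefix=30))
    if len(macs) > len(subnets):
        raise ValueError("pool too small for this many /30 clients")
    plan: Plan = []
    for mac, sub in zip(macs, subnets):
        gateway, client = list(sub.hosts())   # a /30 has exactly two usable hosts
        plan.append((mac, sub, gateway, client))
    return plan


def plan_slash32(pool: ipaddress.IPv4Network, macs: List[str],
                 gateway: ipaddress.IPv4Address) -> Plan:
    """Theo's variant: each client is a /32, and its default route points at a
    gateway that is deliberately not inside that single-address subnet."""
    hosts = [h for h in pool.hosts() if h != gateway]
    if len(macs) > len(hosts):
        raise ValueError("pool too small for this many /32 clients")
    return [(mac, ipaddress.ip_network(f"{h}/32"), gateway, h)
            for mac, h in zip(macs, hosts)]


def dnsmasq_config(pool: ipaddress.IPv4Network, plan: Plan) -> str:
    """Render a plan as dnsmasq static leases. Each dhcp-host sets a tag, and
    the tag selects that client's own netmask and router options."""
    lines = [f"dhcp-range={pool.network_address},static"]   # serve dhcp-host entries only
    for i, (mac, sub, gateway, client) in enumerate(plan, 1):
        tag = f"c{i}"
        lines.append(f"dhcp-host={mac},{client},set:{tag}")
        lines.append(f"dhcp-option=tag:{tag},option:netmask,{sub.netmask}")
        lines.append(f"dhcp-option=tag:{tag},option:router,{gateway}")
    return "\n".join(lines) + "\n"


def on_link(client: ipaddress.IPv4Address, prefixlen: int,
            other: ipaddress.IPv4Address) -> bool:
    """True if `other` lies inside the prefix the client believes is local,
    i.e. the client would ARP for it directly instead of using the gateway."""
    return other in ipaddress.ip_network(f"{client}/{prefixlen}", strict=False)


def peers_on_link(plan: Plan, prefix_override: int = None) -> int:
    """Count ordered client pairs that see each other as on-link. With
    prefix_override, model every client having reset itself to that mask."""
    count = 0
    for _, sub_a, _, a in plan:
        plen = prefix_override if prefix_override is not None else sub_a.prefixlen
        for _, _, _, b in plan:
            if a != b and on_link(a, plen, b):
                count += 1
    return count


if __name__ == "__main__":
    p30 = plan_slash30(POOL, CLIENT_MACS)
    print(dnsmasq_config(POOL, p30))
    print("on-link peer pairs as issued:", peers_on_link(p30))
    print("on-link peer pairs if clients reset to /24:", peers_on_link(p30, 24))
```

The last two lines are the point: as issued, no client has any other client on-link under either plan, but the same plan with the clients' masks widened to /24 puts every neighbour back on-link, which is why this only "roughly" isolates wired users on a switch that cannot enforce anything itself, and why the AP-side client isolation mentioned elsewhere in the thread is the stronger control for wireless.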

