[User] subnets

Marc Bejarano openwireless.org at beej.org
Mon Feb 9 12:57:19 PST 2015


hi ranga,

thanks for your detailed explanation.  it makes sense :)  i'm not 100%
convinced the troubleshooting benefits outweigh the configuration
complexity to get commonly used home networked appliances working, but
i'm happy to persevere to see if we can get there.

i made the avahi-daemon.conf change you suggested and this seems to
have fixed printing from Private WiFi to LAN for me.

unfortunately, i'm still unable to control my Sonos system from
Private WiFi.  https://ask.sonos.com/sonos/topics/sonos_across_multiple_ip_subnets
suggests i'll need to get multicast working between the Private WiFi
and LAN segments.

do you know how to get multicast packets forwarded between the two segments?

thanks,
marc

On Wed, Jan 14, 2015 at 6:18 PM, Ranganathan Krishnan <rk at selwastor.com> wrote:
> Hi Marc,
>
>   The isolation of LAN, Private WiFi and OpenWireless WiFi into three
> separate network segments is something we inherited from CeroWRT. The
> rationale behind this is that by routing traffic between these segments rather
> than bridging, we can use the firewall, queuing and traffic shaping rules on
> traffic flows between these segments. That seemed like the right design
> choice, so I continued with what CeroWRT had done.
>
>  We use firewall rules to account for traffic between these two segments
> and the Internet separately. Hence on the dashboard we are able to show
> separate uplink/downlink data rates for these two segments. This can help with
> debugging performance problems that people are experiencing (since often
> this can be due to WiFi, rather than the ISP). If we bridged the two segments
> we would not be able to separate the traffic and provide better diagnostics.
> We currently do not have any rules restricting IP packet movement between
> the Private WiFi and LAN segments. The two networks are currently at the
> same privilege level.  We have taken advantage of the network segmentation
> to place restrictions on IP packet movement between the openwireless WiFi
> segment and Private WiFi/LAN. In the future we could put in rules placing
> restrictions on traffic movement between LAN and Private WiFi if it makes
> sense.
>
> Unless bridging is really important to you, I'd suggest sticking with the
> design we have and making the changes on the router needed to allow
> devices and applications on the two different segments to talk to each other.
> There is an IETF effort to make multiple segments work well for people in the
> home (HNET wg etc), so this approach will be feasible and a preferred way
> going forward.
>
> Cheers,
> Ranga
>
> On Jan 13, 2015, at 12:13 PM, Marc Bejarano <openwireless.org at beej.org> wrote:
>
>> hi ranga,
>>
>> sorry for the delayed reply.  i haven't tested your proposed solution
>> to the problem, but before i do, i want to understand the pros of it
>> versus what i see to be the more obvious solution.
>>
>> every retail wireless router i've come across defaults to bridging the
>> LAN and Wi-Fi "segments".  is it a conscious decision on your part to
>> not do this?  if so, to what end?
>>
>> i see the con to having two separate subnets for LAN and Private Wi-Fi
>> as needlessly complicating things and breaking assumptions that many
>> environments have about home Wi-Fi networks.
>>
>> cheers,
>> marc
>>
>> On Wed, Dec 10, 2014 at 7:05 PM, Ranga Krishnan <ranga at eff.org> wrote:
>>>
>>> Hi Marc,
>>>
>>> We do allow for traffic forwarding between the private WiFi and
>>> LAN networks. As you note the service discovery does not work
>>> across these two network segments. I think it would make sense
>>> to enable that in the future. It is possible to do that by enabling
>>> the reflector mode in the avahi-daemon running on the router.
>>>
>>> I haven't tested it but in principle, here is what you need to do.
>>> SSH into the router and then
>>>
>>> 1. # vi /etc/avahi/avahi-daemon.conf
>>>
>>> 2. change the 'enable-reflector' value to yes
>>>
>>> enable-reflector=yes
>>>
>>> 3. Restart avahi
>>>
>>> # /etc/init.d/avahi-daemon restart
>>>
>>> I think your devices in LAN and Private WiFi should now be
>>> able to discover each other, but as I said I haven't tested it.  I also
>>> need to verify that no further interface restrictions are needed to
>>> make this secure.
>>>
>>> If you are willing to test and verify that this works and submit a
>>> pull request, I can include it in the upcoming alpha release.
>>>
>>> Cheers,
>>> Ranga
>>>
>>>
>>>
>>> On Dec 10, 2014, at 6:17 PM, Marc Bejarano <openwireless.org at beej.org> wrote:
>>>
>>> hello BOFH,
>>>
>>> from a security perspective, that's "da fault". it is perhaps just me, but
>>> i'm thinking the "lan" is one interface, and "wifi" another.  having a
>>> 'global' exposure in tandem with a more trusted "local" network, is asking
>>> for trouble.
>>>
>>>
>>> i thought the design of this system was to have two private interfaces
>>> (one wi-fi and one lan) and a separate public wi-fi network.  are you
>>> one of the developers working on the open wireless firmware?  if not,
>>> i'd love it if one would chime in.
>>>
>>> cheers,
>>> marc
>>> _______________________________________________
>>> User mailing list
>>> User at openwireless.org
>>> http://openwireless.org/mailman/listinfo/user
>>>
>>>
>
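The avahi reflector change described in the thread above, checked the way a reviewer of that change would. This is an added example, not code from the OpenWireless firmware or from anyone in the thread; it uses Python's standard configparser on constructed avahi-daemon.conf samples, and the interface names eth0 (LAN), wlan0 (Private WiFi) and wlan1 (open guest WiFi) are assumed placeholders. The point it demonstrates is the "further interface restrictions" question: with enable-reflector=yes and no allow-interfaces line, avahi reflects mDNS between every interface it serves, including the guest segment.

```python
import configparser

# Constructed sample: reflector on, no interface restriction (reflects everywhere).
WEAK_CONF = """\
[server]
use-ipv4=yes

[reflector]
enable-reflector=yes
"""

# Constructed sample: reflector on, but avahi only serves the two private
# segments, so nothing from the guest interface is reflected into them.
HARDENED_CONF = """\
[server]
use-ipv4=yes
allow-interfaces=eth0,wlan0

[reflector]
enable-reflector=yes
"""


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def reflector_enabled(text):
    """True when [reflector] enable-reflector is set to yes."""
    value = _parse(text).get("reflector", "enable-reflector", fallback="no")
    return value.strip().lower() == "yes"


def reflected_interfaces(text):
    """Interfaces avahi serves and therefore reflects between.
    None means no allow-interfaces line, i.e. all interfaces."""
    allow = _parse(text).get("server", "allow-interfaces", fallback="").strip()
    if not allow:
        return None
    return sorted(i.strip() for i in allow.split(",") if i.strip())


def reflector_leaks_to(text, untrusted_ifaces):
    """Untrusted interfaces that would take part in reflection; empty is OK."""
    if not reflector_enabled(text):
        return []
    served = reflected_interfaces(text)
    if served is None:
        return sorted(untrusted_ifaces)
    return sorted(i for i in untrusted_ifaces if i in served)
```

Running reflector_leaks_to against the router's real config with the guest interface name is a quick way to confirm that only LAN and Private WiFi take part in reflection.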



More information about the User mailing list