[User] subnets

Ranganathan Krishnan rk at selwastor.com
Wed Jan 14 18:18:08 PST 2015


Hi Marc,

  The isolation of LAN, Private WiFi and OpenWireless WiFi into three
separate network segments is something we inherited from CeroWRT. The
rationale behind this is that by routing traffic between these segments rather
than bridging, we can use the firewall, queuing and traffic shaping rules on
traffic flows between these segments. That seemed like the right design
choice, so I continued with what CeroWRT had done.

 We use firewall rules to account for traffic between these two segments 
and the Internet separately. Hence on the dashboard we are able to show 
separate uplink/downlink data rates for these two segments. This can help with 
debugging performance problems that people are experiencing (since often 
this can be due to WiFi, rather than the ISP). If we bridged the two segments 
we would not be able to separate the traffic and provide better diagnostics. 
We currently do not have any rules restricting IP packet movement between 
the Private WiFi and LAN segments. The two networks are currently at the 
same privilege level.  We have taken advantage of the network segmentation 
to place restrictions on IP packet movement between the openwireless WiFi 
segment and Private WiFi/LAN. In the future we could put in rules placing 
restrictions on traffic movement between LAN and Private WiFi if it makes 
sense. 

Unless bridging is really important to you, I'd suggest sticking with the 
design we have and making the changes on the router needed to allow 
devices and applications on the two different segments to talk to each other. 
There is an IETF effort to make multiple segments work well for people in the
home (HNET wg etc.) so this approach will be feasible and a preferred way
going forward.

Cheers,
Ranga

On Jan 13, 2015, at 12:13 PM, Marc Bejarano <openwireless.org at beej.org> wrote:

> hi ranga,
> 
> sorry for the delayed reply.  i haven't tested your proposed solution
> to the problem, but before i do, i want to understand the pros of it
> versus what i see to be the more obvious solution.
> 
> every retail wireless router i've come across defaults to bridging the
> LAN and Wi-Fi "segments".  is it a conscious decision on your part to
> not do this?  if so, to what end?
> 
> i see the con to having two separate subnets for LAN and Private Wi-Fi
> as needlessly complicating things and breaking assumptions that many
> environments have about home Wi-Fi networks.
> 
> cheers,
> marc
> 
> On Wed, Dec 10, 2014 at 7:05 PM, Ranga Krishnan <ranga at eff.org> wrote:
>> 
>> Hi Marc,
>> 
>> We do allow for traffic forwarding between the private WiFi and
>> LAN networks. As you note the service discovery does not work
>> across these two network segments. I think it would make sense
>> to enable that in the future. It is possible to do that by enabling
>> the reflector mode in the avahi-daemon running on the router.
>> 
>> I haven't tested it but in principle, here is what you need to do.
>> SSH into the router and then
>> 
>> 1. # vi /etc/avahi/avahi-daemon.conf
>> 
>> 2. change the 'enable-reflector' value to yes
>> 
>> enable-reflector=yes
>> 
>> 3. Restart avahi
>> 
>> # /etc/init.d/avahi-daemon restart
>> 
>> I think your devices in LAN and Private WiFi should now be
>> able to discover each other, but as I said I haven't tested it.  I also
>> need to verify that no further interface restrictions are needed to
>> make this secure.
>> 
>> If you are willing to test and verify that this works and submit a
>> pull request, I can include it in the upcoming alpha release.
>> 
>> Cheers,
>> Ranga
>> 
>> 
>> 
>> On Dec 10, 2014, at 6:17 PM, Marc Bejarano <openwireless.org at beej.org>
>> wrote:
>> 
>> hello BOFH,
>> 
>> from a security perspective, that's "da fault". it is perhaps just me, but
>> i'm thinking the "lan" is one interface, and "wifi" another.  having a
>> 'global' exposure in tandem with a more trusted "local" network, is asking
>> for trouble.
>> 
>> 
>> i thought the design of this system was to have two private interfaces
>> (one wi-fi and one lan) and a separate public wi-fi network.  are you
>> one of the developers working on the open wireless firmware?  if not,
>> i'd love it if one would chime in.
>> 
>> cheers,
>> marc
>> _______________________________________________
>> User mailing list
>> User at openwireless.org
>> http://openwireless.org/mailman/listinfo/user
>> 
>> 
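The avahi reflector procedure quoted in the thread, together with the open question of whether further interface restrictions are needed to keep it secure, as an added shell example (this is not code from the Open Wireless Router or CeroWRT projects): it sets enable-reflector=yes in the [reflector] section of avahi-daemon.conf and, in the same pass, pins avahi to the LAN and Private WiFi interfaces with allow-interfaces in the [server] section, so the reflector relays mDNS only between those two segments and never to or from the open guest segment. The interface names lan0 and wlan-priv, the helper function names and the sample configuration are assumptions made for the example; the router's real interface names must be substituted.

```shell
#!/bin/sh
# Added example, not Open Wireless Router / CeroWRT project code.
# Enables avahi reflector mode so service discovery crosses the LAN and
# Private WiFi segments, while restricting avahi to exactly those two
# interfaces so nothing is reflected to or from the open guest WiFi.
# Interface names below are hypothetical placeholders (check `ip link`).

LAN_IF="${LAN_IF:-lan0}"            # assumed name of the wired LAN interface
PRIV_IF="${PRIV_IF:-wlan-priv}"     # assumed name of the Private WiFi interface
CONF="${CONF:-/etc/avahi/avahi-daemon.conf}"

# set_ini_key FILE SECTION KEY VALUE
# Replaces KEY inside [SECTION] (whether it is live or commented out with '#'),
# appends it to the section if absent, and creates the section if missing.
set_ini_key() {
    file=$1; section=$2; key=$3; value=$4
    grep -q "^\[$section\]" "$file" || printf '\n[%s]\n' "$section" >> "$file"
    awk -v s="$section" -v k="$key" -v v="$value" '
        /^\[/ {
            # leaving the target section without having written the key
            if (in_s && !done) { print k "=" v; done = 1 }
            in_s = ($0 == "[" s "]")
        }
        in_s && $0 ~ "^#?[ \t]*" k "[ \t]*=" {
            # first matching line is rewritten, later duplicates are dropped
            if (!done) { print k "=" v; done = 1 }
            next
        }
        { print }
        END { if (in_s && !done) print k "=" v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_ini_key FILE SECTION KEY -> prints the effective (uncommented) value
get_ini_key() {
    awk -v s="$2" -v k="$3" '
        /^\[/ { in_s = ($0 == "[" s "]") }
        in_s && $0 ~ "^" k "[ \t]*=" { sub("^[^=]*=[ \t]*", ""); print; exit }
    ' "$1"
}

# Apply both changes: interface allow-list first, then the reflector switch.
enable_reflector() {
    conf=$1
    set_ini_key "$conf" server allow-interfaces "$LAN_IF,$PRIV_IF"
    set_ini_key "$conf" reflector enable-reflector yes
}

# Sample config constructed for this example; it mirrors the stock layout
# of avahi-daemon.conf, where most keys are present but commented out.
write_sample_conf() {
    cat > "$1" <<'EOF'
[server]
#host-name=foo
#domain-name=local
#allow-interfaces=eth0
use-ipv4=yes
use-ipv6=yes

[wide-area]
enable-wide-area=yes

[reflector]
#enable-reflector=no
#reflect-ipv=no
EOF
}

# On the router, as root: sh enable-reflector.sh --apply
if [ "${1:-}" = "--apply" ]; then
    enable_reflector "$CONF" && /etc/init.d/avahi-daemon restart
fi
```

After running it with --apply, confirm with `get_ini_key /etc/avahi/avahi-daemon.conf server allow-interfaces` that only the LAN and Private WiFi interfaces are listed: avahi listens, answers and reflects solely on the interfaces in allow-interfaces, which is the restriction the reflector suggestion in the thread left unverified. Devices on the open segment therefore neither see nor can inject mDNS records into the private segments.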
