Belt and suspenders: Routing the WRT through an existing firewall

Now that we resolved the problem of my miscommunication with the WRT54GL, I'm ready to move on (after installing dd-wrt!) and put this sucker to use.

In all the OEM docs, wikis, Usenet threads, and cave drawings I have seen on the subject they all tell me to plug my ISP's ethernet cable into the wireless router and plug any wired ethernet PCs into the ethernet ports.

What if I don't want to do that? I have a nice software firewall tweaked within an inch of its life using iptables on my Linux server, so I'd like to assign the wireless router a static IP address and plug it into my existing network switch controlled by the Linux box, like this:

            [MY ISP]
               |
           [LINUX ETH1]
               |
         (iptables firewall)
               |
           [LINUX ETH0]
               |
       (wired network switch)
        |     |     |     |
     Linksys  PC    PC    PC . . .
        |
    My laptops

My thinking is, that will ensure that not only will iptables do all the firewall stuff before any nasties start floating through the air, but it will also ensure that only computers on my LAN subnet will even be able to talk to the Linksys.

Does that make sense, or is it an unnecessary extra layer of complication born of my complete ignorance of wireless networking? I trust your judgement, Reb Liebermann... if you say dd-wrt's firewall is sufficient, I'll go with the standard configuration and stop obsessing over iptables.

Reply to
Peter B. Steiger

Most likely, a competent NAT firewall will do it for you; I know it does for me, as tested periodically with the help of

formatting link

Then you can devote resources to deal with stuff that comes in as attachments, etc., rather than obsess over direct IP-borne attacks. :')

J
Reply to
barry

On Thu, 07 Jun 2007 18:43:46 +0000, Peter B. Steiger sez:

I'll save Jeff the trouble of reposting some excellent advice he gave me a couple of months ago when I was first shopping for a wireless router. For the benefit of anyone else who stumbles across this thread and has similar questions to mine, this response to my "where do I start?" post is chock-full o' sage advice, random musings, and links to more sage advice:

formatting link
Since that's an impossibly long URL, here's a shorter one:
formatting link

Reply to
Peter B. Steiger

"Peter B. Steiger" hath wroth:

Did I write all that? Well, it's my signature at the bottom so I guess I wrote it. It's amazingly accurate and fairly close to answering your question. Yeah, I guess it was me.

Basically, you don't need to plug anything into the WAN (internet) port on the WRT54G. You already have a Linux router and really don't need another router in series with your network. Just configure the WRT54G as an access point, disable the DHCP server in the WRT54G, set the IP address so it doesn't conflict with the Linux router IP, and connect a cable from one of the LAN ports on the WRT54G to the LAN side of the Linux router. Done. I hate to waste all the nifty router features in DD-WRT, but there's enough in the wireless config to create sufficient entertainment value.

Also, you might want to look at the wireless features in DD-WRT v24 beta (2007 - 0607). See online v24 simulation at:

I'm playing with the EoIP (ethernet over IP) tunnel feature that's basically a transparent bridge that doesn't re-write MAC addresses, through an encrypted tunnel. Nice. Much nicer than one IP per VPN tunnel. Also, multiple SSIDs (virtual access points) and "universal repeater" but I haven't tried those yet.

formatting link

Reply to
Jeff Liebermann
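The following is an added example, not code posted by anyone in this thread: it is the Linux-side half of the setup Peter sketched and Jeff confirmed (the WRT54GL hanging off the LAN switch as a plain access point, WAN port unused, DHCP server off, static LAN address set through the DD-WRT web interface). Interface names (eth1 toward the ISP, eth0 toward the switch), the 192.168.1.0/24 subnet and the access point's address 192.168.1.2 are assumptions. The rules are emitted as an iptables-restore(8) file rather than executed, so they can be inspected before being loaded with `gen_rules | iptables-restore`.

```shell
#!/bin/sh
# Added example for the thread above, not the poster's own firewall script.
# Topology (assumed): eth1 = ISP, eth0 = wired switch, WRT54GL on the switch
# as an access point at a static address inside the LAN subnet.
WAN_IF=eth1
LAN_IF=eth0
LAN_NET=192.168.1.0/24
AP_IP=192.168.1.2          # static address given to the WRT54GL (assumed)

# Print a complete iptables-restore(8) ruleset on stdout.
# Load it with:  gen_rules | iptables-restore
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the box or the LAN already opened
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Anti-spoofing: frames arriving on the LAN side must carry a LAN source address
-A INPUT -i $LAN_IF ! -s $LAN_NET -j DROP
-A FORWARD -i $LAN_IF ! -s $LAN_NET -j DROP
# Hosts on the LAN (wired, or wireless via the access point) may talk to this box
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
# Belt and suspenders: the access point's management interface is never
# reachable from the ISP side, even if a forwarding rule is added later
-A FORWARD -i $WAN_IF -d $AP_IP -j DROP
# LAN hosts may reach the Internet
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# Hide the whole LAN, access point clients included, behind the ISP address
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

gen_rules
```

One caveat that follows from the diagram: because the access point sits on the same switch as the wired PCs, traffic between a wireless client and a wired PC is switched at layer 2 and never passes through the Linux box, so these rules protect the LAN from the Internet but do not separate wireless from wired hosts. Keeping the access point off the WAN port, with its DHCP server disabled, means the only device handing out addresses and making policy decisions is the Linux router, which is exactly the single point of control Peter was after.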
