Re: How to set my MAC address
- From: Bonge Boo! <bingbong@xxxxxxxxxxx>
- Date: Wed, 05 Jul 2006 10:36:21 +0100
On 4/7/06 22:48, in article 1hhzevb.19tq49sh8vsw5N%usenet@xxxxxxxxxxxxxxxxxxxxxxxxxxx, "James Taylor" <usenet@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Bonge Boo! <bingbong@xxxxxxxxxxx> wrote:
James Taylor wrote:
Are you familiar with setting up VLANs on Draytek routers? It was only
because the VLAN isolation fails between the wifi side and the wired
ports that I started experimenting with the 2nd subnet feature. However
the latter doesn't seem to work by any definition that makes sense to
me. I'd love to know what the 2nd subnet actually *is* for given that
hosts in that subnet don't seem to be able to make outbound connections.
Maybe there's some subtlety of the routing table I've missed.
Sakl may correct me on this....
Erm. Forgive me for being stupid, but in the Vigor2600 I'm looking at here,
there is no option to isolate the wireless from the VLAN. VLAN only works on
the wired ports.
Yes, the VLAN isolation only works between the wired ports, but
discovering it was *that* broken was a revelation to me. I found that
wireless traffic is repeated on *all* the wired ports regardless of the
VLAN configuration. That's pretty silly if you ask me. If you're in a
situation where segregation between two LANs is important, then
whichever side uses the ultra-secure encrypted wifi is simply giving
away all their secrets over the other guy's LAN, and worst of all they'd
have no way of telling unless they were able to monitor the other guy's
LAN and spot their own traffic on it. I don't think Draytek gave this
much thought. In fact I'd class this as a serious design flaw.
Err. No. I think you're misunderstanding the VLAN function. It's not broken.
It's not designed to do what you are trying to do.
Why isn't the wifi interface listed as one of the possible ports to
assign to a particular VLAN? Even with the current interface I would
expect the wifi traffic to be isolated from any wired ports that were
themselves in a VLAN.
Just because you want it to do something, doesn't mean it does...
You can isolate the WLAN from the LAN globally or on a per MAC basis, or do
fun stuff like insist WLAN users connect via VPN to get LAN access.
Yes, I saw those features in the Wireless Access Control page, but no
matter what I tried I couldn't stop wireless traffic leaking onto the
wired side. The features just don't seem to actually work!
To put you in the picture, here's what I'm trying to do. I am trying to
share the high cost of ADSL out here in Thailand with other westerners
living in the neighbouring beach houses. And, so that I don't have to
give out the password of my own wifi network, I am using an AirPort
Express to provide their network separately from the Draytek's wifi that
I'm using. The AirPort is therefore cabled to one of the Draytek's LAN
ports. I've also removed the two aerials from the Draytek to reduce its
range so that it just covers my house.
Seems sensible. Apart from removing your aerials. Trust your encryption.
I thought I'd be able to place the AirPort's connection in a VLAN so the
neighbours wouldn't be able to sniff my traffic or mount our shares, and
their worms/viruses wouldn't be able to scan or attack mine or my
girlfriend's laptops. The outdoor lifestyle here would make a wired
connection to our laptops prohibitively inconvenient, so we'll certainly
be using wifi.
Seems a good plan
At the moment I have the AirPort in NAT mode, which at least prevents
the neighbours sniffing my network. However, this isn't ideal because
then all the neighbours will appear as one address and I won't be able
to distinguish their machines. I want to be able to put the AirPort in
bridge mode so that each machine is distinguishable. Doing this means
that I can diagnose which machine has a worm, or identify who's hogging
all the bandwidth, or spot rogue clients connecting to the network, etc.
I can use the Draytek's ARP cache or even its DHCP lease table to spot
unauthorised access such as one of the neighbours giving out the
password to their friends, and them giving it out to their friends until
I have a bandwidth filching commune sitting on the beach in front of my
house. Well, okay, that's not likely perhaps, but I want to be able to
tell what's going on on my network, after all, it'll be my door that the
Feds knock down when some nefarious activity is discovered. Hmmm, now
that I think about it, plausible deniability has its benefits too. ;-)
Does the AE have the option for MAC address filtering? That with a network
key should stop all but the most determined hacking, which you can stop
anyway. As for all the "management" stuff, do you really want the hassle?
Anyway, when I tried enabling the "Isolate WLAN from LAN" feature, the
Draytek just kicked our laptops off the wireless network, and all
attempts to reconnect resulted in MacOSX giving the singularly most
unhelpful error message I've ever seen, "There was an error connecting
to the network" or similar. I went looking for messages in the various
log files but couldn't find anything relevant. Perhaps I was looking in
the wrong place. Where on earth are the wifi related logs?
Dunno. When you say "kick-off" do you mean you could ping the gateway or
other WLAN users?
Using an ethernet cable I was able to return to the Draytek's Wireless
Access Control screen. I then tried setting the "s" flag ("Isolate the
station from LAN") on the wifi MAC addresses of our laptops so that we'd
be isolated that way instead. This did allow us to reconnect wirelessly
but unfortunately I could *still* monitor broadcast traffic leaking onto
the LAN. None of the security features seem to work! It's astonishing!
You may be right. Email them.
It was around this time that I started playing with the 2nd subnet
feature in the hope that this would prevent broadcast traffic leaking
across. I also thought I might be able to use the packet filtering rules
in the firewall section to block traffic being routed between the two
subnets whilst letting both sides access the Internet. However, I never
got that far because as soon as I set up the 2nd subnet (on the private
class C network 192.169.2.*) along with the MAC addresses it uses to
identify our laptops and place them in that subnet, I found that I
couldn't access anything at all including the Draytek's admin front end,
and furthermore, because I had optimistically entered our ethernet MAC
addresses at the same time, I had no way to get back into the Draytek.
Disaster!
Not ideal. But like every good geek you of course had a backup of your
working settings before playing about?
The 2nd subnet enables you to set the router to serve both a public and
private network for devices attached to the router.
Assume the external address is:
210.111.234.100
And you've bought a block of IPs from 210.111.234.101-254
Draytek also give this kind of example, with the 2nd subnet using
publicly allocated addresses, but it seems to me to be a rather narrow
and unlikely thing to need. Isn't it possible to use the 2nd subnet as a
private internal network behind NAT just like the 1st subnet?
Lots of business might need this kind of setup. Buy a block of 8 IPs, run
your servers on those public addresses, then have the rest of your machines
on the NAT side.
And not as far as the docs suggest.
Then you can have devices attached that use that range of addresses, using
the gateway address of the external IP to find the outside world.
How can you have a gateway address that's NOT on the current subnet?
Surely any packet addressed to somewhere not on the subnet must first be
sent to the gateway and, oops, the gateway isn't on the subnet so first
you must send the packet to the gateway... etc... etc...
You can't.
Have I misunderstood something?
Don't think so.
The machines on your private network behind the NAT are in whatever public
network range you choose, using the private IP address of the router as the
gateway.
I think I've been struggling with this network configuration for too
long and I'm tired otherwise I might understand what you're saying. Of
course, I might just be going senile. Either way, you've lost me. I'm
particularly confused by what you mean by private and public in this
context. Are we talking about the 1st or 2nd subnet?
1st.
I got the impression that the Draytek treats the 1st and 2nd subnets
very differently. I'm not at all sure whether it is performing NAT on
the 2nd subnet, and I'm not clear what difference the "For IP Routing
Usage: Enable/Disable" setting is for.
I might be wrong, but the router manual seems quite explicit. The 2nd subnet
does NOT perform NAT. Hence you need to use IPs from the public pool.
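Two of the points argued in this thread can be checked mechanically: whether wireless stations' frames show up on a wired port that is supposed to be isolated from them, and whether a configured gateway is actually on-link for the subnet that uses it. The script below is an added example, not code from either poster or from Draytek; the capture lines, MAC addresses and hosts in it are constructed for the example.

```python
"""Added example: audit the two claims from the thread above.
(1) Scan a frame capture taken on the wired segment for source MACs that
    belong to wireless stations; any hit means WLAN traffic is leaking
    across despite "isolation" settings.
(2) Check that a gateway address lies inside the host's subnet; an
    off-link gateway is unreachable, which is the circularity raised about
    the 2nd-subnet example (to reach the gateway you would need the gateway).
"""
import ipaddress
import re

# Constructed sample of `tcpdump -e`-style lines captured on the wired port.
WIRED_CAPTURE = """\
10:36:21.000101 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.50
10:36:21.000202 00:11:22:33:44:66 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 90: 192.168.1.51.5353 > 224.0.0.251.5353: UDP
10:36:21.000303 00:aa:bb:cc:dd:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.10
"""

# Wireless laptops' MAC addresses (constructed); taken from the router's
# Wireless Access Control list in a real audit.
WIRELESS_STATIONS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

# Timestamp, source MAC, destination MAC at the start of each tcpdump -e line.
FRAME_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}),")


def find_leaked_frames(capture, wireless_macs):
    """Return (timestamp, src_mac, dst_mac) for every frame in the wired
    capture whose source MAC is one of the wireless stations."""
    wanted = {mac.lower() for mac in wireless_macs}
    leaks = []
    for line in capture.splitlines():
        m = FRAME_RE.match(line)
        if m and m.group("src").lower() in wanted:
            leaks.append((m.group("ts"), m.group("src"), m.group("dst")))
    return leaks


def gateway_on_link(host_cidr, gateway):
    """True if the gateway is inside the subnet the host is configured on."""
    net = ipaddress.ip_interface(host_cidr).network
    return ipaddress.ip_address(gateway) in net


if __name__ == "__main__":
    for ts, src, dst in find_leaked_frames(WIRED_CAPTURE, WIRELESS_STATIONS):
        print(f"{ts}: wireless station {src} seen on wired segment (to {dst})")
    # The 2nd-subnet example from the thread: gateway .100 is on-link for a /24.
    print("gateway on-link:", gateway_on_link("210.111.234.105/24", "210.111.234.100"))
```

Run it against a real `tcpdump -e -i <wired-port>` capture instead of the constructed lines to repeat the check described in the thread.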