[Firehol-support] Firehol centralised on router with Wifi AP
Kjetil Kjernsmo
kjetil at kjernsmo.net
Tue Sep 13 22:12:46 BST 2016
Hi Costa, thanks a lot for your response!
On Tuesday 13. September 2016 23.55.53 Tsaousis, Costa wrote:
> Kjetil, quite a complex setup.
Yeah, at least for a home network :-)
> I don't know how to help you, but here are a few things that might help
> you decide:
>
> First, please update your firehol. It is way too old. Firehol and
> fireqos are just bash scripts. So, updating should be very easy.
Yeah, I know... And 2.0.0 just barely missed Debian Jessie, which was a
pity. I tend to stick to the distro packages, since it creates an
unchanging base to work with.
Are there any security risks associated with running this old version? I
would suppose no, since iptables is the part facing possible attackers?
> MARKs do not leave the host. So, you cannot MARK on one host and examine
> that MARK on another.
Ah, OK, I feared that.
> Most people that support different security policies on different SSIDs,
> do it with VLANs, so that each SSID uses a different VLAN. Of course
> your AP has to support this.
>
> On Linux VLANs are like separate virtual interfaces. You are going to
> have vlan0, vlan1, vlan2, etc. If your AP can do it, this is the way to
> go. At your firewall you will have SSID1 clients on vlan1 and SSID2
> clients on vlan2. Of course you will have to configure your DHCP server
> to respond on both VLANs.
Aha! That is very interesting. I've seen that my AP can run off OpenWRT
easily, so I could flash it, but I also found some documentation for the
firmware on it:
https://help.ubnt.com/hc/en-us/articles/204962144-UniFi-How-does-VLAN-traffic-get-tagged-
So this sounds like the right way to go, indeed! Thanks a lot! I'll read
up on this.
Kjetil
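As an added example, not from the thread or the FireHOL project itself: a FireHOL 3 configuration sketch of the VLAN-per-SSID layout Costa describes, with a different policy per VLAN interface and the inter-VLAN router blocking guests from the trusted network. The interface names (eth0.10, eth0.20, eth1) and VLAN ids are assumptions.

```firehol
# Added example (not from the thread). Assumes the AP tags the trusted SSID
# as VLAN 10 and the guest SSID as VLAN 20 on the trunk port eth0, that eth1
# is the WAN uplink, and that the VLAN sub-interfaces exist, e.g. via
#   ip link add link eth0 name eth0.10 type vlan id 10
#   ip link add link eth0 name eth0.20 type vlan id 20
version 6

# Trusted SSID: may manage the router (SSH) and use its DHCP/DNS.
interface eth0.10 trusted
    policy reject
    protection strong
    server "dhcp dns ssh" accept
    client all accept

# Guest SSID: only DHCP/DNS from the router, no SSH, nothing else.
interface eth0.20 guest
    policy reject
    protection strong
    server "dhcp dns" accept
    client all accept

# WAN: nothing inbound to the router; the router itself may go out.
interface eth1 wan
    policy drop
    protection strong
    client all accept

# Both VLANs get NATed Internet access; the Internet initiates nothing.
router trusted2wan inface eth0.10 outface eth1
    masquerade
    route all accept

router guest2wan inface eth0.20 outface eth1
    masquerade
    route all accept

# Guest VLAN must not reach the trusted VLAN. No "route" lines here, so
# the only effect is the drop policy in both directions; add explicit
# "route" rules if the trusted side should reach guest devices.
router guest2trusted inface eth0.20 outface eth0.10
    policy drop
```

Since each SSID arrives on its own interface, the per-SSID policy is enforced by the tag the AP applies, which is what replaces the cross-host MARK that Costa says cannot work.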