[Firehol-support] Firehol centralised on router with Wifi AP

Kjetil Kjernsmo kjetil at kjernsmo.net
Tue Sep 13 22:12:46 BST 2016


Hi Costa, thanks a lot for your response!

On Tuesday 13. September 2016 23.55.53 Tsaousis, Costa wrote:
> Kjetil, quite a complex setup.

Yeah, at least for a home network :-)

> I don't know how to help you, but here are a few things that might help
> you decide:
> 
> First, please update your firehol. It is way too old. Firehol and
> fireqos are just bash scripts. So, updating should be very easy.

Yeah, I know... And 2.0.0 just barely missed Debian Jessie, which was a 
pity. I tend to stick to the distro packages, since it creates an 
unchanging base to work with. 

Are there any security risks associated with running this old version? I 
would suppose no, since iptables is the part facing possible attackers?

> MARKs do not leave the host. So, you cannot MARK on one host and examine
> that MARK on another.

Ah, OK, I feared that.

> Most people that support different security policies on different SSIDs,
> do it with VLANs, so that each SSID uses a different VLAN. Of course
> your AP has to support this.
> 
> On Linux VLANs are like separate virtual interfaces. You are going to
> have vlan0, vlan1, vlan2, etc. If your AP can do it, this is the way to
> go. At your firewall you will have SSID1 clients on vlan1 and SSID2
> clients on vlan2. Of course you will have to configure your DHCP server
> to respond on both VLANs.

Aha! That is very interesting. I've seen that my AP can run off OpenWRT 
easily, so I could flash it, but I also found some documentation for the 
firmware on it: 
https://help.ubnt.com/hc/en-us/articles/204962144-UniFi-How-does-VLAN-traffic-get-tagged-
So this sounds like the right way to go, indeed! Thanks a lot! I'll read 
up on this.

Kjetil
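As an added illustration of the VLAN-per-SSID layout Costa describes (this is example code written for this page, not anything from the thread or from the FireHOL project): a small POSIX shell script that prints the iproute2 commands creating one 802.1Q sub-interface per VLAN on the router's trunk port, and a FireHOL configuration giving each SSID its own interface block and policy. Every name in it is assumed: the trunk from the AP is eth1, the upstream link is eth0, SSID "home" is tagged VLAN 10 on 10.0.10.0/24 and SSID "guest" is tagged VLAN 20 on 10.0.20.0/24. The script only prints; it changes nothing on the host.

```shell
#!/bin/sh
# Added example, not from the thread and not FireHOL project code.
# Assumed names: trunk port from the AP is eth1, upstream is eth0,
# SSID "home" = VLAN 10 (10.0.10.0/24), SSID "guest" = VLAN 20 (10.0.20.0/24).
# Nothing here touches the system: the functions only print commands and config.

TRUNK=eth1
WAN=eth0

# Constructed VLAN table: id|name|subnet|router address|services the router
# serves to that SSID|services that SSID may reach on the Internet.
vlans() {
    cat <<'EOF'
10|home|10.0.10.0/24|10.0.10.1/24|dhcp dns ssh|all
20|guest|10.0.20.0/24|10.0.20.1/24|dhcp dns|http https dns ntp
EOF
}

# iproute2 commands creating one 802.1Q sub-interface per VLAN on the trunk.
# The AP must send each SSID's frames tagged with the matching VLAN id.
vlan_link_commands() {
    vlans | while IFS='|' read -r id name subnet gw services routes; do
        echo "ip link add link $TRUNK name $TRUNK.$id type vlan id $id"
        echo "ip addr add $gw dev $TRUNK.$id"
        echo "ip link set $TRUNK.$id up"
    done
}

# FireHOL configuration (FireHOL 3.x syntax, hence "version 6"). Each VLAN gets
# its own interface block, so each SSID gets its own policy, and its own router
# block masquerading it to the WAN. No router block joins home and guest, so
# forwarded traffic between the two SSIDs falls through to FireHOL's default drop.
firehol_config() {
    echo "version 6"
    echo
    echo "interface $WAN wan"
    echo "    policy drop"
    echo "    protection strong"
    echo "    client all accept"
    vlans | while IFS='|' read -r id name subnet gw services routes; do
        echo
        echo "# SSID \"$name\" arrives on the trunk tagged as VLAN $id"
        echo "interface $TRUNK.$id $name src $subnet"
        echo "    policy reject"
        echo "    server \"$services\" accept"
        echo
        echo "router ${name}2wan inface $TRUNK.$id outface $WAN"
        echo "    masquerade"
        echo "    route \"$routes\" accept"
    done
}

echo "# --- ip link commands ---"
vlan_link_commands
echo
echo "# --- /etc/firehol/firehol.conf ---"
firehol_config
```

The point of the layout is that the security boundary is the VLAN tag, which does cross hosts, rather than a MARK, which does not: the AP tags frames per SSID, the router sees two distinct interfaces, and FireHOL can give the guest SSID only DHCP and DNS from the router plus a short list of outbound services, while the home SSID keeps full access. Once the config is written to /etc/firehol/firehol.conf, FireHOL's own `firehol try` applies it and rolls back unless confirmed, which is the safe way to test a remote router.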