On Monday 21 November 2005 10:51, Ludwig Nussel wrote:
David Huecking wrote:
Now I added a wireless-card for the router also acting as a wireless access-point:
- ath0 is interface of wireless-card running in hostap-mode
Then I built a bridge-interface from eth0 and ath0 and gave it the former IP of eth0.
- br0 bridge made of ath0 and eth0
Routing from the wired and wireless clients to the internet works like a charm. What does not work is bridging from physical interface eth0 to ath0 so that I can reach my server attached to the LAN-switch from my wireless notebook. I get logging-entries like that:
SFW2-FWDint-DROP-DEFLT IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=ath0 SRC=192.168.42.6 DST=192.168.42.2
Could anybody tell me what to write into /etc/sysconfig/SUSEFirewall2 or in /etc/sysconfig/scripts/SuSEfirewall2-custom to accept packets crossing my bridge.
I don't have such a setup myself so I can't help you here. I wouldn't use bridging with the LAN though. With newer SuSEfirewall2 you can define a new zone for the WLAN and then use normal routing for WLAN-Inet and WLAN-LAN. You can also abuse the DMZ rules for that purpose if you don't have a real DMZ.
cu Ludwig
I changed the setup a bit and now use an external access-point attached to another ethernet-interface (eth2) instead of an internal wireless-card (ath0), and solved the problem like this: I built the bridge using eth0 and eth2 and gave it the former IP-address of eth0. In /etc/sysconfig/SuSEFirewall2:

FW_DEV_INT="br0"
FW_ALLOW_CLASS_ROUTING="yes"

This works for me. _BUT_ this does not provide any security from SuSEfirewall2 in any way. It just makes the WLAN hosts appear like normal wired hosts in the LAN. Both types have the same IP-range. The only advantage compared to attaching an access-point directly to your ethernet-switch is that you can lock out the wireless clients without plugging a cable when you delete the bridge-device. So any security comes (and goes) with the authorized access to the access-point. Just like physical security to the ethernet-plugs.

The advantage is that I just set up both interfaces of my notebook, ethernet and WLAN, with the _same_ IP-address and switched them to "hotplug"-mode. I only use one interface at a time and so it's always accessible under the same IP-address.

The only question now is: In which start/init-script should I put the commands to build the bridge-device in case of a reboot and when I don't want to build the bridge manually? It has to happen after the physical network-interfaces...

-- 
Eat, sleep and go running, David Hücking.
Encrypted eMail welcome! GnuPG/ PGP-Key: 0x57809216.
Fingerprint: 3DF2 CBE0 DFAA 4164 02C2 4E2A E005 8DF7 5780 9216
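As an added example (not code from this thread, nor from SuSEfirewall2 itself): a small POSIX sh script that builds and tears down the eth0/eth2 bridge described above using iproute2, and decodes the SFW2 drop line from the first message into its physical in/out ports. The bridge address 192.168.42.1/24 and the port names are placeholders I assumed, and with DRY_RUN=1 (the default) it only prints the commands it would run, so it can be tried without root. It is written to be called after the physical interfaces exist, which is the ordering constraint the last paragraph asks about.

```shell
#!/bin/sh
# Added example, not from the thread: build/remove the br0 bridge with iproute2
# and decode a SuSEfirewall2 drop line. Assumptions (placeholders, not from the
# thread): bridge address 192.168.42.1/24, ports eth0/eth2, iproute2 installed.
# DRY_RUN=1 (default) prints the commands instead of executing them.

BRIDGE="${BRIDGE:-br0}"
MEMBERS="${MEMBERS:-eth0 eth2}"
BR_ADDR="${BR_ADDR:-192.168.42.1/24}"   # assumed: the former address of eth0
DRY_RUN="${DRY_RUN:-1}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the bridge, give it the address and enslave the physical ports.
# Must run after the physical interfaces have been created.
build_bridge() {
    run ip link add name "$BRIDGE" type bridge
    for dev in $MEMBERS; do
        run ip addr flush dev "$dev"       # the bridge owns the IP, not the port
        run ip link set "$dev" master "$BRIDGE"
        run ip link set "$dev" up
    done
    run ip addr add "$BR_ADDR" dev "$BRIDGE"
    run ip link set "$BRIDGE" up
}

# Tear the bridge down: this is the "lock out the wireless clients" switch the
# poster mentions; afterwards the ports carry no address and no path to the LAN.
remove_bridge() {
    run ip link set "$BRIDGE" down
    for dev in $MEMBERS; do
        run ip link set "$dev" nomaster
    done
    run ip link del "$BRIDGE"
}

# Extract KEY=value from a netfilter log line. KEY must be preceded by
# whitespace so that IN= does not also match PHYSIN=.
log_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Summarise a SuSEfirewall2 drop line as "physin->physout src->dst". PHYSIN and
# PHYSOUT are what show that the packet was bridged between two ports of br0
# (IN and OUT are both br0), i.e. why it passed the FORWARD chain at all.
sfw2_bridge_path() {
    printf '%s->%s %s->%s\n' \
        "$(log_field PHYSIN "$1")" "$(log_field PHYSOUT "$1")" \
        "$(log_field SRC "$1")" "$(log_field DST "$1")"
}

# Sample input: the drop line quoted in the first message of the thread.
SAMPLE='SFW2-FWDint-DROP-DEFLT IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=ath0 SRC=192.168.42.6 DST=192.168.42.2'

if [ "${1:-}" = "demo" ]; then
    build_bridge
    sfw2_bridge_path "$SAMPLE"
fi
```

Run it as `sh bridge.sh demo` to see the command list and the decoded log line; set DRY_RUN=0 (as root) to actually apply it. Note that SuSEfirewall2 still sees the bridged packets in its forwarding chains, which is exactly what the quoted drop line shows, so the firewall rules for br0 decide whether wired and wireless hosts can reach each other, not the bridge itself.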