opinion needed: 2 LANs (wireless + wired) or just 1?

[rambetter]

I have a FreeBSD router here at home whose sole function is to do things like run a small DNS server for caching and internal hostname resolution, and to do NAT, and also, I just installed a wireless NIC for purposes of being a host access point.

I need your opinion on the following question. Should I separate the wired and wireless networks (192.168.0.x for wired and 192.168.1.x for wireless) or try to configure things so that both wired and wireless are running in 192.168.0.x/24?

Right now I have 2 separate networks for wireless/wired, and all IP assignments are done statically, not over DHCP. fxp2 is my internet-facing interface. From /etc/rc.conf:

gateway_enable="YES"
ifconfig_fxp2="DHCP"
ifconfig_em0="inet 192.168.0.254 netmask 255.255.255.0"
ifconfig_ath0="inet 192.168.1.254 netmask 255.255.255.0 ssid speedy.i mode 11g mediaopt hostap"

It works very smoothly. I am able to SSH from a Windows laptop which is on the wireless network directly into a Linux desktop on the wired network. My PS3 downstairs is able to download updates over the wireless network perfectly and quickly. All computers on the wireless and wired networks are able to access computers on the internet, to do this I put this in my /etc/ipnat.rules (and enabled ipnat in rc.conf):

map fxp2 192.168.0.0/24 -> 0/32
map fxp2 192.168.1.0/24 -> 0/32

Now, I believe that in purpose-build home routers which support wired and wireless networks, they combine both types of connections into one LAN. I think I could probably figure out how to do this (although I would question whether assigning the same IP address to both em0 and ath0 is correct), but my real question is, which way of doing things is "more correct" in the purist sense? I did notice one thing about Windows computers wanting to communicate with each other - they are not too happy if they are on the 192.168.0.x/24 and another member of their "workgroup" is in 192.158.1.x/24. I really don't know too much about Windows, and I don't really like to learn about it.

If you answer "yes" to "combine both wired and wireless networks into one", then if you could perhaps give me a very quick rundown of the correctest way to do this.

 

[aragon]

Do not assign an IP address to your wireless adapter. Create a bridge(4) interface and add both adapters to the bridge.

 

[rambetter]

OK, I will try to create a bridge. That's a good idea. In fact I've had a bridge with several NICs before.

However I don't know the rc.conf syntax for bridging an ath0 device. Perhaps you can help me? Here is my current rc.conf (exerpts):

ifconfig_em0="inet 192.168.0.254 netmask 255.255.255.0"
ifconfig_ath0="inet 192.168.1.254 netmask 255.255.255.0 ssid speedy.i mode 11g mediaopt hostap"
hostapd_enable="YES"

I would like to add em0 and ath0 to the same bridge, along with fxp0 and fxp1 which are currently not being used for anything: So my hypothetical rc.conf would look something like this:

cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 addm ath0 addm fxp0 addm fxp1 up"
ifconfig_fxp0="up"
ifconfig_fxp1="up"
ifconfig_em0="up"
ifconfig_ath0="up"
ipv4_addrs_bridge0="192.168.0.254/24"
hostapd_enable="YES"

My question is, where do I specify the "ssid speedy.i mode 11g mediaopt hostap" for ath0? Obviously it's missing from my hypothetical rc.conf above.


One more thing. I have WPA enabled via hostapd. I had a look at /usr/share/examples/hostapd/hostapd.conf, and I see this in there:

# AP netdevice name (without 'ap' postfix, i.e., wlan0 uses wlan0ap for
# management frames); ath0 for madwifi
interface=wlan0

# In case of madwifi driver, an additional configuration parameter, bridge,
# must be used to notify hostapd if the interface is included in a bridge. This
# parameter is not used with Host AP driver.
#bridge=br0

Do I need to add this:

bridge=bridge0

to my /etc/hostapd.conf? It says "This parameter is not used with Host AP driver", and my wifi card is being up into host ap mode, so I assume I don't need this line? Are there any other special things I need to do if my ath0 is part of a bridge?

 

[aragon]

My question is, where do I specify the "ssid speedy.i mode 11g mediaopt hostap" for ath0? Obviously it's missing from my hypothetical rc.conf above.

In ifconfig_ath0.

Do I need to add this:

bridge=bridge0

Unfortunately I don't know. Try without it first.

 

[Alt]

I think better to make different subnets and bridging wifi and lan is bad idea.

 

[aragon]

I think better to make different subnets and bridging wifi and lan is bad idea.

Why?

 

[Alt]

Just because they are different by type. I think the question is "why you should do it" not vice versa =)

 

[aragon]

"why you should do it" not vice versa =)

If they are the same network then bridge them. In many cases the wireless network should be the same network as the wired LAN. Media type is irrelevant...

 

[Alt]

Huh... May be you right.. As you want. rambetter just asked opinions.

 

[mickey]

In my opinion, you should keep both networks separated.
A wireless network is different from a wired network by definition, and a different set of security considerations apply.

I am running a similar setup for quite some time now, using FreeRADIUS as an authentication backend for WPA2/EAP-TTLS on the wireless interface.

The only application that i can think of, which may have a problem with computers being in different IP segments, is Windows' Network Neighborhood, which works through NetBIOS, which is sick by design. If this is of concern for you, you should install Samba, acting as a master browser and WINS server on both network segments, and read on this topic, especially the different modes of NetBIOS operation. I think the Samba Documentation has quite some good starting points into that topic. Additionally you should install a DHCP server, which operates on both interfaces, and is able to tell Windows clients the correct NetBIOS parameters and the IP-Address of your WINS server.

YMMV

 

[rambetter]

What are the drawbacks of putting wireless and wired into the same network? I think I want to go this route, but I'm concerned about problems that may arise, or security risks. This seems like the simplest solution, and the most similar to using a purpose-built home router.

 

[Alt]

I think there is only 1 advantage to bridge them: netbios who works only wednesdays..
Disadvantages are needing to hackup router, security risks. You may need to make a fileserver, and it must be protected from outside.
Or you may want to give your guests wireless internet. But why you must give them whole subnet in this case? It can be painful to separate them later..

 

[rambetter]

OK thanks for your help guys. I think I will stick to 2 subnets, one for wired (192.168.0.x/24) and one for wireless (192.168.1.x/24).

However, I have direct connections from one subnet to the other because the router is a gateway (for example I can ping or SSH from a wireless laptop to my wired desktop, and vice versa). Is this a security issue?

 

[Alt]

No, why? You can now ipfw on router/desktop to set connection restricts.