Subject: Re: WaveLAN advice
To: Chris Jones <cjones@rupert.honors.montana.edu>
From: Thilo Manske <Thilo.Manske@HEH.Uni-Oldenburg.DE>
List: netbsd-users
Date: 06/09/1999 01:46:27
On Tue, Jun 08, 1999 at 04:32:24PM -0600, Chris Jones wrote:
> Has anybody out there in NetBSD-land had any experience with WaveLAN
> products?  Especially for inter-building networks?  The ISP I work for
> is considering offering WaveLAN to its customers.
Well, not WaveLAN, but we use Aironet (relabelled here in Germany as
"Arlan" in the past and "Artem" now) radio bridges.
(www.aironet.com, www.arlan.de)

> This brings up an interesting line of thought.  If WaveLAN is *really*
> just a replacement for ethernet, then how do you prevent random people
> from grabbing an IP number and using your link?  And how do you go
> about limiting the bandwidth a user can use?

> For the first question, I suppose I can have my gateway machine
> maintain a list of static ARP entries, and refuse to talk with
> somebody using a mismatched IP/MAC address pair.  Then I can put in
This works with 1.4, but with 1.3.* it did not. (I have tried that,
there's even a NetBSD SA about it.) 

> bogus entries for any unassigned IP's.  I wonder how easy it is to
> spoof a MAC address over WaveLAN?
If the MAC# is in a (e(e))prom, very clever users might be able to.

I suppose Aironet products work very similarly, so this might be
interesting for you:

The Aironet bridges have a configurable 16 bit "SID" (System
IDentifier, I think). Two stations can only communicate with each other
if the SID matches. And before a communication link is established,
a station must register itself.  This can happen automatically (good
for "roaming" users) or be done manually (for static links.) And furthermore
you can enable additional encryption.

Why not ask WaveLAN to send you information? Usually you get tons of
paper if you just say "hello" to companies like that :-)

> The second question could be more difficult, though.  Anybody have any
> ideas?  How *do* you limit bandwidth usage through a gateway machine?
> Ultimately, it would be neat if I could have the gateway allow
> unlimited access to our internal network, but bandwidth-limited access
> to our outbound connection.  Any ideas?
For http only you can (mis)use squid with delay pools as a transparent
proxy for that purpose. This would provide caching as well to further
reduce bandwidth. If you block users to force them to use your proxy,
this works for ftp or gopher (via http) as well.

See http://squid.nlanr.net/. It's in the package collection as
well, though I suggest building it manually (run ./configure --help
to know why.)
-- 
This is Thilo's Unix signature! Have fun with it.
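The static ARP approach discussed above (one permanent entry per assigned IP/MAC pair on the gateway, plus bogus entries for every unassigned address) can be turned into a file for arp(8)'s -f option. The script below is an added example, not code from the thread; the 192.0.2.0/24 prefix, the three assignments and the placeholder MAC 00:00:00:00:00:01 used for unassigned addresses are constructed sample values.

```shell
#!/bin/sh
# Build a static ARP table file in the format NetBSD's arp -f reads:
#   hostname ether_addr [temp] [pub]
# Without "temp" the entries are permanent, so the gateway will not accept
# a different MAC for an assigned address, and frames for an unassigned
# address go to a MAC nobody on the link owns.

PREFIX="192.0.2"                 # /24 served over the radio link (constructed)
BOGUS_MAC="00:00:00:00:00:01"    # placeholder MAC for unassigned addresses (constructed)

# Assigned IP -> MAC pairs, one per line (constructed sample data).
ASSIGNED='192.0.2.10 00:60:1d:01:02:03
192.0.2.11 00:60:1d:04:05:06
192.0.2.20 08:00:20:aa:bb:cc'

# Accept only six colon-separated hex pairs; a typo here would silently
# lock the customer out, so refuse to generate the table in that case.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Print the MAC assigned to IP $1, or nothing if the address is unassigned.
lookup_mac() {
    printf '%s\n' "$ASSIGNED" | awk -v ip="$1" '$1 == ip { print $2; exit }'
}

# Emit one line per host .1 .. .254 of PREFIX (.0 and .255 are skipped).
gen_arp_file() {
    host=1
    while [ "$host" -le 254 ]; do
        ip="$PREFIX.$host"
        mac=$(lookup_mac "$ip")
        if [ -n "$mac" ]; then
            valid_mac "$mac" || { echo "bad MAC for $ip: $mac" >&2; return 1; }
            printf '%s %s\n' "$ip" "$mac"
        else
            printf '%s %s\n' "$ip" "$BOGUS_MAC"
        fi
        host=$((host + 1))
    done
}

# Number of addresses that ended up with the bogus MAC (sanity check).
count_bogus() {
    gen_arp_file | grep -c " $BOGUS_MAC\$"
}

# Usage on the gateway (as root):
#   gen_arp_file > /etc/arp.static && arp -f /etc/arp.static
```

Run it on the gateway whenever the assignment list changes; because the entries are permanent, a client that moves to a different radio card has to be re-entered here before it can talk to the gateway again.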