Jeff Liebermann said:
> This is messy but doable. However, I don't think it can be done by
> any of the cheapo wireless routers. The reason is that wireless is

Fairly easily with LinkSys WRT54G(S) routers.
I'm not sure if it is possible to get the right route table
configuration using the LinkSys firmware, but certainly with
Sveasoft or HyperWRT firmware it is not difficult to do.

> really bridging, not routing. As has been suggested, you could do the

Welllll... the WRT54G is actually routing, and has three network
interfaces, one each for wireless, the LAN switch (with 4 ports),
and another for the single WAN/Internet port. That last one is
what makes it possible.

> trick by tweaking the router's routing table to send literally
> everything from the various clients to the default gateway, with
> nothing going to anything on the LAN IP block. However, a few minor
> routing commands on the client machine and they instantly can "see"
> the other wireless users.

Won't work with this example though.

> That's because the router is NOT located
> between users, just between the users and the internet. Between the
> users is a simple ethernet bridge (actually a switch or multi-port
> bridge).

Except that isn't true on the WRT54G!

Here's a route table copied from a WRT54G which will not allow
packets to be routed between anything on the 192.168.1.0 subnet,
but will send everything to a firewall on the 192.168.0.0 subnet
if it is connected via wired ethernet on one of the LAN ports of
the WRT54G,

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags ... Iface
    192.168.0.2     *               255.255.255.255 UH    ... br0
    192.168.1.0     *               255.255.255.0   U     ... vlan1
    192.168.0.0     *               255.255.255.0   U     ... br0
    127.0.0.0       *               255.0.0.0       U     ... lo
    default         192.168.0.2     0.0.0.0         UG    ... br0

Without the route to the vlan1 (the WAN port) interface, all of
the 192.168.1.0 traffic was going to br0 (the bridge to the LAN
switch, which also connects to the wireless port, vlan0). By
routing that subnet to vlan1, and assigning an IP address on
that subnet to the bridge (192.168.1.2 in this particular case),
it prevents any traffic on that subnet from going to the bridge.
It does allow traffic from wireless to the wired LAN though, for
the subnet 192.168.0.0, so anything in that address range has to
be hardened.

I would also expect that the default route could also be to vlan1,
but haven't actually tried that. The results should be the same.

Here's the output of ifconfig on the router, just for information,
edited to remove at least some of the useless parts. Note there
are three unique MAC addresses, and (the lo device excluded) there
are two of them with assigned IP addresses (br0 and vlan1, the
LAN and WAN ports respectively):

    br0       Link encap:Ethernet  HWaddr 00:12:17:27:FE:B8
              inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
    eth0      Link encap:Ethernet  HWaddr 00:12:17:27:FE:B8
    eth1      Link encap:Ethernet  HWaddr 00:12:17:27:FE:BA
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
    vlan0     Link encap:Ethernet  HWaddr 00:12:17:27:FE:B8
    vlan1     Link encap:Ethernet  HWaddr 00:12:17:27:FE:B9
              inet addr:192.168.0.3  Bcast:192.168.255.255  Mask:255.255.0.0
    wds0.2    Link encap:Ethernet  HWaddr 00:12:17:27:FE:BA
    wds0.3    Link encap:Ethernet  HWaddr 00:12:17:27:FE:BA

Whether this can be done on any other wireless router I don't know.
It requires a router that will route 192.168.0.0 addresses, and
with separately routed ports for the wireless and wired network.
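
Added example, not part of the original post: a small Python check that replays the kernel's longest-prefix route selection over the route table quoted above, to confirm which interface each destination would leave by. The function names (parse_routes, lookup, audit) are hypothetical, the elided "..." columns are dropped from the embedded copy, and only the routing decision is modelled, not bridging or firewall rules.

```python
import ipaddress

# Route table as quoted in the post, with the elided "..." columns dropped.
# "*" in the Gateway column means directly connected (no next hop).
ROUTE_TABLE = """\
192.168.0.2  *            255.255.255.255  UH  br0
192.168.1.0  *            255.255.255.0    U   vlan1
192.168.0.0  *            255.255.255.0    U   br0
127.0.0.0    *            255.0.0.0        U   lo
default      192.168.0.2  0.0.0.0          UG  br0
"""

def parse_routes(text):
    """Turn 'route'-style lines into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip headers or malformed lines
        dest, gw, mask, _flags, iface = fields
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(f"{dest}/{mask}")
        routes.append((net, None if gw == "*" else gw, iface))
    return routes

def lookup(routes, addr):
    """Return (iface, gateway) of the most specific route matching addr."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    _net, gw, iface = max(matches, key=lambda r: r[0].prefixlen)
    return iface, gw

def audit(routes, client_net, forbidden_iface):
    """List hosts in client_net whose route leaves via forbidden_iface."""
    hosts = ipaddress.ip_network(client_net).hosts()
    return [str(h) for h in hosts
            if (lookup(routes, str(h)) or (None,))[0] == forbidden_iface]

ROUTES = parse_routes(ROUTE_TABLE)

if __name__ == "__main__":
    for dst in ("192.168.1.50", "192.168.0.2", "192.168.0.77", "8.8.8.8"):
        print(dst, "->", lookup(ROUTES, dst))
    print("192.168.1.0/24 hosts routed to br0:",
          len(audit(ROUTES, "192.168.1.0/24", "br0")))
```

The audit over 192.168.0.0/24 returns every host, which matches the post's point that anything in that range is reachable through br0 and has to be hardened.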