(This is a repost, because the original hasn't shown up in
over an hour...)
Both postings made it to Newsguy. Consider yourself fortunate as
Supernews is methinks the best of the usenet news providers. I use
news.something.sbcglobal.net in the office. At least once per month,
ALL my postings are delayed anywhere between several hours and several
days. At least nothing I posted has been missing in the last few
months.
I'm partial to exact definitions. It's a bad habit of mine as I often
find it useful to know what the terms, acronyms, buzzwords, and
marketing terminology really mean. Wireless seems to be the worst as
buzzwords seem to be generated daily and some techy terms seem to
overlap. The worst is the definitions of the various types of
bridges.
The earth is flat? ... despite all evidence to the contrary!
Take any government printed map and lay it on a flat table. The map
lies flat, not round. If the earth were round, then maps would also
be round. What more proof do you need when various agencies of the US
government all produce flat maps?
http://www.flat-earth.org
http://www.alaska.net/~clund/e_djublonskopf/Flatearthsociety.htm
http://www.lhup.edu/~dsimanek/febible.htm
I'm trying to get you to actually listen instead of just talk
about the things you imagine to be true.
I'm listening. I may be a bit slow and stubborn as I really do prefer
to understand how things work and why things happen. I'll readily
admit that I only have a superficial knowledge of the WRT54G and
almost no knowledge of the various firmware mutations. However, none
of my assertions are specific to the WRT54G. A wireless router is
nothing more than an access point with a router glued onto a switch
where one of the switch ports goes to the router section. I've used
all three blocks both separately and together in various combinations.
If together, it's called a wireless router. If separated, they're an
access point, ethernet switch, and ethernet router. Such combinations
are found in other products other than the WRT54G.
I prefer facts to your imagination, which is no different than
marketing hype.
I prefer testing to prove (or disprove) my "facts". Would it help if
I write it up as an FAQ thereby gaining some form of authoritative
image?
Then test it and stop imagining what the test would show if it
was built differently than it is. (I tested a version 2.0 unit.)
Yes, sir. I'll have some time on Tuesday evening. If it's as easy as
you claim, I should know who's correct in short order.
I don't claim a monopoly on wireless knowledge and often find it
helpful to ask those that know more than I about things I know little.
The exercise is called "learning" and the process is called "asking
for help". There are several people on the thirdbreak.org mailing
list with considerably more experience in setting up and operating
wireless hot spots than me. Also, if the merits of my argument are
insufficient to convince you, perhaps others can do better. You
should be able to read the responses from the archive:
http://www.thirdbreak.org/pipermail/wireless/2005-February/thread.html
One reply already.
You might as well test more bridges to see if
they route! It makes no difference how many hot spots are *not*
configured to do that. The only reasonable test is to configure
your own WRT54G and test it.
Patience. Got any favorite firmware for the version 1.1 router? I
was thinking Sveasoft Satori 4.0.
(Of course, if you luck onto even so much as one hot spot that
does have it configured that way, that is a definitive test.
But who knows how many you'll need to test...)
Well, I tested two today. Both are local coffee shops.
Hot spot #1 was populated with 4 laptops (plus mine). Two XP machines
and two Mac iBooks. I could see both XP laptops with Network
Neighborhood. I could ping all 4 machines from my laptop. All 4
laptops showed up in my arp table (arp -a). The router was a WRT54G
but I couldn't easily determine the version.
Hot spot #2 was about the same. Only one XP laptop present. I could
ping it, but could not see it with Network Neighborhood. File sharing
is apparently disabled or the firewall does not have file and print
sharing exception checked. I couldn't tell what access point or
router was being used. The sticker on the door was "AMD Hotspot".
So, we have two hotspots that can move traffic between clients without
going through the router. I'll see if I can find some more. I
suspect that Starbucks and T-Mobile use better access points.
Actually, you are simply wrong again. Let me repeat that for you:
The WRT54G _won't_ _even_ _show_ _up_ _with_ _traceroute_, and there is no
expectation that an intruder would be stupid enough to configure
a node that would.
Who said anything about the WRT54G in the traceroute? I was talking
about a man in the middle attack using a laptop with a spoofed access
point, spoofed DHCP server, and software router (with capture or
redirection software) running on the laptop.
What traceroute returns depends on how the TTL field is handled.
It has nothing to do with either ICMP or UDP pings.
Traceroute requires that the ICMP Time Exceeded response is functional.
Traceroute packets have very small TTL values. Each router decrements
the TTL value until it hits zero. A TTL of 1 will get the first
router to respond. TTL=2 for the 2nd router. TTL=3 for the third,
etc. More details:
http://www.freesoft.org/CIE/Topics/54.htm
Bottom line... ICMP has to be working in order to get a response.
Don't be a boor, stop arguing silly semantics. It's an AP.
It says router on the front panel.
The logic of going to a local hot spot is the same as testing
bridges to see if they will route. It makes no difference how
many you find that do what you say, it only matters that the
WRT54G *does* route, regardless of what you say.
Try this little test. Go to whatever page in the WRT54G web
configuration that reports traffic statistics in the router section.
Now, generate some traffic between two wireless computers through the
WRT54G. Netstat -r should also show per-interface statistics. Do the
router statistics increment? Nope. That's because none of the
packets are going through the router section. Therefore, there's
nothing you can do in the router section that will affect traffic in
the access point section between wireless clients. Same with wired
PCs plugged into the LAN ports. The packets don't hit the router
section.
Not that speculation is bad! But you've posted it as *fact*,
and when someone points to real examples that contradict your
speculation you obfuscate with illogical arguments, semantic
games, and irrelevant examples... and say it isn't true.
I did? Kindly re-read the beginning of my:
(e-mail address removed)
where I clearly proclaim:
"Nope. Here's where I get on thin ice as I'm not sure how existing
implementations do such things. I'm also not too good on the
protocol thing. Therefore, I'll guess(tm) how I would implement
such a scheme."
That's called a disclaimer. I make it habit of posting such
disclaimers when I'm not really 100.0% sure of what I'm posting. I
did the same in several other places where I wasn't 100.0% sure. If
I'm wrong, I expect a correction, not abuse.
You missed the point: It affects a lot more than Layer 2 when it
hits a router. Does it get routed, or not?
I say that traffic between wireless clients does NOT get routed. You
say otherwise. I can prove my contention by simply monitoring the
traffic that goes through the router. If wireless to wireless traffic
does not increment the router section traffic counters, then it
doesn't go through the router.
If it does, it
certainly is not happening at Layer 2! (And of course if it
doesn't, none of the above is relevant then either!)
A switch maps destination MAC addresses to ethernet ports. A VLAN
segments the ports into separate switch domains by tagging the packets
with the VLAN number. Everything is done on Layer 2 with no IP
addresses involved.
The non-techie OP can logically respond with a one line summary
judgment to what you posted. Your response to my detail was
illogical, and far less appropriate than what the OP had to say.
Ok. I'll accept that as valid criticism. I do tend to have a short
temper when irritated and do tend to say dumb things. I'm not sure
what I'm going to do about it, but I'll at least try to be more
diplomatic in the future.
You don't seem interested in learning about the equipment and
how to use it.
I eat, drink, breathe, and work with equipment. It's a constant
learning exercise. I'm one of those that takes things apart BEFORE I
plug them in. If you dive into my web pile photo collections:
http://members.cruzio.com/~jeffl/pics/
http://jeffl.ihwy.com
you'll see a few photos of equipment I've torn apart, dissected, and
sometimes repaired successfully. I'm not sure what gave you that
erroneous impression.
That is not required to separate wireless clients.
OK, so you're not using a VLAN to separate wireless clients. It's odd
that a company would produce a wireless virtual VLAN product line when
such things are allegedly easily done without a VLAN.
http://www.cpx.com/whitepapers/Compex Psuedo VLAN.pdf
Let's say I'm suspicious.
But I was assuming that you understood that ping uses
routed packets, and if there is no route... then two wireless
clients cannot ping each other.
Well, yes. ICMP and UDP ping do work at the IP level and honor
routing. The conventional access point's DHCP server delivers
255.255.255.0 as the netmask making all the machines on the wireless
LAN visible to each other. However, I can see everyone at the MAC
level. If the requirement is to only be invisible at the IP level,
then you're absolutely correct. The routing table you posted in:
(e-mail address removed)
will work as you described. However, if the requirement is to remain
invisible at the MAC level, then I can still see other wireless
devices at the MAC level. I'm not sure how much damage I can do with
this, but I'm sure something can be done.
You might even have drawn the conclusion (giant leap of faith
that it is) that the only reasonable way I would know it does
not route packets between wireless clients would be because I
tried to ping one wireless client from another (or in this case,
a couple of them) and found that it failed, while at the same
time it was possible to ping hosts on the Internet via the
gateway. Why else would I say that it works the way I
described?
Thanks. So you tried to ping between wireless clients and it didn't
work. Now, it's my turn to try the same thing. If you have a Linux
box or Live CD handy, you might try using arping to ping by MAC
address.
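The post's explanation of traceroute (probes with TTL 1, 2, 3, ...; each router decrements the TTL; the hop that hits zero answers with ICMP Time Exceeded, so a hop that blocks ICMP shows up as nothing) and the point that a bridged access point never appears in a traceroute can both be seen in a small simulation. The following is an added example, not code from the thread; the `Device` class, the path and the addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
# Added example (not code from the thread): a toy model of how traceroute
# walks a path by TTL.  Device names and addresses are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    addr: str
    layer3: bool = True              # routers decrement TTL; bridges and APs do not
    icmp_time_exceeded: bool = True  # False models a hop that filters/drops ICMP


def traceroute(path, destination, max_ttl=30):
    """Send probes with TTL 1, 2, 3, ... and record who answers each one.

    A Layer-3 hop decrements TTL; when it reaches zero that hop answers with
    ICMP Time Exceeded (or nothing, shown as '*', if ICMP is blocked).  A
    Layer-2 device on the path never touches TTL and never appears.
    """
    trace = []
    for ttl in range(1, max_ttl + 1):
        remaining = ttl
        answer = None
        for dev in path:
            if not dev.layer3:
                continue                      # transparent bridge/AP
            remaining -= 1
            if remaining == 0:
                answer = dev.addr if dev.icmp_time_exceeded else "*"
                break
        if answer is None:                    # probe survived the whole path
            answer = destination
        trace.append((ttl, answer))
        if answer == destination:
            break
    return trace


# Constructed path: an AP bridging the wireless LAN, the hot spot's router,
# an upstream hop that filters ICMP, and one more router before the target.
SAMPLE_PATH = [
    Device("ap-bridge", layer3=False),
    Device("192.0.2.1"),
    Device("198.51.100.1", icmp_time_exceeded=False),
    Device("203.0.113.1"),
]
TARGET = "203.0.113.9"


def sample_trace():
    return traceroute(SAMPLE_PATH, TARGET)


if __name__ == "__main__":
    for ttl, who in sample_trace():
        print(f"{ttl:2d}  {who}")
```

Running it prints the bridged AP nowhere, the first router at TTL 1, a `*` for the ICMP-filtering hop at TTL 2, and the target at TTL 4. The `*` line is the practical caveat: a silent hop is indistinguishable from a firewall that drops ICMP Time Exceeded, so an empty line in a traceroute is evidence of filtering, not of an absent router.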
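The argument in the post about the router-section traffic counters (wireless-to-wireless and wired-LAN frames are switched at Layer 2 and never reach the router section), the description of a switch as a MAC-to-port map with VLANs splitting it into separate domains, and the question of whether wireless clients can be separated without a VLAN can all be exercised in one Layer-2 model. This is an added example and not the thread's or Linksys's code; the port names, the locally administered MAC addresses, the `client_isolation` setting and the `router_pkts` counter are constructed, with the router section modelled as one switch port that trunks every VLAN.

```python
# Added example (not code from the thread or from Linksys): a Layer-2 model of
# a wireless router, i.e. an access point bridged to a learning switch with
# the router section hanging off one switch port.  Port names, MAC addresses
# and the "client_isolation" setting are constructed for illustration.
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
ROUTER_PORT = "router"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str


@dataclass
class Port:
    name: str
    vlans: frozenset          # VLAN membership; an access port has exactly one
    wireless: bool = False    # True for a wireless station attached to the AP

    @property
    def access_vlan(self):
        return min(self.vlans)  # untagged ingress traffic lands in this VLAN


@dataclass
class WirelessRouter:
    ports: dict                      # name -> Port
    client_isolation: bool = False   # AP refuses to relay station-to-station
    mac_table: dict = field(default_factory=dict)   # (vlan, mac) -> port name
    router_pkts: int = 0             # the "router section" traffic counter

    def forward(self, in_name, frame):
        """Switch one frame and return the ports it was sent out of."""
        in_port = self.ports[in_name]
        vlan = in_port.access_vlan
        self.mac_table[(vlan, frame.src_mac)] = in_name      # learn source
        learned = self.mac_table.get((vlan, frame.dst_mac))
        if frame.dst_mac == BROADCAST or learned is None:
            # unknown or broadcast destination: flood within the VLAN only
            candidates = [p for p in self.ports.values()
                          if vlan in p.vlans and p.name != in_name]
        elif learned == in_name:
            candidates = []
        else:
            candidates = [self.ports[learned]]
        out = []
        for p in candidates:
            if self.client_isolation and in_port.wireless and p.wireless:
                continue              # station-to-station frame is dropped at the AP
            out.append(p.name)
            if p.name == ROUTER_PORT:
                self.router_pkts += 1
        return out


ALICE, BOB, GATEWAY = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:01"


def make_router(client_isolation=False, guest_vlan=False):
    bob_vlan = 2 if guest_vlan else 1
    ports = {
        "wl-alice": Port("wl-alice", frozenset({1}), wireless=True),
        "wl-bob": Port("wl-bob", frozenset({bob_vlan}), wireless=True),
        "lan1": Port("lan1", frozenset({1})),
        ROUTER_PORT: Port(ROUTER_PORT, frozenset({1, 2})),   # router trunks both
    }
    return WirelessRouter(ports, client_isolation=client_isolation)


def unicast_after_learning(rtr, src_port, src_mac, dst_port, dst_mac):
    """Let the destination announce itself, then send one unicast to it.

    Returns (egress ports, increase in the router counter for that unicast).
    """
    rtr.forward(dst_port, Frame(dst_mac, BROADCAST))
    before = rtr.router_pkts
    out = rtr.forward(src_port, Frame(src_mac, dst_mac))
    return out, rtr.router_pkts - before


def scenarios():
    return {
        "default, Alice -> Bob": unicast_after_learning(
            make_router(), "wl-alice", ALICE, "wl-bob", BOB),
        "isolation, Alice -> Bob": unicast_after_learning(
            make_router(client_isolation=True), "wl-alice", ALICE, "wl-bob", BOB),
        "isolation, Alice -> gateway": unicast_after_learning(
            make_router(client_isolation=True), "wl-alice", ALICE, ROUTER_PORT, GATEWAY),
        "guest VLAN, Alice -> Bob": unicast_after_learning(
            make_router(guest_vlan=True), "wl-alice", ALICE, "wl-bob", BOB),
    }


if __name__ == "__main__":
    for name, (out, delta) in scenarios().items():
        print(f"{name:30s} egress={out} router_pkts+={delta}")
```

The four scenarios show the two halves of the disagreement side by side: in the default configuration Alice's unicast to Bob leaves only on Bob's port and the router counter does not move, which is the "the packets don't hit the router section" observation; with the AP-level isolation flag set the same frame is dropped at the access point while Alice's frame to the gateway still reaches the router, which is separation without a VLAN; and with Bob on a separate VLAN, Alice's frame floods only her own VLAN (the wired port and the router trunk), so routing policy is what decides whether the two clients can ever talk. Either isolation mechanism is a Layer-2 decision; nothing in the IP routing table is consulted.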