[geeks] Rant: Network "Industry Leaders" That Don't.

Jonathan C. Patschke jp at celestrion.net
Wed May 1 22:01:30 CDT 2002


On Thu, 2 May 2002, Kris Kirby wrote:

> Is it their link? Or is the AP on your side owned by you?

Theirs.

> If you can get them to pop the AP back to bridge mode, your troubles are
> over.

Not likely.

> And you're really missing the point. I used to WISP for a living. APs
> can be programmed to function as routers (AP's IP is #; your IP is this
> one and the gateway is this one.) or bridges. In bridge mode, it will pass
> *any* ethernet traffic. And as such, you only need to set the PC router to
> the IP on your side of the wireless run and set the gateway to their side.

No, I understand perfectly.  I've also done WISP as my day job.  The
problem is the initial setup:

[router]-----[lan]----<fibre media convertor>----[lan w/ AP]

That is, the AP is on the lan that needs to be NATed, not on the other
side of it, as it should be.  Granted, this wouldn't be a problem if there
weren't three networks on the other side of the router that -also- need to
be NATed through that connection.

The AP doesn't have its own line to the router, so popping the AP in
bridge mode means that -all- the LAN traffic would be flowing over the
wireless.

I -want-:

[lan]----[router]---<fibre>----[AP]

> We ran turbocell over Orinoco. There are some interesting things about
> getting a Lucent card to go promiscuous. But I do believe the AP1000 will
> do bridge mode. Shoot me the name of the ISP (erm, privately) and I'll see
> if they are on isp-wireless and ask them a few questions.

It does bridge mode just fine.  That's not the problem.  The problem is
that the entire network looks like this:


                     {Internet}
 (Lucent) wireless  /          \ wireless (Lucent)
                   /  wireless  \
            {site 1}------------{site 2}
                                 |
                                 | fibre
                 {site 4}-------{site 3}---------{site 5}
                            T1           Frac T1

Site 2 has a full LAN (including all of Site 3), the connection to the
World, and the connection to the important server at Site 1 all on the
same collision domain and IP subnet.  This is historical, and not my
fault.

The end-goal is:

                   {Internet}
                             \ wireless (Lucent)
                              +
            wireless   fibre at 2 \ fibre junction at 2 
    {site1}----------+----------{site 3}
                               /  |    \
                        fibre /   |T1   \ Frac T1
                             /    |      \
                     {site 2}  {site 4}  {site 5}

This way, while all the links to the 'Net and to Site 1 would physically
reside at 2, they would topographically appear at 3 via all of 100 feet of
fibre.  This way, the AP can be toggled into bridge mode and be the only
thing on that Ethernet segment (other than the router), just like it
-ought- to be (and how you probably thought it was, as anything else would
be stupid).

Ideally, everything would be concentrated at Site 1, but there's no way in
hell they'll go for that.

> > Yes, but your method would require purchasing managed Ethernet switches.
> 
> You could do it with two PCs. Pentiums even.

I hadn't thought of that.

> > [1] I also neglected to mention the utter idiocy of the software folks
> >     managing the RS/6000.  They don't believe in TCP-wrappers.
> 
> Point out what a gaping hole that is and explain that *any* ev1l haxX0r
> could do them major damage. And since they are $gov, explain the headline
> to them as it would read in the paper.

I can't get them to go with SSH, but I can probably (hopefully) at least
get them to go with TCP-wrappers.  If not, the final layout of the network
will have that server firewalled and port-forwarded.  I can always
firewall it such that only we and they have access, and to hell with them
if they want in and they're not at the home-office.  The agency pays them
$bignum monthly to -run- their server not to open its ass to the world.

SSH isn't doable because their integrated Winders software runs over
telnet and basically mimics rexec.  Also, 70% of the users are still on
dumb terminals connected to a terminal server.

> And if $ISP is unwilling to reprogram the AP... good fucking luck. :-)

They left the r/w neighborhood at the default.  I have since changed that,
and they no longer have access to that AP.  If they want it, they can call
me.

--Jonathan
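For readers who have not met TCP-wrappers: the point of the hosts.allow / hosts.deny pair discussed above is that libwrap consults hosts.allow first (first match grants), then hosts.deny (first match denies), and otherwise lets the connection through. The following is an added illustration, not code from this post or from the RS/6000 vendor; it simulates those decisions for a telnet daemon restricted to the agency's sites and the vendor's home office. The daemon name (in.telnetd), the network numbers and the file contents are all constructed placeholders.

```python
"""Simulate TCP wrappers (hosts_access(5)) decisions for a daemon such as in.telnetd.

Added example for the thread above; it is not code from the post or from the
RS/6000 vendor. Evaluation order follows libwrap: hosts.allow is searched first
and the first matching (daemon, client) pair grants access; otherwise hosts.deny
is searched and a match denies; otherwise access is granted. All addresses and
file contents below are constructed for illustration.
"""
import ipaddress

# Constructed hosts.allow: telnet only from the agency's own sites and the
# vendor's home-office block. The networks are invented placeholders.
HOSTS_ALLOW = """
# in.telnetd: our three sites (trailing dot = network prefix) ...
in.telnetd : 192.168.10. 192.168.20. 192.168.30.
# ... and the vendor's home office as a net/mask pair
in.telnetd : 10.200.0.0/255.255.0.0
sshd : ALL
"""

# Constructed hosts.deny: without this catch-all, anything not listed in
# hosts.allow is still accepted, because the default decision is "allow".
HOSTS_DENY = """
ALL : ALL
"""


def parse_access_file(text):
    """Return [(daemon_patterns, client_patterns)] for each non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed access rule: %r" % line)
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, addr):
    """Match one client pattern against a dotted-quad address (IPv4 subset)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        # "192.168.10." matches 192.168.10.x but not 192.168.100.x
        return addr.startswith(pattern)
    if "/" in pattern:
        # net/mask pair, e.g. 10.200.0.0/255.255.0.0
        net, mask = pattern.split("/", 1)
        network = ipaddress.IPv4Network((net, mask), strict=False)
        return ipaddress.IPv4Address(addr) in network
    return addr == pattern


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def rule_matches(rules, daemon, addr):
    """True if some rule's daemon list and client list both match."""
    for daemons, clients in rules:
        if any(daemon_matches(d, daemon) for d in daemons) and \
           any(client_matches(c, addr) for c in clients):
            return True
    return False


def hosts_access(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """libwrap decision: allow-file match -> True, deny-file match -> False, else True."""
    if rule_matches(parse_access_file(allow), daemon, addr):
        return True
    if rule_matches(parse_access_file(deny), daemon, addr):
        return False
    return True


if __name__ == "__main__":
    checks = [
        ("in.telnetd", "192.168.10.7"),   # agency site: allowed
        ("in.telnetd", "10.200.3.4"),     # vendor home office: allowed
        ("in.telnetd", "203.0.113.9"),    # vendor on the road: denied
        ("in.ftpd", "192.168.10.7"),      # not in hosts.allow at all: denied
    ]
    for daemon, addr in checks:
        print("%-11s from %-14s -> %s" % (daemon, addr,
              "allow" if hosts_access(daemon, addr) else "deny"))
    # The footgun: an empty hosts.deny leaves every unlisted client allowed.
    print("telnet from 203.0.113.9 with empty hosts.deny ->",
          hosts_access("in.telnetd", "203.0.113.9", deny=""))
```

The last line of the demo is the part worth remembering: a hosts.allow with no matching "ALL : ALL" in hosts.deny restricts nothing, which is why "only we and they have access" needs both files (or, as the post says, a firewall in front of the server).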
