2015-11-22 - Re: [GRASE-Hotspot] Network access

Header Data

From: David Wilson <da***e@argyle.com.au>
Message Hash: a61a95251d4a0d6ed272449e7d471c229f50c1da54886b36d83721f5aeb77ae5
Message ID: <EBFAAC4D-F1C8-4075-ABED-CBE04672E0F5@argyle.com.au>
Reply To: <CACJdL0OB=2OLTe1zshWMwoVu47t2zkv=wm35_r_PB=3z1qemWQ@mail.gmail.com>
UTC Datetime: 2015-11-22 15:07:52 UTC
Raw Date: Mon, 23 Nov 2015 09:07:52 +1100

Raw message 

Hi Jean, 

Can you confirm your LAN IP?

you wrote 10.10.1
I think you meant 10.1.0.1
But can you confirm. 

By default Grase will let hotspot users access the WAN, which is meant to be the Internet although there could be other things in the WAN as well as the internet. 
So putting the WAN interface of your Grase server on your private network is not a good idea. 

If your router supports it you could create an extra v-lan for your Grase WAN interface and have firewall rules blocking anything from that new v-lan to your private  network. So you would have 
1. Private network 
2. Grase WAN
3. Grase LAN (guest hotspot users) 

and your rules would be 

a) Private Network > Internet ALLOW
b) Grase WAN > Internet ALLOW
c) Grase WAN > Private Network BLOCK
d) Private Network > Grase WAN ALLOW
and you would keep the Grase LAN off the router altogether 


Alternatively, you would need to create a firewall rule on your Grase server to block everything to your private subnet (except your internet gateway/router).
This is a bit harder to do because you will want to have web access to Grase from your private network for the management pages of Grase. 
So you will need to allow replies only to private network. 

Dave 


> On 23 Nov 2015, at 2:16 am, Jean Létourneau <ve***t@gmail.com> wrote:
> 
> 
> 
> ​Good day all, I got Grace back up and running, Yeap running to well for me, let me try to explain.I have a from my LAN (WIFI) I can access my WAN. I prefered that would be the opposite but anyway.  created Vlan to isolate the 2 network, and if I do a trace route from the LAN to any device on my WAN, that  to the ubuntu (Grace host) and is routed on my WAN.  
> 
> here my setup Maybe a screwd up in my mask?
> 
> LAN : ip 10.10.1
> Mask: 255.255.128.0
> 
> Wan: ip 10.0.2.4
> GW ip:   10.0.2.10
> Mask: 255.255.255.0
>  
> I need fo find a way to isolate the WIFI network from my WAN, not really interested to have hacker trying to cet in my switchs or router. 
> 
> Any suggestions?
> 
> Have a good day.
> 
> Jean
> 
> 
> ​
> 
> 
> -- 
> This mailing list is for the Grase Hotspot Project http://grasehotspot.org <http://grasehotspot.org/>
> --- 
> You received this message because you are subscribed to the Google Groups "Grase Hotspot" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to gr***e@grasehotspot.org <mailto:gr***e@grasehotspot.org>.
> To post to this group, send email to gr***t@grasehotspot.org <mailto:gr***t@grasehotspot.org>.
> Visit this group at http://groups.google.com/a/grasehotspot.org/group/grase-hotspot/ <http://groups.google.com/a/grasehotspot.org/group/grase-hotspot/>.
> To view this discussion on the web visit https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CACJdL0OB%3D2OLTe1zshWMwoVu47t2zkv%3Dwm35_r_PB%3D3z1qemWQ%40mail.gmail.com <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CACJdL0OB%3D2OLTe1zshWMwoVu47t2zkv%3Dwm35_r_PB%3D3z1qemWQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.

Thread