2017-07-30 - Re: [GRASE-Hotspot] inside network users getting onto outside network

Header Data

From: Timothy White <ti***8@gmail.com>
Message Hash: 5fbf0fb69efe2124507db5c8622a437611311f2429392de0a10880ce0da8152a
Message ID: <CAESLx0+pLHd3pSwKYKT4h-CeysM7oxQCjmevRB9uaj+shtEs0A@mail.gmail.com>
Reply To: <1eca536d-18c7-4096-899f-008811048d71@grasehotspot.org>
UTC Datetime: 2017-07-30 00:28:52 UTC
Raw Date: Sun, 30 Jul 2017 17:28:52 +1000

Raw message

Hi Daniel

This sounds like you might have an isolation issue. The WiFi on the Grase
Hotspot side, should have to go through the Grase server to be able to
access the "outside" network. By default, "inside" ip addresses can access
"outside" ip addresses, but in no way should be able to assign themselves
an outside IP address. If they do try, no traffic should flow, because the
Grase server will be trying to access them on the outside network, and any
access via the internet, will also not be trying to reach them behind the
Grase server.

Can you possibly draw a diagram as to how your hardware is wired, what IP
ranges are in use, and how you are seeing this "bypass" being done.

(If you are instead asking how to stop "inside" users from access resources
in the "outside" network without preventing internet access, then it's a
case of modifying the IP tables rules to masquerade to all addresses,
except the outside addresses. But based on your email, it doesn't sound
like that's your request).

Regards

Tim

On Sun, Jul 30, 2017 at 12:59 AM, Daniel Crusoe <di***n@gmail.com>
wrote:

> I am sure there is probably a thread where you explain how to close down
> traffic through the server to the outside(internet) network from the inside
> (Grase) network. but dumb me cannot find it.
>
> THE PROBLEM:
> I basically have some users that are assigning their devices on the inside
> of the network an i.p. address from the outside network and this is
> allowing them unfettered access to the internet (not through Grase). how
> would i stop this through traffic from running on my network (i cannot go
> to each user and check their systems. i need to implement this from my
> server).
>
>
> thanking you in advance for your help
>
> --
> This mailing list is for the Grase Hotspot Project http://grasehotspot.org
> ---
> You received this message because you are subscribed to the Google Groups
> "Grase Hotspot" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to gr***e@grasehotspot.org.
> To post to this group, send email to gr***t@grasehotspot.org.
> Visit this group at https://groups.google.com/a/
> grasehotspot.org/group/grase-hotspot/.
> To view this discussion on the web visit https://groups.google.com/a/
> grasehotspot.org/d/msgid/grase-hotspot/1eca536d-18c7-
> 4096-899f-008811048d71%40grasehotspot.org
> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/1eca536d-18c7-4096-899f-008811048d71%40grasehotspot.org?utm_medium=email&utm_source=footer>
> .
>

Thread