02-16-2008, 04:19 AM
The Jetman
 
Re: [3.3]Can OBSD Be a Router *AND* MAC Filter ?

erik <erik@geenspam.vanwesten.net> wrote in message news:<3f077873$0$49106$e4fe514c@news.xs4all.nl>...
> The Jetman wrote:
>
> > I just set up my 1st OBSD system and am making slow and steady progress
> > getting it together, but I'd like a simple question answered: can
> > OpenBSD be a NATing router *AND* a MAC filter simultaneously, based on
> > the baseline distro ?

>
> No, unless you adopt static routing.
>


Maybe I'm dumb, but I don't see what you're talking about in any
search I've done on Google or any other search engine. Hell, there's
damn little on the subject of MAC filtering via BSD, even though
the various implementations seem to be well-suited to the job.

My own experiments reveal MAC filtering is only possible if the
host is a bridge and NATing is only available on a gateway/router.
Can you confirm or deny this, based on your own experiences ?

> > I ask bec I *believe* one needs two machines to achieve the same
> > result w/ FreeBSD. That is, I can filter MACs if my test machine is a
> > bridge, but I also need a NATing router, which doesn't seem to work
> > until I switch to gateway mode.

>
> No. Why on earth do want such a useless, needlessly complex setup?
>


Again, I don't grok what you're referring to at all. I'm on a team doing
a wireless ISP install for a Fortune 500 corp's sites, so I understand a bit
about the subject. My corp client is using RADIUS authentication via a
local, Linux based AP, to give its wireless clients Internet access.
However, once the system is fully operational, my corp client will have
an external authentication service provider gate public Internet access
to its clients.

I normally work in a store, where MAC filtering *could* do the trick
(here wireless clients are fewer and far between.) I can get my FBSD
box to do MAC filtering (to limit LAN access), but I *apparently* need an
entirely different host, NATing wireless clients to the public Internet,
via a single public IP. This is essentially the same as my corporate
client, except I'd like to use manual authentication via MAC addresses
and they've opted for an automatic authentication server.

Consequently, I don't grok your comment: 'Why on earth do want such a
useless, needlessly complex setup?'

> >
> > If the answer is yes, I'll put this aside as a novel curiosity,
> > otherwise I'll proceed to build the desired system. Later....Jet

>
> Sorry to disappoint you.
>


Later....Jet