Subj : Wireless ISP
To   : comp.os.linux
From : Kevin Brown
Date : Tue Aug 10 2004 02:32 pm

Hello all,

I have been asked to set up a gateway for a wireless ISP. After doing some research, I have come up with a way for people to log in to the server, but have some questions about its security, expandability and stability.

First off, I am using Roaring Penguin's pppoe-server program as the PPPoE server. I am familiar with PPPoE for DSL, so I figured, since it is widely used, it would be easy for the clients to connect using it.

Once the pppoe-server was set up and running, I just had to make up a few firewall rules. For now I am using NAT. Since, whenever someone connects via pppoe it creates a ppp interface, I figured, to restrict access, I would let the NAT take place thru the pppx connections, but not thru the wireless interface (I tested it with ethernet so that'd be eth1 for me). If I didn't disallow NAT on eth1 then I could access the internet without logging in via PPPoE. These are my firewall rules:

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -A FORWARD -i ppp+ -j ACCEPT
    iptables -A FORWARD -i eth1 -j DROP

where eth0 is my internet connection, eth1 is the ethernet card (will be the wireless interface with the WISP) going out to the computers which require PPPoE authentication, and ppp+ are all the verified ppp connections.

First of all, how secure is this way of authentication? I was thinking to myself, since passwords probably aren't encrypted, it would be easy for hackers to find people's login names and passwords. So, is there a way to encrypt PPPoE passwords with my setup?

Secondly, how do I make sure two people are not logged in with the same login name?

For bandwidth control should I use 'tc' or is there a better way?

And finally, should I run a DHCP server off eth1? pppoe-server gives the connected computer an IP address, but should I assign an IP to the client's wireless card? They're not connecting to the internet through it, but I am wondering what the professionals think.

Thank you for all your help in advance, I really appreciate it.

Kevin Brown