Hi, I'm trying to figure out a way to configure a Wireless Access Point (WAP) in a way that gives access to everyone and in the same time forbids packet sniffing and accessing each other computers.
What I thought about so far is setting firewall rules on the WAP like that:
firewall block 192.0.0.025188.8.131.52
the WAP Gateway IP is for example 192.168.0.1 so no one can ping or access other WLAN users.
1- With such firewall rule, can users sniff LAN packets although they can't reach each other? I think yes they can, but I'm not sure.
2- If can sniff, is there any way to isolate users totally (VLAN for each user over WLAN)?
If I set security for encryption like WAP2/PSK TKIP/AES and of course I'll have to give the key to everyone, will that improve the situation?
I understood that WAP2/PSK AES/TKIP will give random encryption key to each user although the primary key is shared, so I thought that is more secure. but can they still capture each other packets?
I was thinking of setting a server to detect PCs with promiscious mode NIC, for example forge a ping request with wrong MAC and see if I get a response, if I get a response, I should black list the user.
Tell me more about public WAP security, is my understanding correct?
P.S. the product is DD-WRT router with WiFiDog.
Thank you for reading.
You can not prevent packet sniffing in a wireless LAN.
If I have a wlan adapter running in promiscuous-mode, it will be able to, listen to all packets sent within range of my antenna, no matter how you configure your router.
I will be able to record all traffic (within range) and, if it is un/decrypted, recreate all the sessions, for whatever purpose I want (if I can reach both the client and the access point, without packet-loss).
You can't have wireless-network safety without encryption.!
WPA2 is afaik still the best, if you use a properly strong key
and btw, the MAC address range is about 281.47498 E12.
Scanning that range with "forged" ping request's, within a reasonable time, will be a challenge on it's own :)
please search for
HotSpot/ Service Gateway Series
I remember that ZyXEL had some of them
you'll not be able to prevent sniffing but the rest is ok
second if you are concerned by the sniffed traffic
and "guests" are your laptops (for example you need to prevent sniffing on laptops which leave the office into free wifi networks
you could implement VPN connection to your site