this is essentially what i've been doing with my access point and it works quite nicely. i have placed my AP within the DMZ on my network, i don't allow any tcp or udp traffic out of the network unless it's on port 22 (ssh). all http traffic is transparently proxied to a web server which is running on that segment and informs the user that they cannot use this AP unless they have a tunneling mechanism in place.

by not allowing any tcp traffic outside of this segment (excepting ssh traffic) and not allowing anything other than protocol 47/50/51/120 traffic outside of the network you effectively make the segment useless for anyone who isn't tunneling through to the internet via an access concentrator at their ISP (or their corporate network).

this model can be extended to allow selectively opening up the network to folks using techniques like nocatauth or, for the adventurous with hardware to burn, pppoe or something else. (hark - ipsec access for wug members?)

for nodes where there are links to other locations within the WUG network (wireless ptp links) traffic can be tunneled appropriately to the other location and the remainder of the network.

this is a very simple, stable and straightforward technique that we can create cookie-cutter implementations of, like we were discussing at our 2nd meeting.

jeff - you're not missing out on anything, the problem domain has just been obfuscated. ;-)

when last we saw our hero (Monday, Aug 05, 2002), Matthew S. Hallacy was madly tapping out:

> On Mon, Aug 05, 2002 at 10:20:53AM -0500, jeffr at odeon.net wrote:
> >
> > [snip good content, see summary]
> >
> > Basic connectivity to the wireless network should be fairly simple
> > for Joe User. Plug in a wireless nic, configure for DHCP, and
> > you're on the network. You can't get out to the internet at this
> > point, but you can access any services being provided on the
> > wireless network. A community intranet of sorts perhaps. If the
> > user wants to get out to the internet then they either need to
> > figure out how to correctly set up their home network (and be
> > providing an access point on the wireless network) or they need to
> > purchase a gateway service from an ISP. If they are doing it on
> > their own they could get help from this mailing list, or perhaps
> > the TCLUG mailing list if they are using linux for their firewall.
> > If they are purchasing a service from an ISP, then they can call
> > the ISP for technical support.
> >
> > Jeff
>
> Excellent, this is exactly what I've been thinking.
>

--
steve ulrich sulrich at botwerks.org
PGP: 8D0B 0EE9 E700 A6CF ABA7 AE5F 4FD4 07C9 133B FAFC
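The DMZ policy described at the top of this post (ssh as the only TCP out, protocols 47/50/51/120 as the only other carriers out, plain HTTP steered to a notice page), written up as an added nftables ruleset for the gateway in front of the AP segment; this is not the poster's own configuration. Interface names, the notice page listening on the gateway itself on port 8080, and a local resolver on the gateway are assumptions.

```nft
# Constructed example; wlan0 = AP/DMZ segment, eth0 = upstream, this host = gateway.
# Assumed: the "you need a tunnel" notice page is served by the gateway on :8080,
# and the gateway hands out itself as DNS so browsers can reach the notice page.
table ip wug_dmz {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # transparently steer plain HTTP from the segment to the local notice page
        iifname "wlan0" tcp dport 80 redirect to :8080
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # the segment may reach only DHCP, the notice page and the local resolver
        iifname "wlan0" udp dport { 67, 53 } accept
        iifname "wlan0" tcp dport 8080 accept
        # admin access to the gateway from upstream (assumption)
        iifname "eth0" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # the only TCP allowed out of the segment: ssh, for ssh-carried tunnels
        iifname "wlan0" oifname "eth0" tcp dport 22 accept
        # tunnel carriers allowed out: GRE (47), ESP (50), AH (51) and protocol 120
        iifname "wlan0" oifname "eth0" ip protocol { 47, 50, 51, 120 } accept
        # all other TCP, all UDP and ICMP never leave the segment
        iifname "wlan0" oifname "eth0" drop
    }
    # No masquerade chain: the segment is assumed to be routed, not NATed,
    # since AH does not survive address translation and ESP needs NAT-T for it.
    # IPsec peers also need IKE on udp/500, which the policy as posted does not open.
}
```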