[isf-wifidog] Implementing ipv6 support on wifidog

Richard Lussier richard.lussier at gmail.com
Sat 12 Feb 13:27:03 EST 2011


Hi,

Would that approach make it easier to port to FreeBSD?... I am thinking 
about a package for pfSense?
Sorry if that does not make sense, I'm a newbie.. :-)

Richard

On 2011-02-12 13:02, Andrew Niemantsverdriet wrote:
> Hi,
>
> 2011/2/12 Jean-Philippe Menil <jean-philippe.menil at univ-nantes.fr>:
>> On 11/02/2011 20:30, Geneviève Bastien wrote:
>>> ip6tables uses filtering, based on the ip address, instead of nat, and you
>>> can still build firewall and routing rules with it.
>>>
>>> But I'll take a look at tproxy and ipset and see if it would work best for
>>> wifidog.
>>>
>>> Geneviève
>>>
>>>
>>>> On 11/02/2011 17:01, Geneviève Bastien wrote:
>>>>> Hi all,
>>>>>
>>>>> We'll soon start working on implementing the ipv6 support on the wifidog
>>>>> client.  One of the problems will be to port to ip6tables the actual
>>>>> iptables that wifidog creates at startup, so that all the redirects
>>>>> still work on ipv6.
>>>>>
>>>>> Can anyone help with that?
>>>>>
>>>>> Thanks,
>>>>> Geneviève
>>>> Hi,
>>>>
>>>> there's no nat on ipv6.
>>>> So it's hard to port it to ipv6.
>>>> Maybe you can look at the tproxy target, or maybe ipset, but I'm not
>>>> sure for ipset.
>>>>
>>>> Regards.
>>>>
>>>
>> Hi,
>>
>> I know what ip6tables does.
>> But today, the redirection is made with a nat rule.
>> You can't do the same with ip6tables.
>>
>> Regards.
> I agree that making the IPTables rules as a shell script(s) would be
> ideal. You can still do a transparent proxy with IPv6 so the operation
> would be similar to how wifidog works now.
>
> The iptables would be similar to what is working now. Except rather
> than relying on NAT a transparent box would do the work. TinyProxy is a
> program that I have had good luck with. TinyProxy would work with both
> IPv6 and IPv4 the exact same way so the overhead of maintaining two
> separate systems would be greatly reduced. The other thing that
> TinyProxy supports is whitelisting sites so a "walled garden" would be
> easy to implement.
>
> The bad thing about this approach is you lose the gateway code
> maturity / stability. However as Jean-Philippe has stated there is no
> way for the existing code to just be ported; a new mechanism needs to
> be used because IPv6 does not use NAT.
>
> The part I understand the least is how the gateway communicates with
> the auth server. So I don't know what would need to be changed with
> that to enable this new system. However it would be nice to devise a
> protocol that would allow things like "whitelisted" MACs to be passed
> to the gateway and things like per client speed control information.
>
> I would be interested to hear an overview of how the gateway talks to
> the auth server. I think moving to a proxy based system makes a lot of
> sense so that two separate wifidog gateways do not have to be
> maintained. I also think that abstracting the iptables rules to shell
> scripts makes a lot of sense.
>
> Thanks,
>   _
> /-\ ndrew
> _______________________________________________
> WiFiDog mailing list
> WiFiDog at listes.ilesansfil.org
> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>


More information about the WiFiDog mailing list