On Sun, 7 Apr 2013, Robert Hajime Lanning wrote:
> On 04/07/13 04:15, David Lang wrote:
>> also, as you move from one zone to another, all your connections will
>> drop as the new router won't have them in its masquerade tables.
> Yes, that would be true. I spaced on the NAT state table, though, you
> could probably find a way to sync them, across routers. Depending on the
> router. :) But, definitely not a "supported" feature.
actually, there is the supported libconntrack that can sync these sorts of
things between machines, but it's really aimed at the active/passive failover.
It has no way of handling the case where the destination machine of the
replication has conflicting data in its state tables.
I've never set it up, but I've been watching it off and on for a few years. (I
run over a hundred firewall pairs, but failover is infrequent enough that we've
just accepted that when a failover happens connections get lost rather than the
complexity and resulting problems that implementing this replication would cost)
>> subnet size should not be a problem, very few places need to support
>> more than 64K (/16) users, and even fewer would need more than 16M users
>> (/8)
> Just needs to not clash with any other subnet that they need to get to. But
> that is usually easy.
yep.
>>> IPv6 is another story...
>> How would IPv6 change anything here? I don't see IPv4 really being a limit.
> Supporting v6 in this method would break some of v6's pieces, I think.
> IPv6 does not like NAT (it can do it, as long as you don't use any of the
> security features.) Remember IPsec is backported from IPv6. IPsec cannot be
> NATed, only tunneled.
> I think with IPv6, a single campus wide VLAN would work fine. It has no
> broadcast, only multicast.
usually when people say things like that, they are implying that IPv6 solves the
problem (or at least makes it much easier), so I wanted to check on what you
were meaning :-)
David Lang
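The three situations discussed in this thread, as an added illustration that is not code from the list, from either poster, or from conntrack-tools (the real state-sync daemon there is conntrackd, built on libnetfilter_conntrack): a toy model of two masquerading routers with independent NAT tables. It shows why a reply packet is dropped when the client's traffic moves to a router that never saw the outbound SYN, why copying the state over fixes that in the clean active/passive case, and what the "conflicting data in the destination's state table" case looks like when both routers were active and handed out the same public port. All addresses, ports, flows and the router names A and B are constructed sample data.

```python
"""Toy model of stateful NAT (masquerade) failover. Added illustration only;
not code from the mailing list, its posters, or conntrack-tools.
Addresses, ports and flows are constructed sample data."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str       # private source address
    sport: int
    dst: str
    dport: int


@dataclass
class NatRouter:
    """One masquerading router with its own conntrack/NAT table."""
    name: str
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)    # Flow -> allocated public port
    reverse: dict = field(default_factory=dict)  # (dst, dport, public port) -> Flow

    def outbound(self, flow: Flow) -> tuple:
        """Translate an outbound packet; allocate a mapping on first sight
        (the equivalent of a new conntrack entry with a NAT binding)."""
        if flow not in self.table:
            port = self.next_port
            self.next_port += 1
            self.table[flow] = port
            self.reverse[(flow.dst, flow.dport, port)] = flow
        return (self.public_ip, self.table[flow], flow.dst, flow.dport)

    def inbound(self, src: str, sport: int, dst_port: int):
        """Translate a return packet. None means this router has no state for
        it, so the packet is dropped and the client's connection dies."""
        flow = self.reverse.get((src, sport, dst_port))
        if flow is None:
            return None
        return (src, sport, flow.src, flow.sport)

    def replicate_from(self, other: "NatRouter") -> list:
        """Copy another router's NAT state into this one. Returns the flows
        that could not be merged because this router already uses the same
        public port for a different flow: the conflict case a plain
        replication scheme has no answer for (here the local entry wins)."""
        conflicts = []
        for flow, port in other.table.items():
            key = (flow.dst, flow.dport, port)
            existing = self.reverse.get(key)
            if existing is not None and existing != flow:
                conflicts.append(flow)
                continue
            self.table[flow] = port
            self.reverse[key] = flow
            self.next_port = max(self.next_port, port + 1)
        return conflicts


SERVER = ("198.51.100.10", 443)


def failover_without_sync():
    """Client's traffic moves from router A to router B; B has no state."""
    a = NatRouter("A", "203.0.113.1")
    b = NatRouter("B", "203.0.113.1")  # B takes over the same public address
    flow = Flow("10.0.0.5", 51000, *SERVER)
    _, pub_port, _, _ = a.outbound(flow)
    # the server's reply now lands on whichever router owns the public address
    return a.inbound(*SERVER, pub_port), b.inbound(*SERVER, pub_port)


def failover_with_sync():
    """Same, but A's table was replicated to B before the failover."""
    a = NatRouter("A", "203.0.113.1")
    b = NatRouter("B", "203.0.113.1")
    flow = Flow("10.0.0.5", 51000, *SERVER)
    _, pub_port, _, _ = a.outbound(flow)
    conflicts = b.replicate_from(a)
    return conflicts, b.inbound(*SERVER, pub_port)


def sync_with_conflict():
    """Both routers were active and each gave public port 40000 to a different
    client talking to the same server; replicating A into B collides."""
    a = NatRouter("A", "203.0.113.1")
    b = NatRouter("B", "203.0.113.1")
    fa = Flow("10.0.0.5", 51000, *SERVER)
    fb = Flow("10.0.0.9", 52000, *SERVER)
    a.outbound(fa)
    b.outbound(fb)  # B independently also allocates 40000
    conflicts = b.replicate_from(a)
    return conflicts, b.inbound(*SERVER, 40000)


if __name__ == "__main__":
    print("no sync:      ", failover_without_sync())
    print("with sync:    ", failover_with_sync())
    print("with conflict:", sync_with_conflict())
```

The model deliberately keeps the local entry on a conflict; real deployments avoid the collision entirely by never running both members active for the same public address, which is exactly why the thread notes the tooling is aimed at active/passive pairs.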
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/