hostapd + dhcpd (+ FreeRADIUS?) and two different kinds of clients

Bryan Kadzban bryan at
Tue Sep 12 17:52:36 EDT 2006

Lev Serebryakov wrote:
> IPs should be from differnet networks for trusted and untrusted 
> cleints.

Since you're willing to accept different IP ranges for various clients,
it sounds like VLANs might be one way of doing this, if there's software
support for it.

Cisco APs, for instance, understand 802.1q VLAN tagging, and let you set
up multiple SSIDs (each with different security requirements), and map
one SSID to one VLAN.  Then a client that associates with (say) "sec"
gets all its traffic sent out the AP without any tagging, while clients
that associate with (say) "psk" get all their traffic sent out tagged as
VLAN 2.  (Or whatever.)  You do need managed VLAN-capable switches, so
you can keep the clients separated.

Then, you could have two separate DHCP servers running (one on each
VLAN), handing out different ranges of addresses to the clients.
Firewalling would be handled based on the "physical interface" (actually
it'd be based on the VLAN tags inserted by the AP(s) or switches), not
the IP range or MAC address.  Basically your firewall would be on a
"trunk" port and see all traffic, and it would create a virtual
interface for each VLAN.  Then the firewall would happen at each virtual

I have no idea if such a setup is possible in hostapd, though.  I think
I remember hearing something about Devicescape having a multiple-BSSID
driver working; that would be another requirement (so that each virtual
SSID has its own BSSID, so the AP can tell apart the networks when it
receives a frame).  Jouni, did anything ever happen with that mBSSID
setup?  Or am I remembering wrong?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
Url : 

More information about the HostAP mailing list