Member Avatar for ausrasul

Hi, I'm trying to figure out a way to configure a Wireless Access Point (WAP) in a way that gives access to everyone and in the same time forbids packet sniffing and accessing each other computers.

What I thought about so far is setting firewall rules on the WAP like that:
firewall block 192.0.0.0 255.0.0.0

the WAP Gateway IP is for example 192.168.0.1 so no one can ping or access other WLAN users.

The question:
1- With such firewall rule, can users sniff LAN packets although they can't reach each other? I think yes they can, but I'm not sure.
2- If can sniff, is there any way to isolate users totally (VLAN for each user over WLAN)?

If I set security for encryption like WAP2/PSK TKIP/AES and of course I'll have to give the key to everyone, will that improve the situation?
I understood that WAP2/PSK AES/TKIP will give random encryption key to each user although the primary key is shared, so I thought that is more secure. but can they still capture each other packets?

I was thinking of setting a server to detect PCs with promiscious mode NIC, for example forge a ping request with wrong MAC and see if I get a response, if I get a response, I should black list the user.

Tell me more about public WAP security, is my understanding correct?

P.S. the product is DD-WRT router with WiFiDog.
Thank you for reading.

  • 3 Contributors
  • 2 Replies
  • 211 Views
  • 1 Week Discussion Span
  • Latest Post Latest Post by larieu
Member Avatar for jak0b

You can not prevent packet sniffing in a wireless LAN.

If I have a wlan adapter running in promiscuous-mode, it will be able to, listen to all packets sent within range of my antenna, no matter how you configure your router.

I will be able to record all traffic (within range) and, if it is un/decrypted, recreate all the sessions, for whatever purpose I want (if I can reach both the client and the access point, without packet-loss).


You can't have wireless-network safety without encryption.!
WPA2 is afaik still the best, if you use a properly strong key

and btw, the MAC address range is about 281.47498 E12.
Scanning that range with "forged" ping request's, within a reasonable time, will be a challenge on it's own :)

Edited by jak0b because: n/a
Member Avatar for larieu

please search for
HotSpot/ Service Gateway Series
I remember that ZyXEL had some of them

you'll not be able to prevent sniffing but the rest is ok

second if you are concerned by the sniffed traffic
and "guests" are your laptops (for example you need to prevent sniffing on laptops which leave the office into free wifi networks
you could implement VPN connection to your site

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.