Guest isolation

Hi,
On the Aironet access points there is a feature: PSPF - Publicly Secure Packet Forwarding. This feature blocks inter-client communication. Is there a similar feature available for the WLC Airespace products?
Regards
Joerg

Under the Controller menu -> General there is an option for Peer to Peer blocking. That should be what you are looking for. Keep in mind that it applies to all SSIDs. There is no per-SSID option for blocking client-to-client traffic.
-Eric
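A way to verify that peer blocking (or the wireless isolation setting on a consumer AP) is actually taking effect, added here as an example and not part of the original thread: export flow records from a capture on the wired side of the controller and run them through the check below, which flags any flow whose source and destination are both clients in the guest subnet. The guest subnet 10.20.0.0/22, its gateway 10.20.0.1 and the sample flows are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread: look for client-to-client flows inside a
# guest wireless subnet. If peer blocking / wireless isolation is working, the
# only guest-subnet peer a client should ever talk to is the gateway.
# Input lines: "src dst proto dport" (e.g. exported from a flow collector or
# `tshark -T fields -e ip.src -e ip.dst -e ip.proto -e tcp.dstport`).
# Requires only POSIX sh and awk.

# Exit 0 if dotted-quad $1 lies inside CIDR $2 (e.g. 10.20.0.0/22).
# awk has no bitwise operators, so the prefix is compared via integer division.
ip_in_cidr() {
    awk -v ip="$1" -v cidr="$2" '
        function to_int(a,    p) {
            split(a, p, ".")
            return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
        }
        BEGIN {
            split(cidr, c, "/")
            hostbits = (c[2] == "") ? 0 : 32 - c[2]   # no "/n" means a single host
            div = 2 ^ hostbits
            exit (int(to_int(ip) / div) == int(to_int(c[1]) / div)) ? 0 : 1
        }'
}

# Read flows from stdin and print every one whose endpoints are both guest
# clients in $1 (the gateway $2 is exempt). Returns 1 if any were found.
find_peer_traffic() {
    guest_net="$1"; gateway="$2"; found=0
    while read -r src dst proto dport; do
        [ -z "$src" ] && continue
        { [ "$src" = "$gateway" ] || [ "$dst" = "$gateway" ]; } && continue
        if ip_in_cidr "$src" "$guest_net" && ip_in_cidr "$dst" "$guest_net"; then
            printf 'peer traffic on guest net: %s -> %s %s/%s\n' \
                "$src" "$dst" "$proto" "$dport"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample flows (not real captures): 10.20.0.0/22 is the guest
# subnet, 10.20.0.1 its gateway, 198.51.100.7 an Internet host.
SAMPLE_FLOWS='10.20.1.15 10.20.1.40 tcp 445
10.20.1.15 10.20.0.1 udp 53
10.20.1.15 198.51.100.7 tcp 443
10.20.3.200 10.20.2.9 icmp 0
10.20.4.1 10.20.1.15 tcp 22'

# Stand-alone run over the constructed sample: two flows are flagged, the
# SMB and the ICMP one, because both endpoints are guest clients.
printf '%s\n' "$SAMPLE_FLOWS" | find_peer_traffic 10.20.0.0/22 10.20.0.1 || true
```

A clean run (no output, exit 0) on a capture taken while two guest clients were deliberately made to ping each other is the positive confirmation that blocking is in force for that SSID.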

Similar Messages

  • Using Airport Express on separate subnet to make isolated Guest Network?

    Hi. I've done a search here, I've tried setting this up at my house but haven't figured it out yet.
    Friends have Verizon FiOS service. They're using the provided modem as the ethernet router and it is handing out DHCP addresses, and for a number of reasons including their home theater, on demand use, etc., they want to keep the FiOS modem as the router, not an Apple product.
    We're using an Airport Extreme and a Time Capsule both in bridge mode to distribute the wireless network and everything works fine. They'd like to add an isolated, unencrypted Guest Network. I know we can't use the Extreme's Guest tab because we're in bridge mode.
    But we do have a new Airport Express. It seems like there would be a way to set up a Double NAT on a different subnet and give guest users access to the internet but not to computers, shared volumes, printers, and everything else on the primary, encrypted network.
    Is there a way to do this or will every address coming from the FiOS router be on the same subnet? Are there any other horrible consequences from doing this, i.e., the primary network will still operate fine?
    If the DHCP range coming from the FiOS router is 192.168.15.001 to 192.168.15.199, do I set the Airport Express IP address manually? To what?
    To eliminate the possibility of duplicate IP addresses would you have the Airport Express hand out a small range of IPs on a completely different network area, like 10.0.1.1?
    Any other suggestions? Thank you.

    I was trying to create a primary and guest network division after the router... such as an unusual configuration in the AEBSn after the FiOS router.
    At my home I have my cable modem connected to an AEBSn, which is doing my network's routing. But I didn't set a Guest Network on this AEBSn. I am trying to set up a discrete Guest Network downline from this router. (Which would simulate my friend's installation where they're using a FiOS modem/router all in one and we want to create a discrete Guest Network after that.)
    But as I guess you've been patiently trying to get through to me, Bob, whatever outlying separation you may be able to create seems to get put back together at the main router.
    For example, today I connected a second AEBSn ("AEBSn Guest") to the LAN port of my primary AEBSn router. I set the AEBSn Guest to create a wireless network, and I set that to be a closed encrypted network called "Test," and I enabled unencrypted Guest Networking as usual and told the AEBSn to ignore the Double NAT error.
    With this configuration I am able to get on the open Guest SSID, and internet connection is normal. Between the Guest and the primary encrypted network, printing is broken, iPhoto sharing is broken, and so on, but I still see shared volumes and can log in with authentication.
    So I can see why a solution to this may have been elusive.
    I don't know much about cable TV's subscription services but I took a peek at the set up pages of the Verizon FiOS router and noted there was a lot going on there. Lots of ethernet and cable IP addresses to Set Top Boxes, etc. Not sure if all this could be recreated within the administration of the Airport Extreme, but I am hesitant to risk messing up the Comcast services which are presently working well.
    In terms of zooming out to the big picture... when I invite guests to share my internet service, they're usually doing email and web browsing for the weekend but at the end of their stay they want to print their boarding passes... so despite setting up a guest network I might end up giving them access to the main network anyway.
    Thanks for the help, Bob.

  • Isolating guest VMs from each other (not just the host)

    Hello Everyone,
    I've been playing around with virtualization for a long time, but largely for testing and educational purposes.
    For the first time I'm thinking of actually running some production systems in virtual machines instead of on physical hardware, which raises some new concerns for me that weren't really relevant previously, namely, security.  In particular, I've been thinking about how to isolate the guest VM processes from each other.
    It's decades-old best practice to isolate different server services to different machines to help prevent, say, security problems with your web server also compromising your mysql server.  When you start virtualizing your infrastructure, you lose this benefit to a degree: if someone manages to compromise one of your VM servers and manages to exploit a vulnerability in your hypervisor to gain access to the host, it's no big leap to assume that they may be able to get access to your other virtual machines running on that host.
    It seems to me that if you want to improve your resilience to this kind of exploit, you want to increase the isolation of your VM processes from each other.  You could, say, run them as different users.  If you're careful about permissions, then you gain back some of the security of running your servers on separate physical hardware.  An attacker could still exploit a local privilege escalation bug, but it at least provides another line of defense.
    This sort of thing seems to be possible with qemu virtual machines, though it does require some work to get anything besides user mode networking working.
    On the other hand, this sort of thing seems to be largely impossible with libvirt.  It's possible to run qemu VMs as different users using 'qemu://session', but the documentation seems to suggest that this limits you to using the qemu user mode networking, which isn't practical for running publicly accessible servers.  Since, as far as I can tell, all of the virtualization management products around are based off of libvirt, this surprises me.  It seems to me that someone would have wanted to try and do something like this before, but nobody has (as far as I can tell).
    Indeed, there seems to be very little documentation out there about using qemu with tun/tap networking when running as a non-root user.  There is some documentation out there about using VDE (mostly via the deprecated vdeq wrapper), but a lot of qemu write-ups skip over it.  There's enough out there to suggest it's possible, it just doesn't seem to be written up anywhere (yet, maybe I'll write it up myself someday).
    So, this makes me wonder, 'why not?'.  Are there other things people are doing to isolate guest VMs from each other?
    What are people running production services in VMs doing?

    I suppose this is also something to think about, but I don't think I'd be that worried about it for my use-case.  The majority of systems I plan to run could run completely headless and the physical security for the host computers should be pretty good.  I'm more concerned about remote code exploits in one particular VM allowing an attacker to execute on the host or in other guest VMs.

  • Multiple Airports with private and isolated guest wireless networks available from both

    Hi,
    I've been searching online for some equipment that can do what I want to do without going into the enterprise grade and spending $5000 on Cisco gear.
    Consider two locations approx 80m apart - Primary is a house, and secondary location is a garage. A Cat6 run exists between the two.
    The goal would be to have a wireless primary router in the house for wired and private wireless internet access, with an additional Guest wireless that is isolated from the private network that I can turn on and off if guests are coming over.
    In addition, the second location should also support both wired and wireless connections.
    It seems simple to me, one device in each location. The WAN port on the garage device would connect back to the house device. The two devices should be smart enough to know that one is extending the other. Someone on the guest wireless that is connected via the garage AP would not be able to see the wired devices even though its traffic is going across the same wire back to the primary router.
    Can I do this without spending a fortune?
    Thanks

    Two Apple AirPorts would do most....but not all...of what you want.
    A few notes.....
    In order for the guest network feature to work correctly on an AirPort router, the "main" AirPort in the house must connect to a simple modem......not a modem/router or gateway device.  That is a deal killer for some users right there.
    When the guest network is activated in the garage, it must be activated for both AirPorts....house and garage.
    You could activate the guest network for the house and leave the guest network off in the garage if you wanted, no problem there.....but.....you could not activate the guest network in the garage without also activating it in the house first.
    "Guests" can only connect to the guest network using wireless. Up to you to decide if you want to leave the guest network open or use a password that would need to be used to connect to the network.
    But.....If "guests" had physical access to the AirPort in the garage....and they connected to one of the Ethernet ports on the AirPort in the garage, they would be connecting to your main or private network.
    So, if something like this was a concern, you would have to either hide the AirPort in the garage and trust that users would not find it....or....find some way to limit access to the back panel of the AirPort so that users could not connect to it using an Ethernet cable.
    If the features and installation limitations are acceptable, you could spend as little as $100 for each AirPort Express.
    If you wanted better performance from the AirPort in the house, you could use an AirPort Extreme there...about $200 and an AirPort Express in the garage.
    The deluxe option would be to use two AirPort Extremes.
    Finally, you would want to make sure that you understood the store's return policy before you buy.....in case something unexpected crops up, as can sometimes be the case.

  • Advice regarding house guest internet access through Airport Express

    I would like to set up trouble-free (on my part and my house guests) access to the internet. Any thoughts or suggestions? It seems to me that if folks may have reasonable access to cable/satellite TV and telephone, or what have you, it is also reasonable to make available to them the internet. What is the best way to go about doing this? I have an existing home wireless system using Airport Express (may also work in a Netgear WG614 wireless router). Mostly, I am concerned with the technical aspects but would also like to hear from anyone regarding the legal/social ramifications. Any such solutions must take into account both Windows and Mac environments. Thanks.
    17 in. iMac G5 ALS (1.8 GHz)   Mac OS X (10.4.5)   iMac G3 DV (400 MHz), Airport Express, 3rd gen iPod

    Meme,
    A nice touch, and one that made me choose one small hotel over another when I used to travel a lot.
    I can't give a complete solution, but I can give you bits of info, which others will also do.
    One thing that probably is a must, is to set Wireless Isolation. That is that although all the wireless clients can see the internet, they can't see each other. I'm not sure that the AE supports this, I honestly thought it did, but now I can't find it. The Netgear will support it.
    Wireless encryption will be a must too, you may even want to make it a "closed network", so that the network does not advertise its presence. Clients wishing to connect must specify ("key in") the network name and connect. That may be just a little too difficult for some business travellers. Back to wireless encryption, some may say to use some ultra-modern hi-tech secure encryption algorithm to be really safe, but these are enormously long passwords that your clients will have to key. Those with older computers may not support the latest encryption methods. Some may recommend WPA, I'd say WEP (more compatibility) and a simple (non-dictionary) password, like "@pple" or "@irPortXPr3ss" or any easy to communicate word(s) with a few letters replaced by vowels or (printable) symbols. It is up to you how often you change the password.

  • Airport Express Guest Network

    This could be an Apple Airport hardware issue but wanted to double check I haven't made a mistake in setup or if anyone else has experienced this fault. We have Sky Broadband Unlimited installed running through a Sky Hub with Apple Airport Running an additional Wireless network, primarily for the 'Guest Network' feature. When enabling the guest network, we are able to broadcast the signal however the device trying to connect is unable to complete connection. I'm half confident that it could be an issue relating to the Airport requiring two IP addresses. One for the standard 'full access' signal and the other for an 'Internet Only Access' Guest Network, however it is only given one IP via DHCP on Sky Hub. My immediate thought is to set the Airport to allocate IP Addresses as opposed to the Sky Hub. Any thoughts anyone?

    I was able to get the guest facility of the AirPort Extreme to work by double NATing, but it leads to all sorts of other issues with complex environments. If yours is a simple LAN/wifi environment then switch the Airport Express to route instead of bridging and leave the Sky Hub with the same default settings. But if you have ports forwarded or games consoles this isn't recommended. I noticed you put a like on my other post concerning switching on the wifi on the Sky router with wifi isolation enabled and using that for your guests; this is also a good solution to the issue.

  • Main network for backups, Guest for iTunes

    I have a 2T TC (4th gen) up and running with both a main network (192...) and a guest network (172...) connected to DSL modem for high-speed internet access.
    I want to dedicate the main network for use by family members - computers (4 Macs, 2 PCs), printers, etc. I wish to use the guest network for the kids and their friends to access the internet with their iPods/Pads/Phones, etc. So far so good.
    I currently have the kids controlling iTunes/AirPlay into my whole house audio system. I configured an old PC as a music server connecting wirelessly to the main (192) net of the TC. It runs iTunes and sends its Apple Lossless CD files to an AirPort Express (wireless OFF, hardwired to Ethernet backbone) which converts them to optical and sends them to an audio receiver for D/A conversion and amplification. The kids have the "Remote" app on their handhelds which allows them to either operate iTunes on the music server (with Dad's old crummy music) or to play their own iTunes music (term used loosely) via the same route (TC main net-> backbone -> AirPort -> receiver). OK, so far so good.
    The question is how do I put the music server, AirPort Express and kids' handhelds on the guest network so I don't have to give out access to my main network to "friends of friends of friends"? It seems the Guest Network is only available wirelessly from the TC (on second floor). If I need to add wireless capability where the TC can't provide it (walkout level pool and patio), how can I extend the guest network? I have an older Netgear Wireless Router that could be used. Also, I have ready access to the ethernet backbone. Any ideas? Any help would be greatly appreciated.

    This is a fairly complex setup so let me toss in a hint.. and you will need to see if you can pursue it. Your ethernet backbone, so called, can run multiple IP address ranges or subnets. It is not obvious but the setup will require you to set addresses manually in the computer.
    In OS X, just click the + in the network box and a dialogue box will pop up allowing you to set a secondary connection to either airport or ethernet. Select the one to use and then give the connection an obvious name.. eg secondaryeth1
    In Windows PC you can setup secondary IP, but the first connection needs to be manually set as well. ie you cannot do dhcp and then add a secondary IP.
    Then select that connection and give it a new IP in the secondary network using manual IP.. only give ip and subnet.. do not use a gateway (router) or dns address.. that will confuse the main gateway of the computer. You can then lose internet connection, and is not required for local LAN connection.
    .. end of hint.
    Pure speculation.. you might be able to setup a secondary IP on the airport and connect to the guest network. But you will need to be careful that the server pc doesn't simply become a bridge between the two networks.
    Or the connection to secondary IP via ethernet might allow it connect to the wireless connection on the TC if it isn't isolated.
    The other method is to use your "I have an older Netgear Wireless Router that could be used."
    The trick here would be to use this as a WAP connected directly to the music server, via ethernet, on a secondary IP address. Don't use the guest network on the TC at all.
    Whether this would then work to control music to the airport express.. that is where I get lost. And your setup is outside of my experience..

  • Qemu-kvm guest virtio networking halts

    Hi,
    I recently switched from Debian to Archlinux, but seem to have stumbled on a bug that has made the transition a bit painful since I rely on virtualization.
    Overview:
    qemu-kvm guest's network interface dies after "some" traffic over nfs via virtio interface.
    Using e1000 instead of virtio network seems to solve the problem so far... but at a cost of performance.
    Any suggestions on how to resolve the issue or how to work around the problem without sacrificing performance?
    How to reproduce:
    Configure the guest to use virtio as network driver and attach the interface to a bridge that the host has a configured interface on.
    Export a share with a large amount of data over nfs from the host and read that data over nfs from the guest.
    ( what is funny/strange is that i could not get nuttcp to force the problem... )
    Detail:
    My guest are connected via tap interfaces to a bridge on my host and they are using virtio.
    After retrieving "some" network traffic from the host over nfs the guest's interface stops receiving traffic and logs "page allocation failure. order:0, mode:0x20" ( Log included below )
    - tshark on guest verifies guest sending arp requests but not receiving arp reply
    - tshark on host show that the host is both receiving arp request and sending arp reply
    Guests are running with the following parameters:
    %sudo /usr/bin/qemu-system-x86_64 -M pc-0.11 -enable-kvm -m 512 -smp 1 -name myguest -boot c -drive file=/mnt/myguest.img,if=virtio,index=0,boot=on -net nic,vlan=0,model=virtio,name=virtio.0 -net tap,vlan=0,name=tap.0,ifname=tap0 -serial pty -parallel none -usb -vnc 0.0.0.0:10 -k sv -vga std
    host is currently running:
    qemu-kvm 0.11.0-1
    testing/kernel26 2.6.32-1
    testing/kernel26-firmware 2.6.32-1
    guest is currently running
    testing/kernel26 2.6.32-1
    testing/kernel26-firmware 2.6.32-1
    kernel from testing on both host/guest was an attempt to work around a potential issue in 2.6.30 but the fault is present with both kernels.
    I don't believe that the problem lies in the archlinux guest since a Debian(Lenny) guest experiences the same problem.
    The same guest on the same hardware running on Debian(Lenny) as a host works fine.
    from /var/log/messages
    2009-12-14T00:10:58.160723+01:00 myguest kernel: tar: page allocation failure. order:0, mode:0x20
    2009-12-14T00:10:58.160809+01:00 myguest kernel: Pid: 31303, comm: tar Not tainted 2.6.32-ARCH #7
    2009-12-14T00:10:58.160821+01:00 myguest kernel: Call Trace:
    2009-12-14T00:10:58.160859+01:00 myguest kernel: <IRQ> [<ffffffff810d5778>] ? __alloc_pages_nodemask+0x6b8/0x700
    2009-12-14T00:10:58.160864+01:00 myguest kernel: [<ffffffffa019cb4b>] ? try_fill_recv+0x8b/0x1c0 [virtio_net]
    2009-12-14T00:10:58.160869+01:00 myguest kernel: [<ffffffffa019d57d>] ? virtnet_poll+0x3ad/0x6e0 [virtio_net]
    2009-12-14T00:10:58.160872+01:00 myguest kernel: [<ffffffff8129146a>] ? net_rx_action+0x15a/0x2a0
    2009-12-14T00:10:58.160876+01:00 myguest kernel: [<ffffffffa019c2b5>] ? skb_recv_done+0x25/0x40 [virtio_net]
    2009-12-14T00:10:58.160884+01:00 myguest kernel: [<ffffffff8105d177>] ? __do_softirq+0xd7/0x240
    2009-12-14T00:10:58.160887+01:00 myguest kernel: [<ffffffff810131dc>] ? call_softirq+0x1c/0x30
    2009-12-14T00:10:58.160891+01:00 myguest kernel: <EOI> [<ffffffff81015315>] ? do_softirq+0x65/0xa0
    2009-12-14T00:10:58.160894+01:00 myguest kernel: [<ffffffff8105d07e>] ? local_bh_enable+0xae/0xb0
    2009-12-14T00:10:58.160901+01:00 myguest kernel: [<ffffffff81291f44>] ? dev_queue_xmit+0x144/0x4e0
    2009-12-14T00:10:58.160905+01:00 myguest kernel: [<ffffffff812c1b36>] ? ip_queue_xmit+0x196/0x440
    2009-12-14T00:10:58.160908+01:00 myguest kernel: [<ffffffff812a82de>] ? sch_direct_xmit+0x6e/0x1e0
    2009-12-14T00:10:58.160912+01:00 myguest kernel: [<ffffffff812d61c8>] ? tcp_transmit_skb+0x3a8/0x750
    2009-12-14T00:10:58.160915+01:00 myguest kernel: [<ffffffff812d875c>] ? tcp_write_xmit+0x1ec/0xa10
    2009-12-14T00:10:58.160923+01:00 myguest kernel: [<ffffffff812890bf>] ? __alloc_skb+0x6f/0x180
    2009-12-14T00:10:58.160926+01:00 myguest kernel: [<ffffffff812d8fe3>] ? __tcp_push_pending_frames+0x23/0x90
    2009-12-14T00:10:58.160930+01:00 myguest kernel: [<ffffffff812cb9e9>] ? tcp_sendmsg+0x8b9/0xbb0
    2009-12-14T00:10:58.160933+01:00 myguest kernel: [<ffffffff8127f95e>] ? sock_sendmsg+0x12e/0x150
    2009-12-14T00:10:58.160940+01:00 myguest kernel: [<ffffffff81074040>] ? autoremove_wake_function+0x0/0x30
    2009-12-14T00:10:58.160944+01:00 myguest kernel: [<ffffffff8127fd79>] ? kernel_sendmsg+0x39/0x50
    2009-12-14T00:10:58.160947+01:00 myguest kernel: [<ffffffffa0291292>] ? xs_send_kvec+0x82/0x90 [sunrpc]
    2009-12-14T00:10:58.160951+01:00 myguest kernel: [<ffffffffa02912f4>] ? xs_sendpages+0x54/0x200 [sunrpc]
    2009-12-14T00:10:58.160955+01:00 myguest kernel: [<ffffffffa02915d8>] ? xs_tcp_send_request+0x58/0x190 [sunrpc]
    2009-12-14T00:10:58.160962+01:00 myguest kernel: [<ffffffffa028ee3c>] ? xprt_transmit+0x7c/0x300 [sunrpc]
    2009-12-14T00:10:58.160966+01:00 myguest kernel: [<ffffffffa028bf3f>] ? call_transmit+0x18f/0x2b0 [sunrpc]
    2009-12-14T00:10:58.160969+01:00 myguest kernel: [<ffffffffa029437a>] ? __rpc_execute+0xaa/0x2b0 [sunrpc]
    2009-12-14T00:10:58.160973+01:00 myguest kernel: [<ffffffffa028cae1>] ? rpc_run_task+0x31/0x80 [sunrpc]
    2009-12-14T00:10:58.160980+01:00 myguest kernel: [<ffffffffa0323d1e>] ? nfs_read_rpcsetup+0x17e/0x1e0 [nfs]
    2009-12-14T00:10:58.160984+01:00 myguest kernel: [<ffffffffa03238b0>] ? readpage_async_filler+0x0/0x190 [nfs]
    2009-12-14T00:10:58.160988+01:00 myguest kernel: [<ffffffffa03238b0>] ? readpage_async_filler+0x0/0x190 [nfs]
    2009-12-14T00:10:58.160991+01:00 myguest kernel: [<ffffffffa032158a>] ? nfs_pageio_doio+0x2a/0x70 [nfs]
    2009-12-14T00:10:58.160995+01:00 myguest kernel: [<ffffffffa032161b>] ? nfs_pageio_add_request+0x4b/0xf0 [nfs]
    2009-12-14T00:10:58.161003+01:00 myguest kernel: [<ffffffffa03239aa>] ? readpage_async_filler+0xfa/0x190 [nfs]
    2009-12-14T00:10:58.161007+01:00 myguest kernel: [<ffffffffa03238b0>] ? readpage_async_filler+0x0/0x190 [nfs]
    2009-12-14T00:10:58.161010+01:00 myguest kernel: [<ffffffff810d7dc1>] ? read_cache_pages+0xa1/0x100
    2009-12-14T00:10:58.161014+01:00 myguest kernel: [<ffffffffa03234bd>] ? nfs_readpages+0x19d/0x2b0 [nfs]
    2009-12-14T00:10:58.161021+01:00 myguest kernel: [<ffffffffa0324230>] ? nfs_pagein_one+0x0/0xe0 [nfs]
    2009-12-14T00:10:58.161024+01:00 myguest kernel: [<ffffffff810d7709>] ? __do_page_cache_readahead+0x1c9/0x280
    2009-12-14T00:10:58.161028+01:00 myguest kernel: [<ffffffff810d77dc>] ? ra_submit+0x1c/0x30
    2009-12-14T00:10:58.161031+01:00 myguest kernel: [<ffffffff810d0629>] ? generic_file_aio_read+0x339/0x600
    2009-12-14T00:10:58.161035+01:00 myguest kernel: [<ffffffff8110edb2>] ? do_sync_read+0xe2/0x120
    2009-12-14T00:10:58.161042+01:00 myguest kernel: [<ffffffff81074040>] ? autoremove_wake_function+0x0/0x30
    2009-12-14T00:10:58.161045+01:00 myguest kernel: [<ffffffff81331212>] ? preempt_schedule_irq+0x42/0x70
    2009-12-14T00:10:58.161049+01:00 myguest kernel: [<ffffffff8104ad02>] ? finish_task_switch+0x42/0xc0
    2009-12-14T00:10:58.161052+01:00 myguest kernel: [<ffffffff8110fb65>] ? vfs_read+0xb5/0x1a0
    2009-12-14T00:10:58.161059+01:00 myguest kernel: [<ffffffff8110fd3e>] ? sys_read+0x4e/0x90
    2009-12-14T00:10:58.161063+01:00 myguest kernel: [<ffffffff81012e8b>] ? device_not_available+0x1b/0x20
    2009-12-14T00:10:58.161066+01:00 myguest kernel: [<ffffffff81012042>] ? system_call_fastpath+0x16/0x1b
    2009-12-14T00:10:58.161068+01:00 myguest kernel: Mem-Info:
    2009-12-14T00:10:58.161071+01:00 myguest kernel: DMA per-cpu:
    2009-12-14T00:10:58.161077+01:00 myguest kernel: CPU 0: hi: 0, btch: 1 usd: 0
    2009-12-14T00:10:58.161080+01:00 myguest kernel: DMA32 per-cpu:
    2009-12-14T00:10:58.161083+01:00 myguest kernel: CPU 0: hi: 186, btch: 31 usd: 137
    2009-12-14T00:10:58.161086+01:00 myguest kernel: active_anon:887 inactive_anon:896 isolated_anon:0
    2009-12-14T00:10:58.161089+01:00 myguest kernel: active_file:4740 inactive_file:112288 isolated_file:0
    2009-12-14T00:10:58.161092+01:00 myguest kernel: unevictable:0 dirty:8 writeback:0 unstable:0
    2009-12-14T00:10:58.161099+01:00 myguest kernel: free:728 slab_reclaimable:1589 slab_unreclaimable:1798
    2009-12-14T00:10:58.161102+01:00 myguest kernel: mapped:1605 shmem:17 pagetables:332 bounce:0
    2009-12-14T00:10:58.161111+01:00 myguest kernel: DMA free:1988kB min:84kB low:104kB high:124kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:13860kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:15352kB mlocked:0kB dirty:0kB writeback:0kB mapped:0kB shmem:0kB slab_reclaimable:16kB slab_unreclaimable:56kB kernel_stack:0kB pagetables:0kB unstable:0kB bounce:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
    2009-12-14T00:10:58.161119+01:00 myguest kernel: lowmem_reserve[]: 0 489 489 489
    2009-12-14T00:10:58.161162+01:00 myguest kernel: DMA32 free:924kB min:2784kB low:3480kB high:4176kB active_anon:3548kB inactive_anon:3584kB active_file:18960kB inactive_file:435292kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:500896kB mlocked:0kB dirty:32kB writeback:0kB mapped:6420kB shmem:68kB slab_reclaimable:6340kB slab_unreclaimable:7136kB kernel_stack:1104kB pagetables:1328kB unstable:0kB bounce:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
    2009-12-14T00:10:58.161167+01:00 myguest kernel: lowmem_reserve[]: 0 0 0 0
    2009-12-14T00:10:58.161171+01:00 myguest kernel: DMA: 1*4kB 0*8kB 0*16kB 2*32kB 2*64kB 2*128kB 2*256kB 0*512kB 1*1024kB 0*2048kB 0*4096kB = 1988kB
    2009-12-14T00:10:58.161179+01:00 myguest kernel: DMA32: 93*4kB 1*8kB 2*16kB 0*32kB 2*64kB 3*128kB 0*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB = 924kB
    2009-12-14T00:10:58.161182+01:00 myguest kernel: 117053 total pagecache pages
    2009-12-14T00:10:58.161184+01:00 myguest kernel: 0 pages in swap cache
    2009-12-14T00:10:58.161187+01:00 myguest kernel: Swap cache stats: add 0, delete 0, find 0/0
    2009-12-14T00:10:58.161194+01:00 myguest kernel: Free swap = 0kB
    2009-12-14T00:10:58.161196+01:00 myguest kernel: Total swap = 0kB
    2009-12-14T00:10:58.161199+01:00 myguest kernel: 131056 pages RAM
    2009-12-14T00:10:58.161201+01:00 myguest kernel: 4443 pages reserved
    2009-12-14T00:10:58.161204+01:00 myguest kernel: 8899 pages shared
    2009-12-14T00:10:58.161210+01:00 myguest kernel: 120326 pages non-shared
    Last edited by nlights (2009-12-17 22:10:20)

    Mr.Elendig wrote: Bridging is the best way to do it, so you should give us some more info on your attempt at it, so that we can help you fix it.
    Ok, I've followed the instructions from the wiki.
    One problem is that I'm on a laptop. eth0 is wireless and eth1 is wired. I chose to use eth1 since I thought it'd be easier to get working on one device before trying to make it work on both.
    1. bridge and tun modules are loaded from rc.conf
    2. In /etc/conf.d/bridges I have this:
    bridge_br0="eth1"
    BRIDGE_INTERFACES=(br0)
    3. In /etc/rc.conf I changed my networking portion to this:
    eth1="eth1 up"
    br0="dhcp"
    INTERFACES=(eth1 br0)
    4. In /etc/udev/rules.d/65-kvm.rules I have this:
    KERNEL=="tun", NAME="net/%k", GROUP="kvm", MODE="0660"
    5. My user is part of the kvm group, although I have also tried running qemu-kvm as root.
    6. In /etc/qemu-ifup I put:
    #!/bin/sh
    echo "Executing /etc/qemu-ifup"
    echo "Bringing up $1 for bridged mode..."
    sudo /sbin/ifconfig $1 0.0.0.0 promisc up
    echo "Adding $1 to br0..."
    sudo /usr/sbin/brctl addif br0 $1
    sleep 2
    7. Using visudo I added this to the bottom:
    Cmnd_Alias QEMU=/sbin/ifconfig,/sbin/modprobe,/usr/sbin/brctl,/usr/bin/tunctl
    %kvm ALL=NOPASSWD: QEMU
    8. I launch qemu-kvm with the following script:
    USERID=`whoami`
    IFACE=`sudo tunctl -b -u $USERID`
    qemu-kvm -net nic -net tap,ifname="$IFACE" -vga std -m 1024 -k en-us -usbdevice tablet -localtime /dev/sda
    sudo tunctl -d $IFACE &> /dev/null
    My system starts with br0 getting the dhcp IP on boot, so that part is working.
    When I run the qemu-kvm start script I get this error (running as user or root):
    /etc/qemu-ifup: could not launch network script
    Could not initialize device 'tap'
    /etc/qemu-ifup is executable
    Last edited by shakin (2009-06-05 19:13:14)
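The non-root tun/tap setup that both the earlier "Isolating guest VMs" post and this bridging walkthrough circle around, as an added example (not code from either poster): instead of letting qemu call /etc/qemu-ifup through sudo, root creates one tap device per VM with iproute2, owned by that VM's own unprivileged user and attached to the bridge, and qemu is then started as that user with script=no so no privileged helper runs at all; an audit function checks that running qemu processes each have their own non-root user. Assumes iproute2 (ip tuntap, ip link), an existing bridge br0, and constructed VM and user names; DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread. One tap device per VM, owned by that
# VM's own unprivileged user and enslaved to an existing bridge, created once
# by root. qemu then runs as that user with
#   -net tap,ifname=<tap>,script=no,downscript=no
# and never needs sudo, a setuid helper or /etc/qemu-ifup.
# Assumes iproute2 (`ip tuntap`, `ip link`) and that the bridge already exists.
# DRY_RUN=1 (default) prints the commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Interface names: at most 15 bytes (IFNAMSIZ - 1), no whitespace or slashes.
valid_ifname() {
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

# Conservative user-name check: lower-case, digits, _ and -, no leading digit.
valid_user() {
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Derive a tap name from the VM name, e.g. "web" -> "tap-web", truncated to fit.
tap_name_for() {
    printf 'tap-%s' "$(printf '%s' "$1" | tr -c 'A-Za-z0-9_' '_')" | cut -c1-15
}

# Create the tap for VM $1, owned by user $2, attached to bridge $3.
# Returns 1 without running anything if a name fails validation.
setup_vm_tap() {
    vm="$1"; user="$2"; bridge="$3"
    tap="$(tap_name_for "$vm")"
    valid_ifname "$tap" && valid_ifname "$bridge" && valid_user "$user" || return 1
    run ip tuntap add dev "$tap" mode tap user "$user"
    run ip link set dev "$tap" master "$bridge"
    run ip link set dev "$tap" up
}

# Audit: every qemu process should run as its own non-root user. Reads
# `ps -eo user=,args=` output from stdin, prints findings, returns 1 if any.
audit_qemu_users() {
    awk '
        $2 ~ /qemu-(system|kvm)/ {
            if ($1 == "root") { print "FINDING: qemu as root: " $0; bad = 1 }
            if (seen[$1]++)   { print "FINDING: user " $1 " runs several VMs: " $0; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# Stand-alone demonstration over constructed data (dry-run, so no root needed):
# prints the three ip commands for each VM, then audits a clean process list.
setup_vm_tap web vm-web br0
setup_vm_tap db vm-db br0
printf '%s\n' 'vm-web /usr/bin/qemu-system-x86_64 -name web' \
              'vm-db  /usr/bin/qemu-kvm -name db' | audit_qemu_users
```

With the tap pre-created this way, the launch script in step 8 no longer needs tunctl or sudo: `qemu-kvm -net nic -net tap,ifname=tap-web,script=no,downscript=no ...` run as vm-web is enough, and the sudoers entry from step 7 can be dropped.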

  • Guest Account Bug Resets User Accounts and Deletes Files on Snow Leopard

    Hi Everyone
    Well basically, I hadn't used my Guest Account since upgrading to snow leopard, and I accidentally clicked it instead of my user account this morning, to find that when I logged into my normal account ALL my files, settings, mail etc had been reset.
    So I'm posting this to let people know, (and hopefully Apple if they don't know about this) what's happening.
    Here's the post I sent to Apple Feedback:
    Hi,
    Well basically, I upgraded to snow leopard recently, everything was working fine, I've upgraded to 10.6.1 and have all the latest software updates etc, so anyway this morning I turned my computer on and accidentally clicked on the Guest Account on the login screen instead of my normal one, so it started trying to load the guest account (which I hadn't loaded since before the upgrade).
    So I wait about two minutes, and nothing at all happens apart from it loading on the logon page, so I pressed Enter to return me to the login window.
    So once I was returned I logged on as my normal user, to find my Desktop reset, my Dock reset, my Documents, Music and Photos reset and all my software reset.
    So I restarted my computer and logged on again, it was exactly the same, everything gone. At which point I looked in the Users folder to find that my User profile had been removed and replaced with a fresh one with the same name. So I then spent half an hour restoring everything from my Time Machine backup.
    I hope Apple are aware of this issue and would greatly appreciate to hear back on the status of what's happening about it, as it doesn't seem to be an isolated issue it's been happening to other people over the last month.
    Here's a few posts from other people who've had this problem, and an article on the CNET site MacFixIt about the bug:
    http://discussions.apple.com/message.jspa?messageID=10123656#10123656
    http://discussions.apple.com/thread.jspa?threadID=2157518&start=15&tstart=0
    http://discussions.apple.com/thread.jspa?threadID=2171494&tstart=0
    http://discussions.apple.com/thread.jspa?threadID=2142272&start=30&tstart=0
    Reports on the Internet:
    http://9to5mac.com/snowleopards_eatusers
    http://reviews.cnet.com/8301-13727_7-10346974-263.htmll?tag=mncol;txt
    To clarify, I have an iMac (aluminium 20" one), with a 2.4GHz processor and 3GB of RAM, please update me on anything that's going on with this issue as I don't want it to continue happening to others who might not have backups,
    Thanks,
    Daniel.
    So if anybody else experiences this issue you're not alone; there's a couple of other posts from people who've had problems above in the middle of my feedback letter. Unfortunately in my case it deleted my Home folder and replaced it with a new one, so if this happens to you then your only option is to restore from a backup. You can attempt to use file recovery software if you don't have one, but I haven't tried this and don't know how well it would work.
    Hope I've helped clarify things for anybody who this has happened to,
    Daniel.
    Message was edited by: dbferrari

    Maybe it will be useful, but in the last few days I tried to log in as *Guest* (because I didn't want to log out as my user). In *System Preferences* I allowed guest login, then I fast-switched to the *Guest Account*, made some changes in the profile like mouse movement and so on, then I correctly logged out and logged in once more to my account. Now I am afraid of rebooting the MacBook (I always hibernate the system with changed default settings which store memory onto the HDD) until the fix is released. Probably the data was not removed because I was logged in as me and */Users/$USER* was still in use. Now I am wondering if I can safely reboot the MacBook without losing my data..
    For backup, do I need to use some command for backing up home to a Windows machine through *SMB*? Because Unix-like systems have links and so on.. (in *AIX OS* I have to use the "*rsync*" command, which copies the whole data exactly as it is stored on the filesystem - if there is a link it will copy only that link, not the file which is linked...)

  • Client isolation and the Bonjour gateway on WLC 7.4.1

    Hi,
    I am considering upgrading our 5508 WLCs to version 7.4.1 to take advantage of the Bonjour gateway. What I want to do is allow clients on our guest wireless network to access things like the Apple TV in our conference rooms. My intention would be to have the Apple TVs on a separate vlan. Obviously, the Bonjour gateway would allow for access between these 2 networks. The question I have is this. If I have client isolation turned on my guest wireless network, is it still possible for these devices to access Apple TVs on another network?
    Any and all information is appreciated!
    Thanks!

    If the Apple TV is on the wireless LAN, that won't work.
    here is the reference:
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_tech_note09186a0080bb1d7c.shtml
    please make sure to rate correct answers

  • VLAN Configuration for Internal and Guest Wireless

    Hello,
    We are using the following hardware…
    SG300-52MP switch -- latest firmware
    ASA 5512-X firewall -- 9.1
    Aironet AP1131AG WAP
    We have the following networks…
    10.252.4.0/24 = Internal = ASA-01 interface = VLAN1
    10.252.6.0/24 = Guest = ASA-02 interface = VLAN6
    10.252.6.0/24 = VOIP = ASA-03 interface = VLAN3
    The Aironet supports two SSIDs, Secure (RADIUS) and Guest (WPA2), which are supposed to provide access to the appropriate interface on the ASA.
    Relevant parts of the WAP configuration are…
    dot11 ssid GUEST
     vlan 6
    dot11 ssid SECURE
     vlan 1
    interface Dot11Radio0
     no ip address
     ssid GUEST
     ssid SECURE
    interface Dot11Radio0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
    interface Dot11Radio0.6
     encapsulation dot1Q 6
     no ip route-cache
     bridge-group 255
    interface Dot11Radio1
     no ip address
     no ip route-cache
     ssid GUEST
     ssid SECURE
    interface Dot11Radio1.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
    interface Dot11Radio1.6
     encapsulation dot1Q 6
     no ip route-cache
     bridge-group 255
    interface FastEthernet0
     no ip address
     no ip route-cache
    interface FastEthernet0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
    interface FastEthernet0.6
     encapsulation dot1Q 6
     no ip route-cache
     bridge-group 255
    interface BVI1
     ip address 10.252.4.4 255.255.255.0
     no ip route-cache
    ip default-gateway 10.252.4.1
    We can manage the WAP through its Internal IP address (10.252.4.4).
    And the “Guest” wireless network is working -- connecting to that SSID provides the client with the correct IP addressing (10.242.6.X from VLAN6/ASA-02).  [Note:  the VOIP DHCP and network access also works correctly.]
    The “Secure” wireless network is not working however -- the client never receives an Internal DHCP address from ASA-01, and even if you hard-code the client’s IP, no IP4 traffic ever passes.
    [Note:  connecting a device to a SG300 port with the “Default” configuration provides the client with an Internal DHCP configuration, and it works as intended.] 
    While this may be a problem with the WAP configuration, I would like to confirm that it is not an issue with the switch not passing traffic correctly.
    I have a feeling that I have configured the VLANs on the ports incorrectly.
    Relevant parts of the SG300 configuration are...
    v1.3.0.62 / R750_NIK_1_3_647_260
    vlan database
     vlan 3,6
    ip dhcp snooping
    ip dhcp relay address 10.252.4.1
    ip dhcp relay enable
    bonjour interface range vlan 1
    interface vlan 1
     ip address 10.252.4.2 255.255.255.0
     no ip address dhcp
    interface vlan 3
     name VOIP
    interface vlan 6
     name Guest
    interface gigabitethernet45    -- Access mode, Untagged VLAN6
     description ASA-Guest
     ip dhcp snooping trust
     switchport mode access
     switchport access vlan 6
    interface gigabitethernet46    -- Access mode, Untagged VLAN3
     description ASA-VOIP
     ip dhcp snooping trust
     switchport mode access
     switchport access vlan 3
    interface gigabitethernet47    -- Trunk mode, Untagged VLAN1 and Tagged VLAN6
     description WAP1
     switchport trunk allowed vlan add 6
    interface gigabitethernet48    -- Trunk mode
     description ASA-Internal
     ip dhcp snooping trust
     ip dhcp relay enable
    Can someone who understands this switch better than I do please confirm the VLAN configuration?  THANK YOU!
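    Before reworking the switch, the AP side of this can be checked mechanically. The script below is an added example, not something from the thread or from Cisco. It parses the posted Aironet configuration (re-indented the way IOS prints it, trimmed to one radio and to the SSID, encapsulation and bridge-group lines) and confirms three things a dot1Q trunk to an autonomous AP needs: each SSID's VLAN has a subinterface on the radio and on FastEthernet0 in the same bridge group; each trunk has exactly one native VLAN and it sits in bridge-group 1, as Aironet IOS requires; and FastEthernet0's untagged/tagged VLANs match what the poster wrote for gigabitethernet47. SWITCH_PORT and the two broken variants are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Aironet config posted above, re-indented IOS-style and trimmed to one radio and
# to the SSID/encapsulation/bridge-group lines (Dot11Radio1 is configured identically).
AP_CONFIG = """\
dot11 ssid GUEST
 vlan 6
dot11 ssid SECURE
 vlan 1
interface Dot11Radio0
 ssid GUEST
 ssid SECURE
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.6
 encapsulation dot1Q 6
 bridge-group 255
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface FastEthernet0.6
 encapsulation dot1Q 6
 bridge-group 255
"""
# Switch side of the uplink, from the poster's note on gigabitethernet47
# ("Untagged VLAN1 and Tagged VLAN6"); assumed to reflect the running config.
SWITCH_PORT = {"native": 1, "tagged": {6}}


def parse_ap_config(text):
    """IOS-style parse (unindented line opens a block, indented lines are its
    sub-commands). Returns ssid_vlan, radio_ssids and
    subifs[base_iface][vlan] = {"native": bool, "bridge_group": int or None}."""
    ssid_vlan, radio_ssids, subifs = {}, defaultdict(set), defaultdict(dict)
    header, cur = ["!"], None
    for raw in filter(str.strip, text.splitlines()):
        cmd = raw.split()
        if not raw[0].isspace():
            header, cur = cmd, None
        elif header[:2] == ["dot11", "ssid"] and cmd[0] == "vlan":
            ssid_vlan[header[2]] = int(cmd[1])
        elif header[0] == "interface" and "." in header[1]:
            base = header[1].rsplit(".", 1)[0]
            if cmd[0] == "encapsulation":  # encapsulation dot1Q <vlan> [native]
                cur = subifs[base].setdefault(int(cmd[2]), {"native": "native" in cmd, "bridge_group": None})
            elif cmd[0] == "bridge-group" and cur is not None:
                cur["bridge_group"] = int(cmd[1])
        elif header[0] == "interface" and header[1].startswith("Dot11Radio") and cmd[0] == "ssid":
            radio_ssids[header[1]].add(cmd[1])
    return ssid_vlan, dict(radio_ssids), dict(subifs)


def check_ap(text, wired="FastEthernet0", switch_port=SWITCH_PORT):
    """Return findings; [] means the AP's VLAN plumbing is self-consistent and
    agrees with the switch port it is cabled to."""
    ssid_vlan, radio_ssids, subifs = parse_ap_config(text)
    out = []
    # 1. each SSID's VLAN needs a subinterface on that radio and on the wire, in
    #    the same bridge group, or frames never cross from air to copper
    for radio, ssids in sorted(radio_ssids.items()):
        for ssid in sorted(ssids):
            vlan = ssid_vlan.get(ssid)
            if vlan is None:
                out.append(f"SSID {ssid} on {radio} has no vlan statement")
                continue
            ents = {i: subifs.get(i, {}).get(vlan) for i in (radio, wired)}
            out += [f"VLAN {vlan} (SSID {ssid}) has no subinterface on {i}" for i, e in ents.items() if e is None]
            if len({e["bridge_group"] for e in ents.values() if e}) > 1:
                out.append(f"VLAN {vlan} (SSID {ssid}) is in different bridge groups on {radio} and {wired}")
    # 2. exactly one native VLAN per trunk, and on an autonomous Aironet the
    #    native VLAN must sit in bridge-group 1 (the BVI1 management bridge)
    natives = {}
    for iface in sorted(radio_ssids) + [wired]:
        nat = [v for v, e in subifs.get(iface, {}).items() if e["native"]]
        if len(nat) != 1:
            out.append(f"{iface} has {len(nat)} native VLANs, expected exactly 1")
        elif subifs[iface][nat[0]]["bridge_group"] != 1:
            out.append(f"{iface}: native VLAN {nat[0]} is not in bridge-group 1")
        else:
            natives[iface] = nat[0]
    # 3. the wired trunk must match the switch port: same untagged VLAN, same
    #    tagged set; a mismatch silently drops or mis-VLANs traffic
    tagged = {v for v, e in subifs.get(wired, {}).items() if not e["native"]}
    if wired in natives and natives[wired] != switch_port["native"]:
        out.append(f"{wired} native VLAN {natives[wired]} != switch untagged VLAN {switch_port['native']}")
    if tagged != set(switch_port["tagged"]):
        out.append(f"{wired} tagged VLANs {sorted(tagged)} != switch tagged VLANs {sorted(switch_port['tagged'])}")
    return out


def broken_variants():
    # a) constructed: switch untagged VLAN flipped to 6, so the AP's untagged SECURE/management frames land in Guest
    swapped = check_ap(AP_CONFIG, switch_port={"native": 6, "tagged": {1}})
    # b) constructed: FastEthernet0.6 deleted, so Guest clients associate but VLAN 6 never reaches the wire
    no_wire = check_ap(re.sub(r"interface FastEthernet0\.6\n(?: .*\n)+", "", AP_CONFIG))
    return swapped, no_wire


if __name__ == "__main__":
    print(check_ap(AP_CONFIG) or "posted AP config: consistent with the switch port", *broken_variants(), sep="\n")
```

    Run on the posted config the checker returns nothing, so the SSID-to-VLAN plumbing on the AP is internally consistent and matches the trunk as annotated; whatever is stopping SECURE clients lives in something the checker does not see (the switch's actual VLAN membership on gigabitethernet47, the ASA-01 side, or the RADIUS exchange). The two constructed variants show it catching a native-VLAN mismatch with the switch and a VLAN that is bridged on the radio but never reaches the wire, the kind of fault that lets a guest SSID silently land in, or lose, the wrong VLAN.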

    Welcome to the discussion area!
    "PCI regulations do not consider VLAN a secure way of keeping the data isolated. Does anyone have any technical information on how the device creates the guest wireless network?"
    I spoke to Apple Support some time ago and was told that Apple uses VLAN to create the Guest network, and also that formal documentation was not available on this topic. I was referred to the AirPort Extreme Specifications for available information.
    This was some time ago, so if you need more up to date info, you might want to try to contact Apple to see if they are willing to share more information about this feature. Although, since VLAN is used, your question may already be answered.
    FWIW, to use the Guest Network feature in a home situation, the AirPort Extreme must be set up as the main router controlling DHCP and NAT on the network. If you were thinking of installing the AirPort Extreme behind another router, the Guest Network feature would not be available in this type of configuration.

  • The end of guest networks in Germany using Telekom Speedport W921?

    Just a note worth thinking about.
    I am amazed at how little attention is given to the above subject and the lack of clear answers in this forum and elsewhere. It seems the new generation of VDSL Speedports no longer supports Time Capsule/AirPort to implement guest networks, if the user is not ready to give up on IP-based telephony or land line telephony for that matter. The current system of analog and ISDN telephony will be phased out by Telekom in the mid term, which means that no telephony with current land line numbers will be possible if the Speedport is relegated to a pure modem, which for now worked fine when configuring the TC as the router with guest network capability. Using the proposed fast internet via the Speedport W 921V only allows the TC to be used in bridge mode, which excludes the implementation of an isolated guest network.
    Flatly put, you can either use the high speed internet with all features except guest network by AirPort and TC, or you have to abstain from land line telephony using your known Telekom numbers. This hypothesis is for German users only.
    Any workable solutions to this problem would be highly appreciated. And maybe Apple should address this problem in the architecture of AirPorts and TCs as well.

    Any workable solutions to this problem would be highly appreciated. And maybe Apple should address this problem in the architecture of AirPorts and TCs as well.
    The restriction is purely Apple's.
    I have an Asus RT-AC66U and it has no problem creating up to 6 different networks apart from the main network. It makes no difference what mode it is running in. Each of those networks can have their own individual settings, including isolation or not. This is using almost the same hardware as the latest AC version AirPort. So the answer is obvious.. relegate your Apple router to its best function.. an AP.. and buy a router.. a real one.

  • No password on guest network = unsecured network overall?

    Hi
    Just wondering if leaving the "guest network" password free creates an unsecured network overall? I just purchased an Airport Extreme to replace a D-link router [that would no longer stream airtunes (to my airport express) since I upgraded to snow leopard. (A common problem it seems)] Airtunes works great but to maintain a connection for the Nintendo DS's in the household I have to leave the guest network without a password. Is this a security issue?
    Thanks
    Evelyn

    Evelyn Bednarz wrote:
    Just wondering if leaving the "guest network" password free creates an unsecured network overall? I just purchased an Airport Extreme to replace a D-link router [that would no longer stream airtunes (to my airport express) since I upgraded to snow leopard. (A common problem it seems)] Airtunes works great but to maintain a connection for the Nintendo DS's in the household I have to leave the guest network without a password. Is this a security issue?
    No. The guest network of an AirPort base station uses a different set of IP addresses, so the two networks are isolated from each other.

  • Has my iMac been hacked?  Appearance of uninvited "guest" user?

    I turned off my new iMac overnight.  This AM when I turned it on and started to log in there was a "new" guest user on my login screen.
    This seems pretty alarming, as if somehow someone has gotten an account on my iMac that I have not authorized.
    Yesterday I activated my iCloud account and tested it out some.  Could this have something to do with this mysterious guest?
    I live in an isolated, rural area so I am doubting that someone is hacking in to my Time Capsule wireless system, but I do have an always-on satellite connection.
    Has my computer been hacked?
    What should I do now?

    No, you haven't been hacked.
    This should explain:
    http://reviews.cnet.com/8301-13727_7-20119806-263/os-x-10.7.2-with-icloud-showing-guest-user-account-at-log-in/

  • AirPort guest wifi in bridge mode v 6

    OK... seems the configuration is very limited to what Apple thinks are the basic needs...
    What I really miss is support for a Guest network in bridge mode. It ALMOST works in 6... a shame you can't configure a DHCP server for the Guest network when the main wifi is in bridge mode. You can enable Guest, the client just won't get any IP address... Please fix this! A really useful function, since the AirPort Extreme is used in situations where it isn't the NAT, DHCP or gateway device!
    Also it should be possible to configure the DHCP ranges for main and guest independently of each other... and simply disable the DHCP function for one or both. Also client isolation is a nice option.
    Please make it more office friendly...
    Really make a more advanced view... the AirPort is capable of so much more! A pity its potential is limited through software configuration issues...
    So make it so in the next generation of the configuration utility! Thank you

    Please tell Apple what you want here.  This support community is comprised of other users, just like you.  Apple is not here.
    Apple - AirPort Extreme - Feedback
