On Thu, 2004-11-04 at 02:16, Matt Juszczak wrote:
> OK ... this is how we're going to have our m0n0wall setup. Any
> suggestions would be appreciated.
> LAN1 <--------- m0n01 -----------> WAN
> LAN2 <--------- m0n02 -----------> WAN
Well, seen from a network point of view it's just two routers with an OPT
interface going to the central server. Are you planning on having traffic
between LAN1 and LAN2 go the same way?
> Chester.mydomain.edu will be a server that we are setting up only
> accessible from LAN1 and LAN2 (LAN1 is a /22 and LAN2 is a /20). We are
Just a matter of setting up the firewall rules to allow the traffic.
> Also, a mysql server will run on chester and we are having a PHP binary
> with mysql support on our m0n0's. When people login to either captive
> portal, the portal will check on chester (via mysql) to see if there is a
> ban on a username or mac address. Something like:
The check on username could be made by having a RADIUS server running on
chester. Then it would be a standard setup for m0n0wall. OpenRadius can
also speak with a MySQL backend if I remember correctly.
> This way we can allow our college administration to manage bans on the
> m0n0wall boxes without giving them full access to the webGUI. Comments on
Great solution on handing out the administration - thinking of doing the
same on my semi-public mail server for the admins of the domains.
> We had a quick question though. I wanted to know if there was a way to
> make it so that when m0n0 shuts down, it exports the output of ipfstat -io
> and the ipfw equivalent (not sure what it is off the top of my head) to a
> text file on chester, and then reloads it on boot up. We'd like users who
> are authenticated to not get kicked out if we reboot our box.
I don't think that would be possible, but I might be wrong.
> Other than that one little thing, does everyone feel our solution is a
> good one?
Seems reasonable to me. I had been thinking of having my FW (prior to
m0n0wall) boot as a thin client via the network, but m0n0wall is so
damned simple to operate that it has been dropped.
> Thanks in advance for anyone's assistance!
Just hope you can use my output!
Henning Wangerin <mailinglists dash after dash 041101 underscore reply dash not dash possible at hpc dot dk>
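The ban lookup Matt describes (the captive portal asking chester over MySQL whether a username or MAC address is banned), as an added example that is not part of the original thread and not m0n0wall's own code. The real portal is PHP talking to MySQL; this Python sketch uses an in-memory sqlite3 database as a stand-in so it runs offline, and the `bans` table layout, `normalize_mac`, `is_banned` and `demo` are all assumptions. It shows the two details a practitioner would want at this step: the username and MAC come from the client, so they are bound as query parameters rather than interpolated into the SQL, and MACs are canonicalized before comparison so a ban is not sidestepped by a different separator style or letter case.

```python
import re
import sqlite3

# Added example, not m0n0wall's or the poster's code. The setup described in the
# thread is a PHP captive portal querying MySQL on "chester"; sqlite3 in memory
# stands in here so the logic runs offline. Table and column names are assumed.
BAN_SCHEMA = """
CREATE TABLE bans (
    id        INTEGER PRIMARY KEY,
    username  TEXT,        -- NULL when the ban is MAC-only
    mac       TEXT,        -- canonical aa:bb:cc:dd:ee:ff, NULL when username-only
    reason    TEXT,
    expires   INTEGER      -- unix time; NULL means permanent
);
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Canonicalize a MAC so 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' and
    'aa:bb:cc:dd:ee:ff' all compare equal to the stored value.
    Returns None for anything that is not exactly 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac or "").lower()
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_banned(conn, username, mac, now):
    """Return (True, reason) if the username or the client's MAC has an active
    ban, else (False, None). Both values originate from the client (login form,
    ARP table), so they are bound as parameters, never pasted into the SQL."""
    norm_mac = normalize_mac(mac)
    user = (username or "").strip().lower()
    row = conn.execute(
        "SELECT reason FROM bans "
        "WHERE (username = ? OR mac = ?) "
        "AND (expires IS NULL OR expires > ?) "
        "LIMIT 1",
        (user, norm_mac, now),
    ).fetchone()
    return (True, row[0]) if row else (False, None)


def demo(now=1_100_000_000):
    """Run the check against a constructed ban table and return the results."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(BAN_SCHEMA)
    # Constructed sample bans: one by name, one by MAC, one already expired.
    conn.executemany(
        "INSERT INTO bans (username, mac, reason, expires) VALUES (?, ?, ?, ?)",
        [
            ("jdoe", None, "policy violation", None),
            (None, "00:11:22:33:44:55", "rogue dhcp server", None),
            ("expired_user", None, "old incident", now - 3600),
        ],
    )
    results = {
        "by_name": is_banned(conn, "JDoe", "aa:bb:cc:dd:ee:ff", now),
        "by_mac_dashed": is_banned(conn, "alice", "00-11-22-33-44-55", now),
        "by_mac_cisco": is_banned(conn, "alice", "0011.2233.4455", now),
        "expired": is_banned(conn, "expired_user", "aa:bb:cc:dd:ee:ff", now),
        "clean": is_banned(conn, "alice", "aa:bb:cc:dd:ee:ff", now),
        # Textbook quote-in-username input: with bound parameters it is just a
        # literal string that matches no row.
        "quoted_name": is_banned(conn, "x' OR '1'='1", "aa:bb:cc:dd:ee:ff", now),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
```

The lookup is the same whether it lives in the portal's PHP page or in a RADIUS backend as Henning suggests; what matters is that the admin-managed table is the only place bans are edited and that the portal only ever reads it with parameterized queries.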