Hi guys,
I've been lurking for a bit and trying to set up wireless nodes for my
company. The basic premise is that wireless users get the captive portal
- limiting web access to permitted users. Once they are on the web
they can VPN back to the WatchGuard firewall and get access to the
'real' LAN.
Here's the setup I tried today, which seems to meet my requirements but
leaves me with a slight feeling of unease, like I've left the gas on or
something... All advice gratefully received!
Wireless subnet - 192.168.a.0/24, DHCP on m0n0wall LAN interface.
[ASCII network diagram, garbled in extraction; the recoverable detail is:]
m0n0wall LAN (blue ?) - the wireless subnet above
m0n0wall WAN (red) - /29 from ISP, out to the WEB
WatchGuard 700 - PPTP, DHCP 192.168.b.200/28
m0n0wall OPT1 - LAN 192.168.b.0/24
The rules I have in place all govern traffic from blue to red. The
RADIUS server is on OPT1 and deals with captive portal and PPTP auth for
the WatchGuard.
I have fallen foul of the PPTP passthrough to the same destination
issue, as all users arriving on the wireless wish to PPTP to the
WatchGuard. Thinking I was being clever, I have set up a DNS forwarder
rule to catch traffic to the WatchGuard hostname and forward it to the
m0n0wall PPTP server. This then authenticates using RADIUS and gives by
DHCP an address in the range of 192.168.b.224/29. To the users it looks
like it does from home and seems to work very transparently.
So, my real questions are:
1. Is there an obvious problem with this setup?
2. Is it possible that someone could force their IP to one in the
192.168.b.0 range and somehow spoof their way onto the OPT1 network?
3. I have not defined rules for PPTP, just rules from LAN to WAN. This
corresponds to the ANY rule I have for traffic between PPTP users and the
('real') LAN in the WatchGuard - is this a fair enough solution?
I'm trying to modularise the deployment as we have 8 other UK sites that
would benefit from identically configured m0n0walls with just a few
finishing tweaks for each site (hopefully just the OPT1, PPTP IP, the
RADIUS server IPs/shared secret and the DNS hijacking of the WatchGuard
host name to be uniquely set).
Thanks,
David.
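Question 2 above is really about ingress (anti-spoof) filtering: a packet's source address must belong to the subnet that is legitimately behind the interface it arrived on. The check below is an added illustration, not m0n0wall code or anything from the post; the subnets are constructed stand-ins for the post's 192.168.a.0/24 and 192.168.b.0/24 (a=10, b=20), and the "pptp" interface name is an assumption for traffic that has come through the m0n0wall PPTP server.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the post's subnets: "a" -> 10, "b" -> 20.
WIRELESS_LAN = ipaddress.ip_network("192.168.10.0/24")    # LAN (blue), wireless users
OPT1_LAN = ipaddress.ip_network("192.168.20.0/24")        # OPT1, the 'real' side (RADIUS lives here)
PPTP_POOL = ipaddress.ip_network("192.168.20.224/29")     # addresses handed to PPTP clients

# Source prefixes that are legitimate on each ingress interface (assumed names).
# A source outside this set on that interface can only be a forged address.
EXPECTED_SOURCES = {
    "lan": [WIRELESS_LAN],
    "opt1": [OPT1_LAN],
    "pptp": [PPTP_POOL],
}


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str


def ingress_verdict(pkt: Packet) -> str:
    """Return 'pass' or 'drop: <reason>' for a packet entering the firewall."""
    allowed = EXPECTED_SOURCES.get(pkt.iface)
    if allowed is None:
        return f"drop: unknown interface {pkt.iface}"
    src = ipaddress.ip_address(pkt.src)
    if not any(src in net for net in allowed):
        # This is the case from question 2: a wireless client that set its own
        # address to one in the OPT1 range. The address alone does not move it
        # onto OPT1; it still arrives on the LAN interface and is rejected here.
        return f"drop: source {src} not expected on {pkt.iface}"
    return "pass"


def filter_packets(pkts):
    return [(p, ingress_verdict(p)) for p in pkts]


# Constructed sample traffic.
SAMPLE = [
    Packet("lan", "192.168.10.37", "192.168.20.5"),     # wireless client, its real address
    Packet("lan", "192.168.20.50", "192.168.20.5"),     # wireless client forcing an OPT1 address
    Packet("pptp", "192.168.20.226", "192.168.20.5"),   # authenticated PPTP client from the /29 pool
    Packet("lan", "192.168.20.226", "192.168.20.5"),    # pool address used without the tunnel
]

if __name__ == "__main__":
    for p, v in filter_packets(SAMPLE):
        print(f"{p.iface:5} {p.src:16} -> {p.dst:14} {v}")
```

The same idea is what m0n0wall's per-interface rules give you when the source of a LAN rule is restricted to the LAN subnet rather than "any".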