 From:  David Hardy <david at millfarm dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  PPTP VPN and Wireless
 Date:  Wed, 26 Jan 2005 23:11:45 +0000
Hi guys,

I've been lurking for a bit and trying to set up wireless nodes for my 
company. The basic premise is that wireless users get the captive portal 
- limiting web access to permitted users. Once they are on the web 
they can VPN back to the watchguard firewall and get access to the 
'real' lan.

Here's the setup I tried today, which seems to meet my requirements but 
leaves me with a slight feeling of unease, like I've left the gas on or 
something ...... All advice gratefully received!

Wireless subnet - 192.168.a.0/24, DHCP on m0n0wall LAN interface.
        |
    LAN (blue ?)                                     WEB
        |                                             |
    m0n0wall ---WAN (red) /29 from isp.----- WatchGuard 700----PPTP, DHCP 192.168.b.200/28
        |                                             |
      OPT1                                     LAN 192.168.b.0/24
  192.168.b.0/24                                      |
        |                                             |

The rules I have in place all govern traffic from blue to red. The 
radius server is on OPT1 and deals with captive portal and pptp auth for 
the watchguard.

I have fallen foul of the pptp passthrough to the same destination 
issue, as all users arriving on the wireless wish to pptp to the 
watchguard. Thinking I was being clever, I have set up a dns forwarder 
rule to catch traffic to the watchguard hostname and forward it to the 
m0n0wall pptp server. This then authenticates using radius and gives by 
dhcp an address in the range of 192.168.b.224/29. To the users it looks 
like it does from home and seems to work very transparently.

So, my real questions are:

1. Is there an obvious problem with this setup?
2. Is it possible that someone could force their IP to one in the 
192.168.b.0 range and somehow spoof their way onto the OPT1 network?
3. I have not defined rules for PPTP, just rules from LAN to WAN. - this 
corresponds to the ANY rule I have for traffic between pptp users and the 
('real') LAN in the watchguard - is this a fair enough solution?

I'm trying to modularise the deployment as we have 8 other UK sites that 
would benefit from identically configured m0n0walls with just a few 
finishing tweaks for each site (hopefully just the OPT1, pptp ip, the 
radius server IPs/shared secret and the DNS hijacking of the watchguard 
host name to be uniquely set.).

Thanks,

David.

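Question 2 above (can someone on the wireless side forge a source address in the 192.168.b.0 range and reach OPT1?) is really a question about whether the rules on the wireless interface are bound to that interface's own subnet. The following is an added example, not from the post and not m0n0wall's own rule engine: a small first-match, per-interface rule model in Python with an implicit default deny, plus an audit that tries a forged source address from every other subnet on every interface and reports which ones a ruleset would pass. The subnets use constructed octets (10 for "a", 20 for "b") and the rule spellings ("lan net", "opt1 net") are an assumption made for the model.

```python
import ipaddress
from dataclasses import dataclass

# Constructed interface subnets standing in for the post's 192.168.a.0/24 and
# 192.168.b.0/24 (the a/b placeholders are filled with 10 and 20 for illustration).
INTERFACES = {
    "lan":  ipaddress.ip_network("192.168.10.0/24"),    # wireless side (blue)
    "opt1": ipaddress.ip_network("192.168.20.0/24"),    # RADIUS / WatchGuard LAN side
    "pptp": ipaddress.ip_network("192.168.20.224/29"),  # pool handed to PPTP clients
}


@dataclass
class Rule:
    iface: str    # interface the packet arrives on
    src: str      # "any", "<iface> net", or a CIDR
    dst: str      # "any", "<iface> net", or a CIDR
    action: str   # "pass" or "block"


def _matches(spec: str, addr: str) -> bool:
    """Does an address fall inside a rule's source/destination specification?"""
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec.endswith(" net"):
        return ip in INTERFACES[spec[:-4]]
    return ip in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, iface: str, src: str, dst: str) -> str:
    """First-match evaluation of the rules bound to the arrival interface.

    Anything that matches no rule is blocked (implicit default deny).
    """
    for r in rules:
        if r.iface == iface and _matches(r.src, src) and _matches(r.dst, dst):
            return r.action
    return "block"


def anti_spoof_audit(rules):
    """For every interface, send a packet whose source claims to belong to some
    *other* interface's subnet and report each case the ruleset would pass.
    Returns a list of (arrival_iface, forged_src, dst) tuples; empty is good.
    """
    target = str(next(iter(INTERFACES["opt1"].hosts())))   # a host on the OPT1 side
    findings = []
    for iface in INTERFACES:
        for other, net in INTERFACES.items():
            if other == iface:
                continue
            forged = str(next(iter(net.hosts())))
            if evaluate(rules, iface, forged, target) == "pass":
                findings.append((iface, forged, target))
    return findings


# A permissive wireless rule: trusts whatever source address shows up.
RULES_LOOSE = [
    Rule("lan", "any", "any", "pass"),
]

# Interface-bound rules: only the wireless subnet may originate traffic on
# "lan", and that traffic may not be aimed at the OPT1 subnet at all.
RULES_TIGHT = [
    Rule("lan", "lan net", "opt1 net", "block"),
    Rule("lan", "lan net", "any", "pass"),
]


if __name__ == "__main__":
    for name, rules in (("loose", RULES_LOOSE), ("tight", RULES_TIGHT)):
        print(name, "->", anti_spoof_audit(rules) or "no spoofable paths")
```

The loose ruleset passes a packet arriving on the wireless interface with a forged 192.168.20.x source, which is exactly the scenario in question 2; the tight ruleset drops it because the source is outside "lan net", and it also keeps genuine wireless clients away from OPT1, leaving the PPTP tunnel as the only route to the real LAN.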