David Hardy wrote:
> Hi guys,
> I've been lurking for a bit and trying to setup wireless nodes for my
> company. The basic premise is that wireless users get the captive
> portal - limiting web access to permitted users. Once they are on
> the web they can VPN back to the watchguard firewall and get access
> to the 'real' lan.
> Here's the setup I tried today, which seems to meet my requirements
> but leaves me with a slight feeling of unease, like I've left the gas
> on or something ... All advice gratefully received!
> Wireless subnet - 192.168.a.0/24, DHCP on m0n0wall LAN interface.
> | WEB
> LAN (blue ?) |
> | |
> m0n0wall ---WAN (red) /29 from isp.-----
> WatchGuard 700----PPTP, DHCP 192.168.b.200/28
> | |
> OPT1 LAN
> | |
> The rules I have in place all govern traffic from blue to red. The
> radius server is on OPT1 and deals with captive portal and pptp auth
> for the watchguard.
> I have fallen foul of the pptp passthrough to the same destination
> issue, as all users arriving on the wireless wish to pptp to the
> watchguard. Thinking I was being clever, I have setup a dns forwarder
> rule to catch traffic to the watchguard hostname and forward it to the
> m0n0wall pptp server. This then authenticates using radius and gives
> by dhcp an address in the range of 192.168.b.224/29. To the users it
> looks like it does from home and seems to work very transparently.
> So, my real questions are:
> 1. Is there an obvious problem with this setup?
> 2. Is it possible that someone could force their IP to one in the
> 192.168.b.0 range and somehow spoof their way onto the OPT1 network?
> 3. I have not defined rules for PPTP, just rules from LAN to WAN -
> this corresponds to the ANY rule I have for traffic between pptp users
> and the ('real') LAN in the watchguard - is this a fair enough solution?
> I'm trying to modularise the deployment as we have 8 other UK sites
> that would benefit from identically configured m0n0walls with just a
> few finishing tweaks for each site (hopefully just the OPT1, pptp ip,
> the radius server IPs/shared secret and the DNS hijacking of the
> watchguard host name to be uniquely set).
I've sorted this out now, just needed some sleep and to read the manual
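Question 2 above (a wireless client forcing its IP into the 192.168.b range) comes down to whether the filter rules are bound to the ingress interface or only to source addresses. The following is an added, hypothetical model written for this thread, not m0n0wall's own rule engine; the 192.168.10.0/24 and 192.168.20.0/24 ranges are constructed stand-ins for the post's 192.168.a.0/24 and 192.168.b.0 ranges.

```python
import ipaddress

# Constructed stand-ins for the wireless (192.168.a.0/24) and OPT1/PPTP (192.168.b.0) ranges.
WIRELESS = ipaddress.ip_network("192.168.10.0/24")
OPT1_NET = ipaddress.ip_network("192.168.20.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rule = (ingress interface or None, source network, destination network, action).
# A None interface means "match on addresses alone, whatever interface the packet came in on".
ADDRESS_ONLY_RULES = [
    (None, WIRELESS, OPT1_NET, "block"),  # keep wireless users off OPT1 ...
    (None, WIRELESS, ANY, "pass"),        # ... but let them out to the web / WatchGuard
    (None, OPT1_NET, ANY, "pass"),        # OPT1 hosts (RADIUS etc.) may talk anywhere
]
INTERFACE_BOUND_RULES = [
    ("lan", WIRELESS, OPT1_NET, "block"),  # same intent, tied to the wireless interface
    ("lan", WIRELESS, ANY, "pass"),
    ("opt1", OPT1_NET, ANY, "pass"),       # OPT1 sources only honoured when they arrive on OPT1
]

def evaluate(rules, iface, src, dst):
    """First-match evaluation; an unmatched packet is dropped (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_iface, src_net, dst_net, action in rules:
        if rule_iface is not None and rule_iface != iface:
            continue  # rule belongs to a different interface
        if s in src_net and d in dst_net:
            return action
    return "drop"

def spoof_reaches_opt1(rules):
    """A wireless client that set its own address into the OPT1 range and sends to an OPT1 host.
    The packet still physically enters on the wireless ('lan') interface."""
    return evaluate(rules, "lan", "192.168.20.77", "192.168.20.5") == "pass"

if __name__ == "__main__":
    print("address-only rules, spoofed source:", spoof_reaches_opt1(ADDRESS_ONLY_RULES))
    print("interface-bound rules, spoofed source:", spoof_reaches_opt1(INTERFACE_BOUND_RULES))
```

With address-only rules the spoofed packet skips the wireless block and matches the OPT1 pass rule; with rules bound to the ingress interface it matches nothing and falls to the default deny, which is the behaviour to confirm on each site's ruleset.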