David Hardy wrote:
> Hi guys,
>
> I've been lurking for a bit and trying to set up wireless nodes for my
> company. The basic premise is that wireless users get the captive
> portal - limiting web access to permitted users. Once they are on
> the web they can VPN back to the WatchGuard firewall and get access
> to the 'real' LAN.
>
> Here's the setup I tried today, which seems to meet my requirements
> but leaves me with a slight feeling of unease, like I've left the gas
> on or something ...... All advice gratefully received!
>
> Wireless subnet - 192.168.a.0/24, DHCP on m0n0wall LAN interface.
>        |
>     LAN (blue ?)                          WEB
>        |                                   |
>     m0n0wall ---WAN (red) /29 from ISP--- WatchGuard 700 ---- PPTP, DHCP 192.168.b.200/28
>        |                                   |
>      OPT1                                 LAN
>   192.168.b.0/24                       192.168.b.0/24
> The rules I have in place all govern traffic from blue to red. The
> RADIUS server is on OPT1 and deals with captive portal and PPTP auth
> for the WatchGuard.
>
> I have fallen foul of the PPTP passthrough to the same destination
> issue, as all users arriving on the wireless wish to PPTP to the
> WatchGuard. Thinking I was being clever, I have set up a DNS forwarder
> rule to catch traffic to the WatchGuard hostname and forward it to the
> m0n0wall PPTP server. This then authenticates using RADIUS and gives
> an address by DHCP in the range of 192.168.b.224/29. To the users it
> looks like it does from home and seems to work very transparently.
>
> So, my real questions are:
>
> 1. Is there an obvious problem with this setup?
> 2. Is it possible that someone could force their IP to one in the
> 192.168.b.0 range and somehow spoof their way onto the OPT1 network?
> 3. I have not defined rules for PPTP, just rules from LAN to WAN -
> this corresponds to the ANY rule I have for traffic between PPTP users
> and the ('real') LAN in the WatchGuard - is this a fair enough solution?
>
> I'm trying to modularise the deployment as we have 8 other UK sites
> that would benefit from identically configured m0n0walls with just a
> few finishing tweaks for each site (hopefully just the OPT1, PPTP IP,
> the RADIUS server IPs/shared secret and the DNS hijacking of the
> WatchGuard host name to be uniquely set).
>
> Thanks,
>
> David.
>
I've sorted this out now, just needed some sleep and to read the manual
......
;-)
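Question 2 in the quoted post (can a wireless client set its own address to something in 192.168.b.0/24 and reach OPT1?) comes down to two things a packet filter on the m0n0wall can check for every packet: whether the source address is plausible for the interface it arrived on (anti-spoofing), and whether an explicit rule then passes it. The block below is an added illustration of that check, not code from the post or from m0n0wall; it models the post's topology with stand-in subnets (192.168.10.0/24 for the wireless "a" network, 192.168.20.0/24 for the OPT1 "b" network, 192.168.20.224/29 for the PPTP pool), interface names "lan", "opt1" and "pptp", a small ordered ruleset, and constructed sample packets, all of which are assumptions. The ruleset also shows the point a practitioner would raise about a plain LAN-to-any rule: on a router that forwards between all of its interfaces, "any" includes OPT1, so a block rule for the OPT1 network has to sit in front of it.

```python
"""Illustrative ingress (anti-spoofing) filter for the m0n0wall setup in the
post.  Added example: not the post's own configuration and not m0n0wall code.
Subnets, interface names, rules and sample packets are all assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Stand-in subnets (assumption: 10 for the post's "a", 20 for its "b").
WIRELESS_NET = ip_network("192.168.10.0/24")    # m0n0wall LAN, "blue"
OPT1_NET     = ip_network("192.168.20.0/24")    # RADIUS / WatchGuard side
PPTP_POOL    = ip_network("192.168.20.224/29")  # addresses handed to PPTP clients
ANY          = ip_network("0.0.0.0/0")

# Source network that may legitimately appear on each ingress interface.
# The PPTP pool lives on its own logical interface because m0n0wall is
# terminating the tunnel itself (the post's workaround for passthrough).
INGRESS = {"lan": WIRELESS_NET, "opt1": OPT1_NET, "pptp": PPTP_POOL}

# Ordered rules: (ingress interface, action, source net, destination net).
# First match wins; no match means drop (default deny).
RULES = [
    # Keep unauthenticated wireless clients off OPT1 directly: this must come
    # before the "any" rule, because "any" would otherwise include OPT1.
    ("lan",  "block", WIRELESS_NET, OPT1_NET),
    # The post's LAN -> WAN rule (wireless clients reach the Internet).
    ("lan",  "pass",  WIRELESS_NET, ANY),
    # Clients that authenticated via PPTP/RADIUS may reach OPT1.
    ("pptp", "pass",  PPTP_POOL,    OPT1_NET),
]


@dataclass(frozen=True)
class Packet:
    """Constructed packet: ingress interface plus IPv4 source/destination."""
    iface: str
    src: str
    dst: str


def filter_packet(pkt: Packet) -> str:
    """Return the verdict for one packet, e.g. 'pass: rule ...' or 'drop: ...'."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    legit = INGRESS.get(pkt.iface)
    if legit is None:
        return f"drop: unknown interface {pkt.iface}"
    # Anti-spoofing: a source from another interface's subnet cannot
    # legitimately arrive on this interface, whatever the rules below say.
    if src not in legit:
        return f"drop: spoofed source {src} on {pkt.iface}"
    for iface, action, src_net, dst_net in RULES:
        if iface == pkt.iface and src in src_net and dst in dst_net:
            return f"{action}: rule {iface} {src_net} -> {dst_net}"
    return "drop: no matching rule"


if __name__ == "__main__":
    # Constructed sample traffic covering the cases the post asks about.
    samples = [
        Packet("lan",  "192.168.10.5",   "203.0.113.10"),   # wireless -> Internet
        Packet("lan",  "192.168.10.5",   "192.168.20.10"),  # wireless -> RADIUS on OPT1
        Packet("lan",  "192.168.20.50",  "192.168.20.10"),  # wireless client faking an OPT1 address
        Packet("pptp", "192.168.20.225", "192.168.20.10"),  # authenticated PPTP client -> OPT1
        Packet("opt1", "192.168.20.10",  "192.168.10.5"),   # OPT1 -> wireless, no rule defined
    ]
    for p in samples:
        print(f"{p.iface:5} {p.src:>15} -> {p.dst:<15} {filter_packet(p)}")
```

The third sample is the spoofing case from the post: the packet carries an OPT1-range source but arrives on the wireless interface, so it is dropped before any rule is consulted. The second sample shows why the order of the two "lan" rules matters; swap them and the wireless client reaches the RADIUS server without authenticating.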