 From:  "Magne Andreassen" <magne dot andreassen at bluezone dot no>
 To:  "'Jim McBeath'" <jimmc at macrovision dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] wireless+IPsec+RedHat9?
 Date:  Wed, 3 Dec 2003 10:45:24 +0100
Jim McBeath wrote:
> Your comments from that post:
> > So what i am thinking:
> > -DHCP on wireless interface. (not possible in m0n0wall(...yet))
> This step I got, and it works fine without PPTP.  I'm still 
> unclear as to when and how PPTP gets started on my wireless 
> connection, and when the DHCP address is supposed to get handed out.

DHCP is of course optional, but if you _only_ allow PPTP traffic in
on your wireless interface, there should be no huge security issues
with serving DHCP on it. Right? At least for myself, I have a Windoze
client, and I am lazy, so I don't bother to go changing that IP address
every time I get home.
Just to be clear, DHCP and PPTP have no dependencies...

> > -Enable PPTP server in m0n0wall.
> Here's where I need some documentation.  (Has anybody started 
> on that m0n0wall manual yet?)  On the PPTP page in m0n0wall, 
> I checked the "Enable PPTP Server" box.  What am I supposed 
> to enter for the "Server address" and the "Remote address 
> range"?  Should the Server address be the address of the 
> m0n0wall wireless port, a made-up number, or what?  Likewise, 
> does it matter what the Remote address range is?  Does it 
> need to match the range of IP addresses handed out by the 
> DHCP server, or does it need to be something different?  I 

You're right, this is not trivial and self-explanatory.
The server address and the Remote address range should be in the
range of your LAN subnet, e.g. let's say you have a class C net like
You could then use as the Server address and as the Remote address range for PPTP.
If you use DHCP on LAN, make sure these addresses are outside
the range of your DHCP scope!
PPTP would then serve to the first PPTP client
connecting, .113 to the next and so on, till all 16 addresses
are used. m0n0wall has a maximum of 16 concurrent PPTP sessions.

> checked the "Require 128-bit encryption box", but I don't see 
> anything (such as on the client side) else about encryption size.
> On the client side, I installed pptp-linux and 
> pptp-php-gtk-setup, which gives me a screen with a set of 
> tabs that, like FreeS/WAN, don't quite seem to match up 
> against the data specified in m0n0wall.  For the Server name, 
> should this be a name that resolves to the m0n0wall wireless 
> port, or a name that resolves to the "Server address" 
> specified in m0n0wall (if that is supposed to be different)?  

I don't know what the pptp-linux client looks like, but I assume
that the server address here should be the IP address of your
wireless card (or the IP address of your WAN interface if connecting
from the Internet).

> In the Routing tab, I think I am supposed to select the "All 
> to tunnel" option, but then should I set the Public Network 
> Interface to eth1 (which is how my wireless card shows up), 
> or ppp0 (which gets added by PPTP)?  In the Encryption tab I 
> checked "Require MPPE", but I don't see anything that tells 
> it I always want to use 128 bits.
Try without the "Require 128 bits encryption" on m0n0 first,
and move on from there.

> > -Add some firewall rules on wireless interface:
> >	GRE Wireless net * * *				- for VPN
> >	TCP Wireless net * * 1723			- for VPN
> I assume the above two rules allow a wireless client talking 
> PPTP to connect to the PPTP server.  Can I still control the 
> rules for connections coming through PPTP on the wireless 
> interface, or do they necessarily have open access to 
> everything once they come out of the PPTP server on m0n0?
Yes, they are for the PPTP connection. Only the WAN interface is
"designed" in m0n0wall to accept PPTP requests and traffic by default,
so we have to manually add these to the wireless interface.
You will still have to add rules for your PPTP interface,
and these apply to all PPTP connections, so no, they don't have
default access to everything once connected.

> >	UDP * 68 wi-ip 67					- DHCP
> >	UDP * 68 67			- DHCP
> >	UDP wi-ip 67 * 68					- DHCP
> I think your other comments above mean these lines are not needed.

Correct. These are not needed anymore.

> If there are some documents that do a good job of explaining 
> this stuff, I would be happy to go off and read them.  So far 
> I haven't found them.

The features of m0n0wall all rely on well known open source
projects, and the documentation for these is public.
But we really need someone to go ahead and start that doc
project for m0n0wall so all crucial functionality and
limitations of m0n0wall are explained.
The person(s) who wanted to start the doc project have a whole lot
of mails to read through from the mailing list. I hope they do,
because what m0n0wall really lacks is some documentation.
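The address-plan rules given in this reply (PPTP server address and remote range inside the LAN subnet, kept out of the DHCP scope, 16 concurrent sessions) as a small added checker; this is example code written for this archive page, not part of the original mail or of m0n0wall. All addresses are constructed samples, and the check that the server address is not itself one of the client addresses is an added assumption, not something the mail states.

```python
import ipaddress

PPTP_MAX_SESSIONS = 16  # m0n0wall's limit, as stated in the mail


def pptp_remote_addresses(range_start, count=PPTP_MAX_SESSIONS):
    """Addresses PPTP hands out: range_start to the first client, +1 to the next, ..."""
    start = ipaddress.IPv4Address(range_start)
    return [start + i for i in range(count)]


def check_pptp_plan(lan_subnet, server_addr, remote_start, dhcp_start, dhcp_end):
    """Return a list of problem strings; an empty list means the plan is consistent.

    Checks: every address is a usable host address in the LAN subnet (not the
    network or broadcast address), none falls inside the DHCP scope, and
    (assumption, not from the mail) the server address is not also a client address.
    """
    net = ipaddress.IPv4Network(lan_subnet, strict=False)
    dhcp_lo = ipaddress.IPv4Address(dhcp_start)
    dhcp_hi = ipaddress.IPv4Address(dhcp_end)
    server = ipaddress.IPv4Address(server_addr)
    clients = pptp_remote_addresses(remote_start)

    problems = []
    candidates = [("server address", server)] + [("remote range", a) for a in clients]
    for label, addr in candidates:
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is not a usable host address in {net}")
        elif dhcp_lo <= addr <= dhcp_hi:
            problems.append(f"{label} {addr} collides with DHCP scope {dhcp_lo}-{dhcp_hi}")
    if server in clients:
        problems.append(f"server address {server} is also handed out to a PPTP client")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: /24 LAN, DHCP scope .100-.199, PPTP carved out of .224-.240
    for line in check_pptp_plan("192.168.1.0/24", "192.168.1.240", "192.168.1.224",
                                "192.168.1.100", "192.168.1.199") or ["plan OK"]:
        print(line)
```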