Peter Allgeyer wrote:
>BTW: Is an "Ethernet tunnel" a useful scenario on a gateway?
That's really a good question... I would have no use for it, but I
suppose it's reasonable for someone to want to route NetBIOS/BEUI or
IPX, although I can't imagine how well that would fare. It's definitely
possible to have trusts between windows domains on two IP blocks, but I
guess that NetBIOS over TCP would take care of that... I guess that
that's the kind of thing that should be a hidden option; most people
have no need for it, but some may. Also, it may be useful for VLANs.
>Still the experienced admins want to have as much
>features as possible to configure through the GUI.
I agree, and I don't think that they shouldn't... My point is that the
VPN should interact with different systems in different ways depending
on how it's set up... I think that it's easier on everyone if there are
certain distinct modes of operation, based on how the systems interact
with each other. Perhaps there should be hidden *_adv.php for experts,
rather than forcing them to edit the config file and reboot the
firewall... and perhaps if they use it, they should be precluded from
editing a given connection the normal way. That way, they can choose
what system does what, and know that they're taking a risk of breaking
something if they're not careful. It would have one of those red 'This
page is not supported...' pages.
Another note: if OpenVPN depends on the DHCP server or something else,
that configuration should be tied to OpenVPN, so when one thing changes,
so does the other... This goes back to my prior complaint about NAT
rules not being tied to their firewall rules. If you kill a VPN server,
its DHCP and bridging rules should die also, etc.
Sorry if that wasn't entirely coherent, I haven't really slept lately.