 From:  walterpc at mchsi dot com (Walter PC)
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] 2nd management login
 Date:  Thu, 15 Jun 2006 03:27:18 +0000
This is exactly why - keep in mind that I am wanting to manage this remotely,
with clients on the inside at a hotel or coffee shop for example, many with no
ability to change their settings when using a corp computer with no admin rights.
We get tons of calls from guests that require public IPs to be able to VPN to
their offices. Some of our existing equipment creates a 1-to-1 NAT and some do
true routing.
M0n0wall is a perfect example of a VPN server that does not play well with
clients that are behind a NAT. I can access mine from behind a Linksys with
PPTP passthrough, but at hotels and coffee shops with anywhere between 50 and
500 concurrent users - PPTP passthrough doesn't really work that well.

As mentioned before, the $$$$ equipment we have all has Plug-N-Play support -
a corp user with a laptop set up with a static IP on their office network can come in
and still work...as long as they have a default GW programmed in.
This works because the GW replies to all unanswered ARP requests - basically
saying to the client - yes, I am that default GW... and then the client's ARP
table shows that MAC with the IP of its default GW. The internal LAN of the GW
just answers all packets with its MAC, regardless of IP range.

Maybe Smoothwall's uPnP is different than what I am describing.
Granted, we could do without this, but it is starting to become a request by
hotel BRAND STANDARDS so they have to have it (i.e. Hilton, Holiday Inn, etc.),
and since coffee shops and hotspots use the same hardware - it applies there as well.


> 
> Some VPN clients have issues if they don't have routable IPs... (Don't
> recall which ones, but we have run into this problem in the past)
> 
> Paul
> 
> -----Original Message-----
> From: SDamron [mailto:sdamron at gmail dot com] 
> Sent: Wednesday, June 14, 2006 4:03 PM
> To: walterpc at mchsi dot com
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] 2nd management login
> 
> Okay...This may sound silly...but, why on earth would you ever need a
> box behind a firewall to have a real routable IP address?  Just use
> 1:1 NAT, and be MUCH SAFER!!
> 
> On 6/14/06, Walter PC <walterpc at mchsi dot com> wrote:
> > OK - I feel stupid for not seeing that...
> >
> > question 2 - much more technical.
> > Is there or will there ever be uPnP support - like in Smoothwall and the
> > previously mentioned $$$$ systems (i.e. a 192.168.xx IP will still work
> > behind m0n0 if it has a default GW even if the LAN of m0n0 is
> > 10.71.x.x - can m0n0 inject its MAC address into unanswered GW ARP
> > requests?)
> >
> > question 3
> > Will the m0n0wall route traffic to public IPs behind the server...
> > for example, let's say I have a public subnet of 10.0.0.2 - 10.0.0.24
> > (let's assume this is a public routable subnet) and I want to have the
> > ability for users behind m0n0 (10.0.0.2) that may perhaps need a public
> > IP, if I give them a public IP of 10.0.0.4 with the default GW of
> > 10.0.0.1 (ISP device) and the public subnet mask, will m0n0 auto route
> > traffic to them?? Is this possible? If so, how do I make these
> > routables work??
> >
> > Thanks - you guys are always great help -
> > Ken.
> >
> >
> > David Kitchens wrote:
> > > Stay free! LOL M0n0wall will do what you want, under the top category is
> > > User Manager, made for exactly what you want. You can create users and
> > > assign them whatever page you want them to control.
> > >
> > > Dave
> > >
> > >
> > >> -----Original Message-----
> > >> From: Walter PC [mailto:walterpc at mchsi dot com]
> > >> Sent: Wednesday, June 14, 2006 1:21 AM
> > >> To: m0n0wall at lists dot m0n0 dot ch
> > >> Subject: [m0n0wall] 2nd management login
> > >>
> > >> Is there any way to add a 2nd login to the interface that has
> > >> fewer management options??
> > >> I would like to set up m0n0 so that it is remotely accessible for
> > >> management but with a login that support can use to diagnose and
> > >> assist users on the network, add MAC filters, and possibly
> > >> reboot, but not have access to WAN IP settings, PPTP, IPSEC,
> > >> Firewall and other non-essential options (at least
> > >> non-essential for their support purposes).
> > >> Mainly looking to create a Hot-spot GW out of this,
> > >> turning off internal GUI access and setting bandwidth
> > >> limitations and captive portal and such...but not all the
> > >> support reps are going to need access to all of the extra
> > >> features, just the techs and installers.
> > >> And of course we would have to have a default config file to
> > >> upload so that the installers don't have to set up all of the
> > >> firewall and settings.
> > >>
> > >> Let me know if this is feasible or if there is another router
> > >> / GW that would work better - as opposed to purchasing an
> > >> enterprise based GW such as IP3 or Nomadix.
> > >> Ken.
> > >>
> > >> ---------------------------------------------------------------------
> > >> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > >> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> > >>
> 
> 
> -- 
> -------------------------------
> When all you have is a hammer, everything starts to look like a nail.
> Registered Linux User #409723
> 