 From:  Lee Sharp <leesharp at hal dash pc dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Remote access
 Date:  Sun, 26 Aug 2007 13:21:00 -0500
Bob Young wrote:

> It's been a long time since I responded to the list here.  I'm trying to
> respond to your "Remote Access" post of June 11, 2007.  I hope my post here
> appends to that post.  I'm hoping by me putting in the exact Subject name,
> that it will append.

Nope.  But we can follow it.

> I have also been trying to set up remote access  on my M0n0wall, using
> Dyndns like you do.
> I have the client in my M0n0wall set up.  And I have my Dyndns account set
> up.
> The thing that held me back was I didn't know how to open up the firewall in
> a relatively secure way, so I could remote in.

This is a judgment call.  I figure ssl with a strong password is enough.
Some do not.

> I assume you set rules up only in the  Firewall: Rules: WAN  section?  I
> wasn't sure if I needed to set something up in the  Firewall:NAT: Inbound
> section.

NAT is to traverse the firewall.  Not to reach it.  No need.

> Is there a reason you used port 443 to remote in on?  I think I heard
> somewhere that port 443 is used to remote into sometimes.  But from what
> you are saying, I don't have to use port 443.  Does it matter which port I
> pick?  Any ports I should stay away from?  If I don't specify a particular
> port, won't it come in on port 80?  Is that bad?

Port 443 is the default https.  You can use any port you wish.  It is 
configurable in the firewall.  Just remember what port you chose.

> Assuming I am lucky enough to be able to remote into my M0n0wall, will I
> also be able to remote into my access point, which is connected to my
> M0n0wall?  And to the CPE, which is wirelessly connected to my AP?  Or does
> Dyndns only allow me to remote into my M0n0wall, and nothing else on the LAN
> side of my M0n0wall?

For this you can either use NAT, or VPN to reach the APs.  Since I
remotely monitor my APs I inbound NAT each one to an unusual port.
Strong passwords again.  When you set up your inbound NAT, make sure
you check "Auto add firewall rule" to finish it off.  I also have NAT
to my ssh ports.  However, I leave the firewall rule off until I need
it.  Too much port scanning for ssh.