I have m0n0wall running with a wireless access point in the way you describe
(VPN), but m0n0wall is not *itself* a WAP. I have a Linksys 54 Mbps WAP
connected to OPT1, and it's the only device directly connected to that
interface. It keeps all things wireless completely independent of my wired

> Since WEP and I don't get along very well, and since m0n0wall
> seems to have defeated the common PPTP-can't-access-WAN
> problem, would it be relatively secure to set the wireless
> side as a wide open AP, but restrict access to the LAN/WAN
> and require the user to VPN?

I've gone with a halfway solution. I have no WEP/WPA running on the access
point, but I still have MAC address filtering to prevent unauthorized
clients connecting. I also allow access from the WLAN interface to the 'net
via my Squid proxy (which limits clients to http/ftp on port 80/21

So WLAN clients can access the net without VPNing, but only through Squid
(which means no user running P2P stuff). If I wanted I could use Squid's
delay pools feature to give unauthenticated (i.e. non-VPN) users a highly
restrictive bandwidth allocation.

WLAN clients can authenticate themselves via PPTP, in which case they
receive unrestricted access to the 'net, m0n0wall's other services, and of
course the wired LAN.

> I'm thinking this just might work -- I seem to be able to
> PPTP from the LAN side or the WAN side (which is a HUGE help
> debugging my RADIUS setup, by the way).

It seems to work at this end. My setup isn't quite the same as yours, but
they're pretty similar.

> From the usability side of things, this would be acceptable,
> we only use wireless on our laptops, and our laptops are all
> already capable of VPNing.

If you have unknown/unauthorized clients connecting to your wireless LAN,
make sure the laptops have firewalls running on their WLAN interfaces (the
default XP one will do the job). Whether you firewall the VPN connection or
not is a personal decision, I usually don't. But then, I don't run personal
firewalls on each machine in the wired LAN either, since they're all owned
and used by... me.

C.M. Bagnall, Partner, Minotaur
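
Added example, not part of the original message and not the poster's actual configuration: a squid.conf fragment for the arrangement described above, where WLAN clients that have not connected over PPTP reach the net only through Squid, only for HTTP/FTP on ports 80/21, and inside a restrictive delay pool. The subnet 192.168.2.0/24, the ACL name `wlan_clients` and the bandwidth figure are assumptions chosen for illustration.

```conf
# --- Who is on the open wireless segment (assumed addressing) ---
# Clients that have NOT authenticated over PPTP keep their WLAN address.
# PPTP clients receive an address from the VPN pool instead, so they
# never match this ACL.
acl wlan_clients src 192.168.2.0/24

# --- What the proxy will fetch ---
# Only plain HTTP (80) and FTP (21) destinations, as in the message.
acl Safe_ports port 80 21
acl CONNECT method CONNECT

# Refuse any request to a destination port other than 80 or 21.
http_access deny !Safe_ports

# Refuse CONNECT entirely so the proxy cannot be used as a generic
# TCP tunnel by unauthenticated wireless clients.
http_access deny CONNECT

# Serve the wireless segment, refuse everyone else.
http_access allow wlan_clients
http_access deny all

# --- Bandwidth cap for unauthenticated (non-VPN) users ---
# One class-1 pool: a single aggregate bucket shared by every client
# that matches delay_access.
delay_pools 1
delay_class 1 1

# restore/max in bytes per second; 16000 is roughly 128 kbit/s shared
# across all unauthenticated wireless clients (assumed figure).
delay_parameters 1 16000/16000

delay_access 1 allow wlan_clients
delay_access 1 deny all
```

The proxy restrictions only hold if the firewall rules on the wireless interface pass nothing except traffic to the Squid host and PPTP to the firewall itself; otherwise clients can simply bypass the proxy.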