 From:  "Chris Bagnall" <m0n0wall at minotaur dot cc>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Odd kind of setup?
 Date:  Mon, 26 Jul 2004 19:21:50 +0100
> I am about to build a separate network for our visitors and 
> guests. From this Visitor network our guests should get 
> Internet access but no access to our company resources.
> On this network I connect the Monowall LAN interface, enable 
> DHCP and DNS forwarding. I will also use the Captive portal 
> function, forcing them to log on first.

At home I run a separate interface for wireless clients and "untrusted"
wired clients (mainly my sister and her boyfriend's laptops when they come
to stay ;-) ).

I have rules on the OPT1 interface as follows:

1) Block TCP/UDP ports 135,137-139,445 (to block NetBIOS without filling the
firewall logs with broadcast requests)

2) Allow ICMP to the router (so clients can make sure the gateway is up)
3) Allow UDP port 53 to the router (for DNS forwarder)
4) Allow TCP port 1723 to the router (for authenticated PPTP clients - i.e.
my laptop connected wirelessly)
5) Allow TCP port 3128 to a box in the LAN (Squid proxy)

Forcing all unauthenticated clients via a Squid proxy means they're kinda
limited to HTTP/FTP access, and not any filesharing stuff. If you're
bothered about bandwidth usage, you could use Squid's delay pools to really
cut down "guest" users' bandwidth.

I tend to use the captive portal on this interface with MAC passthrough for
any clients I expect to login via PPTP (my laptop).

I'm sure you could expand something like this to your much larger network,
possibly even using Squid's transparent proxying facilities...


C.M. Bagnall, Partner, Minotaur
Tel: 07010 710715   Mobile: 07811 332969
ICQ: 13350579   MSN: minotauruk at hotmail dot com   AIM: MinotaurUK   Y!:
This email is made from 100% recycled electrons.
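A small model of the OPT1 rule set described in the message above, written here as an added example and not part of the original post; the router, proxy and file-server addresses are assumed. It applies m0n0wall's first-match evaluation with an implicit logged default deny, which shows why rule 1 drops NetBIOS quietly while every other blocked packet ends up in the log.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical addresses for the illustration; the post names no IPs.
ROUTER = "192.168.2.1"     # m0n0wall's OPT1 address
PROXY = "192.168.1.10"     # Squid box on the LAN
LAN_FS = "192.168.1.20"    # a file server on the LAN
NETBIOS = {135, 137, 138, 139, 445}

@dataclass
class Rule:
    action: str                  # "block" or "pass"
    proto: str                   # "tcp", "udp", "tcp/udp", "icmp" or "any"
    dst: Optional[str] = None    # None means any destination
    ports: Optional[set] = None  # None means any port (or no port, for ICMP)
    log: bool = False

# Rules 1-5 from the post, in order; the firewall stops at the first match.
OPT1_RULES = [
    Rule("block", "tcp/udp", None, NETBIOS, log=False),  # 1) quiet NetBIOS drop
    Rule("pass", "icmp", ROUTER),                        # 2) ping the gateway
    Rule("pass", "udp", ROUTER, {53}),                   # 3) DNS forwarder
    Rule("pass", "tcp", ROUTER, {1723}),                 # 4) PPTP clients
    Rule("pass", "tcp", PROXY, {3128}),                  # 5) Squid proxy
]
DEFAULT = Rule("block", "any", log=True)  # implicit default deny, logged

def match(rule, proto, dst, port):
    """True if the packet (proto, dst, port) falls under this rule."""
    if rule.proto != "any" and proto not in rule.proto.split("/"):
        return False
    if rule.dst is not None and rule.dst != dst:
        return False
    if rule.ports is not None and port not in rule.ports:
        return False
    return True

def evaluate(proto, dst, port=None):
    """Return (action, logged) for a packet entering from OPT1."""
    for rule in OPT1_RULES:
        if match(rule, proto, dst, port):
            return rule.action, rule.log
    return DEFAULT.action, DEFAULT.log

if __name__ == "__main__":
    samples = [("tcp", LAN_FS, 445), ("udp", ROUTER, 53),
               ("tcp", PROXY, 3128), ("tcp", LAN_FS, 80)]
    for pkt in samples:
        print(pkt, "->", evaluate(*pkt))
```

Direct HTTP to a LAN host lands on the default deny, which is the point of rule 5: guests only reach the web through the proxy.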