On Thu, 26 Aug 2004, Nicolas Bussieres wrote:

> well, why don't you just accept port 443 (https) or 80 (http) on wan side of
> the firewall (wireless interface). I'm doing this for a few special clients on
> our wireless network and it works very well. this will allow remote access

HTTP on the WAN is a *really* bad idea. HTTPS isn't quite so bad, but it suffers from the "permanent login" problem. As a temporary method while fiddling with VPN configs it should be OK, though.

> -----Original Message-----
> From: Andy Holyer [mailto:andyh at hhbb dot co dot uk]
> Sent: Thursday, August 26, 2004 09:06
> To: 'm0n0wall'
> Subject: [m0n0wall] Advice please: Configuration for wireless-acessible
> Monowall

[...]

> We supply Internet to remote locations beyond the reach of wired DSL,
> using Soekris and Wrap routers and rooftop antennas. We have
> experimented with using Monowall, but suffer from the problem that the
> web interface is blocked to the wireless connection. Since the boxes
> are widely spread over the countryside (and sometimes in inaccessible
> places, such as up poles) we need to be able to remotely administer
> them.
>
> I've seen some mention of setting up an IPSEC pipe to the box and then
> fetching web pages from that. That has some appeal - I already use
> openVPN to allow our monitor pages to be seen from home or when out in
> the field.

Yes, although you should have an alternate method to use while changing IPsec configs, since it's so easy to kill it with bad settings. And for now, you may be stuck with the tunnel down for the remaining SA lifetime after one end is rebooted, but that should be fixed in the not-too-distant future.

Fred Wright