[nycbug-talk] VPN/Integrated Router Appliances

Isaac Levy ike at lesmuug.org
Tue Oct 17 12:42:32 EDT 2006

Hi Hans, All,

In short, after the lecture I gave on PFSense and m0n0wall, I'd  
SERIOUSLY reccommend you take a look at those packages.

Either would would likely fit the bill, feel free to ask any  
deployment/setup questions offlist.

On Oct 15, 2006, at 8:11 PM, Hans Zaunere wrote:

> Hi,
> We're looking to deploy a [small] office integrated router to  
> provide the
> following primary functionality:
> -- remote/field user VPN access without having to install VPN  
> clients on
> their laptops/desktops; most remote users are Windows XP based

I can't say precisely, as I have little experience with the WinXP  
side, but I believe the PPTP is ideal for Windows XP client VPN's.

 From the m0n0wall handbook:

Hope that helps-?

> -- wireless connectivity for the office space; wireless access can  
> be open,
> but only authorized users should have the benefit of being in the  
> "internal"
> network - the rest just have generic internet access

Dude, both m0n0wall and PFSense can be setup to do this in a myriad  
of ways-

If you say, got a soekris or wrap box with dual mini-PCI slots, you  
could have this setup with a single router.  One wireless network  
could be 'open', with restricted bandwidth throttling, and firewalled  
off so it doesn't pass packets to the internal network.  The other  
wireless card could then be tied directly into the 'internal'  
network, and locked down however you see fit.

Additionally, both m0n0wall and PFSense have Captive Portal options-  
which is VERY Cool if you want to go that route- (it's just like  
logins at the airport or starbucks).

> -- wireless connectivity, however, could be provided by a separate  
> device
> (which is already in place) so it's not critical to be an all in  
> one product

If you say, got a soekris/wrap box with just one mini-PCI slot, (like  
the ol' faithful net4801), you could simply put the 'internal' access  
point on that network, and lock it down however you see fit for that  
device- and then use the onboard wireless to run the 'open' AP.

> -- IP NAT for VPN or generic wireless users

m0n0wall and PFSense do that with ease.

> -- internal authoritative DNS server to provide internal server  
> naming for
> development servers, etc; company internet facing authoritative DNS is
> handled elsewhere

m0n0wall and PFSense also have a VERY easy to configure DNS proxy,  
you can do really amazing time-saving things with it.

> -- authorized VPN users have access to development servers on local  
> and
> remote networks

Ooooh- tricky- just tweak the firewalls once you have the VPN's setup  
and working.

> -- authorized VPN users have access to SMB/Windows network routing  
> to a
> remote/local Samba/Windows file

? That's all in the setup.  If your VPN client machines are stable, I  
don't see this as a problem once they're authenticated into the network.

> Now I realize I could build up a server with the firewall rules,
> functionality, etc., but I'm really looking towards an out-of-box  
> solution.
> Some type of pre-configured appliance with HTTPS administration.  I've
> looked at several different options, including:
> -- wireless integrated routers from vendors such as Linksys, D- 
> Link, etc.,
> such as the Linksys WRVS4400N or RV016, or the D-Link DFL-CPG31
> -- alternative firmwares for above routers
> -- combining a BSD installment with a hardware appliance, such as  
> Soekris
> with m0n0wall

Did I say m0n0wall and PFSense yet? :)

> Commercial or free solutions are ok, although from what I've seen  
> above,
> they all seem to fall short in some way, especially in providing a  
> full DNS
> server for the VPN users.  Any feedback/thoughts/experiences are
> appreciated.
> H

m0n0wall and PFSense blow every commercial piece of junk I've touched  
out of the water, and as an important bonus, they're easy to use-  
(e.g. you can train any compitent tech to manage them).


More information about the talk mailing list