[nycbug-talk] VPN/Integrated Router Appliances
Isaac Levy
ike at lesmuug.org
Tue Oct 17 12:42:32 EDT 2006
Hi Hans, All,
In short, after the lecture I gave on PFSense and m0n0wall, I'd
SERIOUSLY recommend you take a look at those packages.
Either would likely fit the bill; feel free to ask any
deployment/setup questions offlist.
On Oct 15, 2006, at 8:11 PM, Hans Zaunere wrote:
>
> Hi,
>
> We're looking to deploy a [small] office integrated router to provide the
> following primary functionality:
>
> -- remote/field user VPN access without having to install VPN clients on
> their laptops/desktops; most remote users are Windows XP based
I can't say precisely, as I have little experience with the WinXP
side, but I believe PPTP is ideal for Windows XP client VPNs.
From the m0n0wall handbook:
http://doc.m0n0.ch/handbook/pptp-windows.html
Hope that helps-?
>
> -- wireless connectivity for the office space; wireless access can be open,
> but only authorized users should have the benefit of being in the "internal"
> network - the rest just have generic internet access
Dude, both m0n0wall and PFSense can be set up to do this in a myriad
of ways-
If you, say, got a Soekris or WRAP box with dual mini-PCI slots, you
could have this setup with a single router. One wireless network
could be 'open', with restricted bandwidth throttling, and firewalled
off so it doesn't pass packets to the internal network. The other
wireless card could then be tied directly into the 'internal'
network, and locked down however you see fit.
Additionally, both m0n0wall and PFSense have Captive Portal options-
which is VERY Cool if you want to go that route- (it's just like
logins at the airport or starbucks).
>
> -- wireless connectivity, however, could be provided by a separate device
> (which is already in place) so it's not critical to be an all in one product
If you, say, got a Soekris/WRAP box with just one mini-PCI slot (like
the ol' faithful net4801), you could simply put the 'internal' access
point on that network, and lock it down however you see fit for that
device- and then use the onboard wireless to run the 'open' AP.
>
> -- IP NAT for VPN or generic wireless users
m0n0wall and PFSense do that with ease.
>
> -- internal authoritative DNS server to provide internal server naming for
> development servers, etc; company internet facing authoritative DNS is
> handled elsewhere
m0n0wall and PFSense also have a VERY easy to configure DNS proxy,
you can do really amazing time-saving things with it.
>
> -- authorized VPN users have access to development servers on local and
> remote networks
Ooooh- tricky- just tweak the firewalls once you have the VPN's setup
and working.
>
> -- authorized VPN users have access to SMB/Windows network routing to a
> remote/local Samba/Windows file
? That's all in the setup. If your VPN client machines are stable, I
don't see this as a problem once they're authenticated into the network.
>
>
> Now I realize I could build up a server with the firewall rules,
> functionality, etc., but I'm really looking towards an out-of-box solution.
> Some type of pre-configured appliance with HTTPS administration. I've
> looked at several different options, including:
>
> -- wireless integrated routers from vendors such as Linksys, D-Link, etc.,
> such as the Linksys WRVS4400N or RV016, or the D-Link DFL-CPG31
>
> -- alternative firmwares for above routers
>
> -- combining a BSD installment with a hardware appliance, such as Soekris
> with m0n0wall
Did I say m0n0wall and PFSense yet? :)
>
>
> Commercial or free solutions are ok, although from what I've seen above,
> they all seem to fall short in some way, especially in providing a full DNS
> server for the VPN users. Any feedback/thoughts/experiences are
> appreciated.
>
> H
m0n0wall and PFSense blow every commercial piece of junk I've touched
out of the water, and as an important bonus, they're easy to use-
(e.g. you can train any competent tech to manage them).
Rocket-
.ike
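The dual-wireless layout Ike sketches above (one open, throttled guest AP that cannot reach the office LAN; one internal AP tied into the LAN; NAT for everyone; PPTP passed through to the box for the Windows XP road warriors; VPN users allowed only to the development servers) can be expressed directly as a pf ruleset. The block below is an added example for this thread, not a ruleset exported from pfSense or m0n0wall (pfSense is built on pf; m0n0wall of that era used ipfilter, so this would need translating for it). Every interface name, address range, server address and bandwidth figure is an assumption chosen for illustration.

```pf
# Added example: hand-written pf.conf for a Soekris/WRAP-style box with
# one wired uplink, one wired LAN port and two mini-PCI wireless cards.
# All names, networks and bandwidth figures below are assumptions.

ext_if    = "sis0"                        # upstream / ISP link
lan_if    = "sis1"                        # wired office LAN
wifi_int  = "ath0"                        # mini-PCI #1: internal (closed) AP
wifi_open = "ath1"                        # mini-PCI #2: open guest AP

lan_net   = "192.168.1.0/24"              # wired LAN
wint_net  = "192.168.2.0/24"              # internal AP clients
guest_net = "192.168.100.0/24"            # open AP clients
vpn_net   = "192.168.200.0/24"            # PPTP client address pool
int_nets  = "{ 192.168.1.0/24, 192.168.2.0/24 }"
dev_srvs  = "{ 192.168.1.10, 192.168.1.11 }"   # development servers

set skip on lo0
scrub in all

# --- Throttle the open segment with ALTQ --------------------------------
# Downloads: ALTQ shapes egress, so cap what leaves wifi_open toward guests.
altq on $wifi_open cbq bandwidth 1Mb queue { q_guest_down }
queue q_guest_down bandwidth 1Mb cbq(default)
# Uploads: guest-sourced traffic leaving the uplink goes into a small queue.
altq on $ext_if cbq bandwidth 10Mb queue { q_guest_up, q_default }
queue q_guest_up bandwidth 512Kb cbq
queue q_default  bandwidth 9Mb   cbq(default)

# --- NAT everything private out the uplink -------------------------------
nat on $ext_if from { $int_nets, $guest_net, $vpn_net } to any -> ($ext_if)

# --- Default deny, then punch holes --------------------------------------
block log all
antispoof quick for { $lan_if, $wifi_int, $wifi_open }

# Traffic the router itself originates (DNS proxy lookups, NTP, updates).
pass out quick on $ext_if keep state

# Guest AP: let clients get DHCP and DNS from this box ("self" = every
# address the box owns), then block them from the LAN, the VPN pool and
# the box itself, and finally let whatever is left reach the Internet.
pass  in quick on $wifi_open inet proto udp from any port 68 to any port 67
block in quick on $wifi_open from ! $guest_net            # no spoofed sources
pass  in quick on $wifi_open proto { tcp, udp } from $guest_net to self port 53 keep state
block in quick on $wifi_open from $guest_net to { $int_nets, $vpn_net, self }
pass  in on $wifi_open from $guest_net to any keep state queue q_guest_up

# Internal AP and wired LAN: trusted, locked down only by what you add here.
pass in on $lan_if   from $lan_net  to any keep state
pass in on $wifi_int from $wint_net to any keep state

# PPTP from the field: control channel on TCP 1723 plus GRE (proto 47)
# to the uplink address; the PPTP daemon on the box terminates the tunnel.
pass in on $ext_if proto tcp from any to ($ext_if) port 1723 keep state
pass in on $ext_if proto gre from any to ($ext_if)

# Authenticated VPN clients (addresses from the PPTP pool, arriving on the
# tunnel interfaces) may reach the development servers and nothing else.
pass in from $vpn_net to $dev_srvs keep state
block in log from $vpn_net to $int_nets
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`; the `block log all` plus `pflog0` makes it easy to see which guest or VPN packet a rule is eating. Rule order matters: the guest-side `quick` rules for DHCP and DNS sit before the `quick` block to `self`, because a non-quick pass earlier in the file would be overridden by the later quick block. Two caveats a practitioner would add: the `dev_srvs` rule only covers development servers on the local LAN (reaching servers on a remote network needs a site-to-site tunnel and matching rules on the far side), and PPTP's authentication (MS-CHAPv2) has well-known weaknesses, so treat the pass-through lines as an expression of what the post describes rather than an endorsement of PPTP.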