[nycbug-talk] VPN/Integrated Router Appliances

Hans Zaunere lists at zaunere.com
Wed Oct 18 21:56:26 EDT 2006


Hey Ike, all - thanks all for the feedback.  And thanks Miles for the
scripts/configs.  I'll keep them on hand.

Isaac Levy wrote on Tuesday, October 17, 2006 12:43 PM:
> Hi Hans, All,
> 
> In short, after the lecture I gave on PFSense and m0n0wall, I'd
> SERIOUSLY recommend you take a look at those packages.
> 
> Either would likely fit the bill; feel free to ask any
> deployment/setup questions offlist.

Thanks Ike - I have my eye on pfsense actually...

> On Oct 15, 2006, at 8:11 PM, Hans Zaunere wrote:
> 
> > 
> > Hi,
> > 
> > We're looking to deploy a [small] office integrated router to
> > provide the following primary functionality:
> > 
> > -- remote/field user VPN access without having to install VPN
> > clients on their laptops/desktops; most remote users are Windows XP based
> 
> I can't say precisely, as I have little experience with the WinXP
> side, but I believe PPTP is ideal for Windows XP client VPNs.
> 
>  From the m0n0wall handbook:
> http://doc.m0n0.ch/handbook/pptp-windows.html
> 
> Hope that helps-?

Yeah, that's perfect - would work without mucking with Windows' clients,
etc.  I have to use an SSL-VPN through IE at times, which uses an ActiveX to
intercept traffic.  It's creepy, quite frankly.

> > -- wireless connectivity for the office space; wireless access can
> > be open, but only authorized users should have the benefit of being in the
> > "internal" network - the rest just have generic internet access
> 
> Dude, both m0n0wall and PFSense can be setup to do this in a myriad
> of ways-
> 
> If you say, got a soekris or wrap box with dual mini-PCI slots, you
> could have this setup with a single router.  One wireless network
> could be 'open', with restricted bandwidth throttling, and firewalled
> off so it doesn't pass packets to the internal network.  The other
> wireless card could then be tied directly into the 'internal'
> network, and locked down however you see fit.
> 
> Additionally, both m0n0wall and PFSense have Captive Portal options-
> which is VERY Cool if you want to go that route- (it's just like
> logins at the airport or starbucks).

I've been considering the captive portal route... could probably hack some
things using PHP too, it seems, to give various levels of wireless access.

> > -- wireless connectivity, however, could be provided by a separate
> > device (which is already in place) so it's not critical to be an
> > all-in-one product
> 
> If you say, got a soekris/wrap box with just one mini-PCI slot, (like
> the ol' faithful net4801), you could simply put the 'internal' access
> point on that network, and lock it down however you see fit for that
> device- and then use the onboard wireless to run the 'open' AP.

I'll probably go with the souped-up Soekris.  Which actually brings up another
question.  I've heard some mumblings around about their stability (heat?).
I'm considering a configuration such as:

-- 4gb CompactFlash
-- wireless card
-- attach external switch for local desktops

Anyone have positives/negatives for the net4801 or net4826?

> > -- IP NAT for VPN or generic wireless users
> 
> m0n0wall and PFSense do that with ease.

Nice.  We'll have a small number of VPN users (~5) - any need for the
hardware encryption options?

> > -- internal authoritative DNS server to provide internal server
> > naming for development servers, etc; company internet facing
> > authoritative DNS is handled elsewhere
> 
> m0n0wall and PFSense also have a VERY easy to configure DNS proxy,
> you can do really amazing time-saving things with it.
> 
> > 
> > -- authorized VPN users have access to development servers on local
> > and remote networks
> 
> Ooooh- tricky- just tweak the firewalls once you have the VPN's setup
> and working.

Ok, seems doable...

> > -- authorized VPN users have access to SMB/Windows network routing
> > to a remote/local Samba/Windows file
> 
> ? That's all in the setup.  If your VPN client machines are stable, I
> don't see this as a problem once they're authenticated into the
> network. 

Ok, doesn't seem like a problem.  But I have heard of problems routing
Windows protocols, but they're probably really only a problem on the Linksys
products.

> > Now I realize I could build up a server with the firewall rules,
> > functionality, etc., but I'm really looking towards an out-of-box
> > solution. Some type of pre-configured appliance with HTTPS
> > administration.  I've looked at several different options,
> > including: 
> > 
> > -- wireless integrated routers from vendors such as Linksys, D-Link,
> > etc., such as the Linksys WRVS4400N or RV016, or the D-Link DFL-CPG31
> > 
> > -- alternative firmwares for above routers
> > 
> > -- combining a BSD installment with a hardware appliance, such as
> > Soekris with m0n0wall
> 
> Did I say m0n0wall and PFSense yet? :)
> 
> > 
> > 
> > Commercial or free solutions are ok, although from what I've seen
> > above, they all seem to fall short in some way, especially in
> > providing a full DNS server for the VPN users.  Any
> > feedback/thoughts/experiences are appreciated. 
> > 
> > H
> 
> m0n0wall and PFSense blow every commercial piece of junk I've touched
> out of the water, and as an important bonus, they're easy to use-
> (e.g. you can train any competent tech to manage them).

Yeah, I'm starting to prefer pfsense too.  Linksys has some new products out
there that are interesting, but I've heard a lot of issues with them and I'd
rather have BSD watching my network anyway.

Thanks,

H
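[Editor's note: the ruleset below is an added illustration, not part of the thread and not m0n0wall's or pfSense's generated configuration. It is a hand-written pf.conf for the design Ike sketches above: an open wireless network that is bandwidth-capped and firewalled off from the internal LAN, an internal AP hanging off the wired network, PPTP terminated on the router's WAN side, and VPN users allowed only to the development hosts and the file server. Interface names (sis0/sis1/ath0/ng0), the address plan, the dev/file server addresses and the 2 Mb/s cap are all assumptions. PPTP appears because it is what the thread discusses; its MS-CHAPv2 authentication has since been shown to be breakable, so a current deployment would terminate IPsec or OpenVPN instead and keep the same filtering structure.]

```pf
# --- Macros (assumed interface names and address plan; adjust for the box) ---
ext_if   = "sis0"                  # WAN uplink
int_if   = "sis1"                  # wired LAN: office switch plus the 'internal' AP
guest_if = "ath0"                  # onboard mini-PCI card running the 'open' AP
vpn_if   = "ng0"                   # tunnel interface created by the PPTP server

int_net     = "192.168.10.0/24"
guest_net   = "192.168.20.0/24"
vpn_net     = "192.168.30.0/24"
dev_servers = "{ 192.168.10.50, 192.168.10.51 }"   # assumed development hosts
file_server = "192.168.10.60"                      # assumed Samba/Windows file server
smb_ports   = "{ 137, 138, 139, 445 }"

# All RFC 1918 space: guests are kept out of it entirely
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# --- Options / normalisation ---
set skip on lo0
set block-policy drop
scrub in all

# --- Queueing: cap what the open wireless network can pull (ALTQ/CBQ) ---
altq on $guest_if cbq bandwidth 2Mb queue { guest_q }
queue guest_q bandwidth 2Mb cbq(default)

# --- Translation: internal, guest and VPN clients all NAT out the WAN ---
nat on $ext_if from { $int_net, $guest_net, $vpn_net } to any -> ($ext_if)

# --- Filtering: default deny, then allow per network ---
block log all

# Services the router itself offers guests: DHCP and the DNS forwarder
pass in quick on $guest_if proto udp from any port 68 to any port 67
pass in quick on $guest_if proto udp from $guest_net to ($guest_if) port 53 keep state

# Guests never reach the internal LAN, the VPN pool or any other private leg...
block in log quick on $guest_if from $guest_net to <private>
# ...but get plain internet access; replies to these states are shaped by guest_q
pass in on $guest_if from $guest_net to any keep state queue guest_q

# Internal LAN (wired hosts and the internal AP): unrestricted outbound
pass in on $int_if from $int_net to any keep state

# PPTP terminated on the router: TCP 1723 control channel plus GRE
pass in on $ext_if proto tcp from any to ($ext_if) port 1723 flags S/SA keep state
pass in on $ext_if proto gre from any to ($ext_if) keep state

# VPN users: development servers (all ports) and SMB on the file server, nothing else
pass in on $vpn_if from $vpn_net to $dev_servers keep state
pass in on $vpn_if proto { tcp, udp } from $vpn_net to $file_server port $smb_ports keep state

# Anything admitted by a rule above may leave; the router's own traffic too
pass out all keep state
```

Before loading, check the syntax with `pfctl -nf /etc/pf.conf` (parse only), then `pfctl -f /etc/pf.conf` to activate; `pfctl -sr` and `pfctl -ss` show the loaded rules and state table. The guest section relies on `quick` ordering: the two router-service rules must sit above the `<private>` block, and the block above the general pass, or guests either lose DNS/DHCP or gain a path onto the internal LAN. The pfSense and m0n0wall web interfaces generate an equivalent ruleset from the GUI; reading the generated rules back with `pfctl -sr` is the way to confirm the clickable policy really matches this intent.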