Topic: 3rd NIC for wireless gateway?

[John Lewis]

Greetings,

I'm running an SME 5.12 in gateway mode.  I'd like to install a 802.11b wireless accesspoint in my network, but given the security issues, would like to install it on a separate network external to the SME gateway to force VPN connectivity to get access to the network and for Internet access.



Internet--------------SME5.12-------------------Internal Network
                            |
                            |
                      Wireless Adaptor

I've read: http://www.e-smith.org/docs/howto/contrib/net_card.html, but this does not indicate what/how to set the firewall to allow VPN access to the internal network, but to deny all other traffic from this network.

Can someone point me in the right direction.  I'll happily create an updated howto.

Thanks.

[Bill Talcott]

Do you want the wireless accesspoint physically separated from the e-smith, or are you trying to install a wireless card as the third NIC in the e-smith but on the external side of it?

If you have a separate AP, you can just split the incoming connection with a switch to the e-smith and to the AP, rather than trying to hack up the e-smith to get another "external" port.

If you want to use PPTP from several clients behind a NATed connection, they won't be able to connect to the same destination IP. See http://forums.contribs.org/index.php?topic=13750.msg52324#msg52324 for more info...

[John Lewis]

Since I only have one IP address for the Internet side of the gateway, I want to use a 3rd network card to create a new network (call it a DMZ) that will only allow VPN connections past the SME firewall/gateway.  This network will have DHCP, but does not need NAT etc.  I don't want it to be a "trusted" network.

Let me draw another picture that will render better:

Internet
Eth1
|
|
|
SME 5.12 - - - - - - - - DMZ Network (Eth2) - - - - Wireless Access Point
|
|
|
Internal Network
Eth0

[Bill Talcott]

You want the wireless network to receive private IPs from the e-smith, and connect through the e-smith's single public IP right? That's what NAT is...

http://www.vicomsoft.com/knowledge/reference/nat.html
"Network Address Translation (NAT) is a method of connecting multiple computers to the Internet (or any other IP network) using one IP address."

You can PPTP from an internal computer. I do for testing quite often... I'm not sure how you would go about configuring it, but I think you could add the wireless adapter as a second internal interface, and block most of the traffic on that network, just enough to allow it to make a PPTP connection, which would give it an address on the main internal network, and all the regular privileges.

Now that I type that out, it sounds like what you originally said, but reworded. =)

I'm not sure on exactly how to do it, but there have been threads about setting up additional internal NICs. Once you get that setup, http://forums.contribs.org/index.php?topic=13306.msg50382#msg50382 might provide some info on how to block anything but PPTP connections from that network...

[Dub Dublin]

I asked the same question several weeks ago and never got an answer.  Of course, putting another interface in is trivial, but e-smith appears to assume that there is only one external interface.  

Multiple "local" or internal interfaces are supported, but no one here has yet coughed up an explanation of how to properly tell e-smith that an arbitrary new interface should be treated as an additional external interface.

****This is probably not that hard - how about it, e-smith old-timers?  What *really* tells the system to treat an interface as external rather than internal?  I suppose I could start by taking apart the rc files on my own, but I wouldn't trust my ability to do this well, since I definitely do not fully understand the e-smith architecture and its configuration scripts system.

BTW:  This needs to be easily supported through the UI in the next rev of e-smith.   Wireless is here to stay.  Since 802.11b is effectively wide open to the world, it makes sense to treat wireless interfaces as external, with connections to the inside via PPTP(proprietary), SWAN/IPSEC(open), or other tunneling methods.  In the spirit of e-smith, this should be made as automagic as possible.

[guestHH]

Hi Dub,

Take a look at this how-to ecspesially to the section adding a second NIC. It is valid for adding more nics.
http://www.star-support.com/downloads/mitel/contrib/Linux-HA/SME%20High%20Availability%20How-To.html

Maybe it gets you going...
Regards,
guestHH

[Bill Talcott]

Dub: I'm barely above a newbie to e-smith and Linux in general, so I may be way off here. When I think external, I'm thinking of whatever the connection is before it gets to the e-smith. Basically the same as sticking a hub before the e-smith. With that, the other interface would be getting its info from the same place the e-smith is (the ISP), not from the e-smith. Obviously this wouldn't work if you only had one public IP.

What I was trying to describe is adding another internal network, and basically declaring it insecure. Set it up to allow only VPN connections from that interface. When it made a VPN connection, it would get an IP from the main (secure) internal network, and LAN privileges now that the connection has been secured via the VPN connection. And since there's no NAT between the VPN clients and the local interface of the e-smith, you shouldn't have a problem with multiple connections.

Am I on to something here, or am I way messed up?

[Dub Dublin]

RequestedDeletion:

Thanks - I knew about your HA FAQ, but wouldn't have thought of looking there for this.  I'll check it out.

Bill:

It seems to me that the semantics of "adding another internal network, and basically declaring it insecure" are equivalent to saying that that additional interface is "external", since today, only the external interface is untrusted.

After all, the only real difference between internal and external is the policy that's applied to them.  Whatever happens, my guess is that you'll probably want a different network (or subnet) on htat interface in order to keep things straight.  This is different than a hub on the external interface, precisely because it would create a different IP network with which to work.

[John Lewis]

That's exactly right.

I started the process by installing a 3 NIC in the server.  

When the server came up, networking had been completely screwed. I could not access the server's internal or external ip addresses from other hosts, nor could I send packets out from either interface.  Ifconfig listed the correct information as well.

After trying to get things to work with the 3rd card in (by reconfiguring the network cards throught the admin/configure screens), I gave up, shut down, removed the card, and voila, the server returned to moving traffic.

Somehow, when installing a 3rd network card, SME changes something...

Not sure how to proceed here.  Guess I will have to create the config files for the eth2 device before I install it...

[Duncan]

I have an interest in this.

I have two e-smith boxes routing traffic accross a couple of zoom 4105 pcmcia wireless cards. Ultimately i will set them up between my office and home as a backbone between the two lans.

I am still considering what to do with respect to security.

The first thing will be WEP. Not really secure but enough to fool the wannabes.
Setting up the additional networks via the user manager also provides some security with respect to firewalling out anything that doesnt come from a specific interface, but again - not really secure enough. The other option would be IPsec between the lans and denying anything else in masq.

Its something i intend on playing around with over the next few weeks.

Regards Duncan

[Bill Talcott]

Dub Dublin wrote:
> It seems to me that the semantics of "adding another internal
> network, and basically declaring it insecure" are equivalent
> to saying that that additional interface is "external", since
> today, only the external interface is untrusted.
>
> After all, the only real difference between internal and
> external is the policy that's applied to them.  Whatever
> happens, my guess is that you'll probably want a different
> network (or subnet) on htat interface in order to keep things
> straight.  This is different than a hub on the external
> interface, precisely because it would create a different IP
> network with which to work.

Ok, we were thinking of the same thing at least. I was thinking "internal" as in downstream from the e-smith, as opposed to "external" and downstream from the cable modem (or whatever) and not a part of the e-smith's LAN. While you'd still be excluding the third NIC from the trusted LAN, I see it as internal simply because it's behind the e-smith. It would have a private IP and everything would be routed through the e-smith, rather than connected directly like the external NIC in the e-smith. Oh well, six of one, half dozen of another.