Topic: Network setup - openvpn

[jvels]

Hi

I have to setuo my network for at SME 7 server there can run openVPN.

Somethnig about my gear:
1. My isp use a Zyxel 2602 router with a dsl modem. Current i forward all port to one IP.
2. My Access point is also router. Current all port from the Zyxel router is forward to it.

My question is. How should i setup my network hardware?

I have self made some senarios:


A: Use the ISP modem/router forward all ports to the SME 7. The access point is only connectet to a hub (but not with the wan/internetport). SME 7 is the "router" and dhcp server and default gateway on the net.

B: Use the ISP modem/router forward all ports to the Linksys router/accesspoint. The access point is firewall (number 2 :-/), and default gateway. SME 7 is dhcp server

C: or some suggestion ?

As i write, it would be nice to access my local network from outsite with openVPN.

Best Regrads
Jesper Vels

[RvLardin]

We uses the "B" configuration by several customers, mainly when they need to have an open Access Point.

First, can't you turn off the 'router' function of your Zyxel, to make it a simple modem ?
=> If not, you can forward all ports to your AP/Router.
On your AP/Router, set up the wifi and forward all ports to the next, the SME that you can either configure in DHCP or fixed IP.

In this way, whatever could be you wifi settings policy, you get a very secure Wifi network (firewall between wifi and local LAN).

After that, you will have to set up a VPN, in order to allows your users when they are under wifi or when they are outside, to gain access to your local network (protected by your SME).
We use OpenVPN that is really stable and permit all protocols (uncluding SIP ...).
There is a choice to make between a "bridge" configuration or not. We use bridge so that vpn'users get an IP inside the SME IP range but that's discutable. Our contrib for OpenVPN (derivated from Swerts Knudsen one) is there :
sme.firewall-services.com

If you get pb, don't hesitate to post here.

A+,
RV.

[jvels]

What mode should SME 7 run as?

server only or gateway?

[RvLardin]

We *allways* use gateway's mode.

[jvels]

Hi

Can you give me a sample what IP's the devices need?

A thing you guide need (as I see) is a littel sample, (something like my sample) where you show, what IP configs are needed.

I have tryed your guide befor, but cound't getting work (mabe because I not have use the right gateway's or IP)

So a littel drawing's with some IP's on would be a greate help I thing

Best Regrads
Jesper Vels

[jonroberts]

Not sure I've understood this correctly, but if it helps we use a similar setup & IPs configured (for example) as:

ADSL Router / Firewall - 10.0.0.1
|
SME 7 WAN IP - 10.0.0.3
|
SME 7 LAN IP - 192.168.0.1
|
Internal LAN - 192.168.0.x

Most ADSL Routers have a DMZ option which can be set to 10.0.0.3 to just forward everything to the SME.

Personally I prefer to configure the firewall in the ADSL router to only allow traffic on ports that I want to use on the SME (& maybe allow all from our IP range for external support) on the basis that, if the security is there we might as well use it.

Jon

[jvels]

ADSL Router - 10.0.0.1 (forward all ports to 10.0.0.3)
|
Acesspoint and Router WAN - 10.0.0.3 (forword all ports to 192.168.1.1)                ----> laptop connectet to wlan - 192.168.1.2
|
SME WAN IP - 192.168.1.1
|
SME LAN - 192.168.0.1
|
Internal LAN - 192.168.0.X

Would this setup work?

My laptop there connect to the network can only use samba etc. when It is connect with openvpn right?

Does SME7 have a web interface to manage the SME router/firewall (port forwarding / open close ports etc. )?

My accesspoint can use radius authentication. When I create a SME7 user, can the user also connect with radius to the wlan?

Best Regrads
Jesper Vels

[jonroberts]

Jesper,

If your Access Point is acting as a router, it should have two network interfaces.  In which case you will need something like:

ADSL Router - 10.0.0.1 (forward all ports to 10.0.0.3)
|
Acesspoint Router WAN IP- 10.0.0.3
|
Acesspoint Router LAN IP 192.168.1.2  (forword all ports to 192.168.1.1) ----> laptop connectet to wlan - 192.168.1.3
|
SME WAN IP - 192.168.1.1

Probably simpler to use it just as an access point, something like:

ADSL Router (assume min 2 ports) - 10.0.0.1 (forward all ports to 10.0.0.3)
|
Acesspoint Router IP- 10.0.0.2  (connected to Lan Port 1 in ADSL router)
|
----> laptop connectet to wlan - 10.0.0.4 (or whatever - I would set the ADSL router to act as DHCP to ease connection)
|
SME WAN IP - 10.0.0.3 (connect to Lan port 2 in ADSL router)
|
SME LAN - 192.168.0.1
|
Internal LAN - 192.168.0.X

Bear in Mind that with this set up, you laptop appears on the Internet side of the SME server, not on the local network (unless you VPN in from the laptop to the SME server).

There are contribs for port opening & forwarding - I'm sure a search of the forums will help you find them

[jvels]

Hello

Is ftp://ftp.firewall-services.com/OpenVPN/

down or??

[jvels]

Hi

Some one there have a idea whats wrong...?
in my logfil I get this:

Code: [Select]



Tue Oct 17 22:44:11 2006 client/10.0.0.10:33752 MULTI: bad source address from client [ff:00:ff:7c:bd:c0], packet dropped



I am just connect for about 10 sec. the the vpn reconnect...

[jvels]

some one there understand what he is saying?

http://openvpn.net/archive/openvpn-users/2005-03/msg00090.html

[jvels]

You can see my log file from the client at:
http://openvpn.se/bb/viewtopic.php?p=2957#2957