Evan, In our setup - we have a vpn server running on a windows machine (windows server 2000 - you don't say if you are running a "windows server" OS or not). All I had to do was enable the VPN service on the windows server, make sure user accounts had rights to it, and tell people to make a new network connection (VPN) and enter our public IP. After I port forwarded 1723 to the server - connections were pretty much seamless. I still have some problems with DNS for local hostnames, but IP addresses work without issue.
That approach (or a similar one) will let you verify if things will work over a VPN tunnel, and the only thing you need to do to the smoothwall box is forward a port. You don't need to learn how to get a VPN server running with smoothwall right away.

I will eventually be moving our VPN server to a Linux or BSD based firewall at the border because I would rather drop unwanted traffic there instead of propagating it across the LAN, not to mention I don't like direct connections to our internal server (even before considering the fact that it's a windows box).

There might also be another benefit in using a VPN connection: you don't need to expose sourcesafe to unsolicited internet traffic on the forwarded port. I'm not familiar with sourcesafe but, IMO, the VPN server code is probably going to be more thoroughly reviewed for security holes and, being more widely used, security holes will be identified and fixed more quickly than in a less mainstream package.

Regards,
Dana Harding

----- Original Message -----
From: "Evan Brown" <[EMAIL PROTECTED]>
To: "CLUG General" <[email protected]>
Sent: Wednesday, September 20, 2006 3:28 PM
Subject: Re: [clug-talk] Smoothwall firewall

> I was just wondering about that myself. I haven't done any VPN'ing myself ever and I would have to look at it, but I know that smoothwall has the capability. That may be the easiest thing to do or the hardest... :) I will definitely look into that, thanks for the idea.
>
> Evan
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Why not use a VPN? This way the client always uses the internal IP?
>>
>> Just a thought.
>>
>> Cheers,
>>
>> Evan Brown wrote:
>>
>>> There is no orange zone, we have 1 windows server that handles dhcp, source safe (source code control) and dev databases. When we are all in the office this isn't a big deal, but when we have to go out of the province or whatever to install software or whatever, we have to use source offsite, which interacts with our source safe install. Before we can go offsite you have to do a get on all the source you will be working on through source offsite, because we've discovered that it causes problems if we use source safe's client and just try to switch to source offsite's client. They play together but they don't like to be swapped around. Source offsite was originally registered to a certain IP and it uses that to create some ID that is used when it locks code for check out or whatever. If we check things out locally with offsite and hit the server from 192.168.xxx.xxx then the ID is different from when we hit it from the red zone 205.xxx.xxx.xxx, so we need to be able to hit that red zone IP from the green to get around these problems. I know next to nothing about configuring iptables and need a fairly hand-holding experience. I've been cruising around the forum from smoothwall and google and I came up with that example, but I'm not sure what it does or where in the file I insert it.
>>>
>>> Evan
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> It's funny, I am having the same issue with one of my clients (only they have an expensive Sonicwall appliance). The solution for them was to have a host entry on the proxy server point to the internal IP, which worked fine as theirs was a web app.
>>>>
>>>> For you, the iptables code below looks like it might work, but iptables can mangle the packets, which may still break your application (if there is some sort of encryption or authentication key, NAT may be of no help). I would need more information about your specific needs to be able to help. Do you have an Orange (DMZ) network set up? This might not be a bad approach: if this app resides in the DMZ, then everyone sees the same IP. Actually this is the point of a DMZ.
>>>>
>>>> On another, mostly unrelated note, I have been impressed with pfsense (http://www.pfsense.org), a fork of MoNoWall, but pf is a different beast from iptables altogether (it is the BSD equivalent to netfilter aka iptables).
>>>>
>>>> Evan Brown wrote:
>>>>
>>>>> I found this on the smoothwall site in the forums and, since I know nothing about iptables, does this look like it will work?
>>>>>
>>>>> Hi, I downloaded and installed Smoothwall 2 Express, only testing smoothwall with a green and orange configuration (ISDN and DSL are disabled). Via web administration I put forwardings from GREEN to ORANGE zone and these rules are not working; via ssh I execute iptables -t nat -L and I don't see my rule.... but if I edit the rc.firewall.up and put the rules in manually
>>>>>
>>>>> "/sbin/iptables -t nat -A PREROUTING -p tcp -i $GREEN_DEV -d 10.1.1.229 --dport 23 -j DNAT --to 192.168.77.2:23"
>>>>> "/sbin/iptables -A FORWARD -p tcp -i $ORANGE_DEV -d 192.168.77.2 --dport 23 -j ACCEPT"
>>>>>
>>>>> the forward works, and when I execute iptables -t nat -L I see my rule, and then
>>>>>
>>>>> Evan
>>>>>
>>>>>> That's the nature of the beast. I've seen this happen on a number of systems, including mine -- m0n0wall. I don't think IPCop has this flaw though.
>>>>>>
>>>>>> AFAIK, there is no way around it; of course, I could just be blowing smoke.
>>>>>>
>>>>>> Out of curiosity, why can't you just use the local IP? Why do you need to use the remote one?
>>>>>>
>>>>>> On 9/20/06, *Evan Brown* <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:
>>>>>>
>>>>>> Hi
>>>>>>
>>>>>> I'm not sure if anyone is experienced with the Smoothwall firewall, but I have one set up and running well, although I have a small problem from a usability standpoint. I need to connect from my green zone to the red zone using the red zone IP address. We are currently port forwarding from red to green and that works fine outside of the LAN, but when we're on the LAN we can't hit the red zone IP. Any help would be appreciated.
>>>>>>
>>>>>> Evan Brown
>>>>>>
>
> _______________________________________________
> clug-talk mailing list
> [email protected]
> http://clug.ca/mailman/listinfo/clug-talk_clug.ca
> Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
> **Please remove these lines when replying
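What Evan is asking for is hairpin NAT (also called NAT reflection): a GREEN host dials the RED address, the firewall rewrites it to the internal server, and the reply has to come back through the firewall so the client sees it arriving from the address it dialled. The forum rule quoted in the thread does only the first half (DNAT) and relies on a FORWARD rule keyed on the wrong input interface for GREEN-originated traffic. The script below is an added example written for this thread; it is not from any of the posts and not part of Smoothwall. It assumes the same netfilter layout the thread describes (GREEN is the LAN interface, RED the public side), that rc.firewall.up exposes $GREEN_DEV as the quoted rule already uses, and the function name, argument order and the 203.0.113.10 / 192.168.1.0/24 sample addresses are all mine. It emits the rules rather than applying them, so it can be reviewed or piped to sh from rc.firewall.up.

```shell
#!/bin/sh
# Hairpin ("NAT reflection") rules for a Smoothwall-style netfilter box, so a
# host on GREEN can reach a RED->GREEN port forward by the public RED address.
# Added example for this thread; not from the original posts or from Smoothwall.
#
# Why three rules and not one:
#  1. PREROUTING DNAT rewrites the public destination to the internal server,
#     exactly as the existing red->green forward does for outside clients.
#     "-s GREEN_NET" keeps it from touching traffic that arrived on RED.
#  2. POSTROUTING MASQUERADE is the part the forum rule lacked. Without it the
#     server would answer the GREEN client directly (same subnet); the client
#     would see a SYN/ACK from 192.168.x.x instead of the public IP it
#     connected to, and the TCP handshake would never complete.
#     The cost: the server now sees every hairpinned connection as coming
#     from the firewall's GREEN address, so per-client IP logging or ACLs on
#     the server stop distinguishing internal users. This is the "NAT may be
#     of no help" caveat from the thread: an app that keys on the client's
#     source address will still break.
#  3. FORWARD must accept the packet when it is routed back out GREEN
#     (-i GREEN -o GREEN), not "-i ORANGE_DEV" as in the quoted rule.
#
# hairpin_rules PUBLIC_IP PORT INTERNAL_IP GREEN_DEV GREEN_NET
#   prints one iptables command per line and returns 0, or prints nothing and
#   returns 1 on bad arguments. To apply from rc.firewall.up (assumed names):
#   hairpin_rules "$RED_ADDRESS" 8080 192.168.1.5 "$GREEN_DEV" 192.168.1.0/24 | sh
hairpin_rules() {
    if [ $# -ne 5 ]; then
        echo "usage: hairpin_rules PUBLIC_IP PORT INTERNAL_IP GREEN_DEV GREEN_NET" >&2
        return 1
    fi
    public_ip=$1 port=$2 internal_ip=$3 green_dev=$4 green_net=$5

    # Validate the port before it ends up in a rule: a stray word here would
    # make iptables fail partway through rc.firewall.up.
    case "$port" in
        ''|*[!0-9]*) echo "hairpin_rules: port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "hairpin_rules: port out of range: $port" >&2
        return 1
    fi

    printf '%s\n' \
        "/sbin/iptables -t nat -A PREROUTING -i $green_dev -s $green_net -d $public_ip -p tcp --dport $port -j DNAT --to-destination $internal_ip:$port" \
        "/sbin/iptables -t nat -A POSTROUTING -o $green_dev -s $green_net -d $internal_ip -p tcp --dport $port -j MASQUERADE" \
        "/sbin/iptables -A FORWARD -i $green_dev -o $green_dev -s $green_net -d $internal_ip -p tcp --dport $port -j ACCEPT"
}

# Stand-alone use: ./hairpin.sh 203.0.113.10 8080 192.168.1.5 eth0 192.168.1.0/24
# (constructed sample addresses; substitute your RED address, server and LAN).
if [ $# -ge 3 ]; then
    hairpin_rules "$@"
fi
```

Run it once without piping to sh and read the three lines before adding them to rc.firewall.up after Smoothwall's own port-forward rules; if the internal server logs client addresses, expect every in-office connection to show up as the firewall's GREEN IP.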

