Dustin Puryear <[EMAIL PROTECTED]> writes:

> Okay, so I want to set up a few wireless users. So even 128-bit WEP is
> just plain broken, right? That is what I was left thinking last time I
> looked into this, but I want to make sure.
>
> Here is the solution that I am looking at using:
>
>     Internet <-------------------------|
>                                        |
>     wireless                           |
>     users <---> wireless AP <----> (ext) firewall (int) <---> VPN gateway <---> network
>
> Each user has VPN software and connects to the VPN gateway and through
> the VPN into the internal network.
Yep. You just have to write your firewall rules to only allow your VPN gateway traffic. I use a similar architecture, but my VPN gateway and firewall are the same box.

nolug.org has a detailed article I wrote on how I'm doing it. The firewall rules may be helpful to you; they're for OpenBSD, but you should be able to translate them to whatever you're using. Just make sure that whatever you're using understands and can filter AH and ESP packet traffic (assuming you're using IPSEC).

-- 
Scott Harney <[EMAIL PROTECTED]>
"...and one script to rule them all."
gpg key fingerprint=7125 0BD3 8EC4 08D7 321D CEE9 F024 7DA6 0BC7 94E5
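As an added illustration of the rule set the reply describes (this is not the nolug.org article's configuration or either poster's code), a minimal OpenBSD pf.conf that lets wireless clients reach nothing but the VPN gateway, and only with IPsec traffic; the interface names, addresses and current pf syntax are assumptions:

```pf
# Assumed interface names and addresses; adjust to your own layout.
wifi_if  = "wi0"               # interface facing the wireless AP
int_if   = "fxp0"              # interface facing the internal network
wifi_net = "192.168.10.0/24"   # address block handed to wireless clients
vpn_gw   = "192.168.1.5"       # the VPN gateway on the internal side

set skip on lo0

# Default deny: anything not explicitly passed below is dropped and logged,
# so a wireless client that is not inside the tunnel cannot touch the LAN.
block log all

# Only IPsec to the VPN gateway is allowed from the wireless segment.
# The pass rules are stateful, so replies from the gateway are matched
# by the state entry rather than needing separate rules.
pass in on $wifi_if proto udp from $wifi_net to $vpn_gw port 500    # IKE
pass in on $wifi_if proto udp from $wifi_net to $vpn_gw port 4500   # IKE NAT-T, if used
pass in on $wifi_if proto esp from $wifi_net to $vpn_gw             # ESP payloads
pass in on $wifi_if proto ah  from $wifi_net to $vpn_gw             # AH payloads

# Traffic that has already been decrypted by the gateway arrives on the
# internal side and is filtered there under whatever LAN policy you use.
pass on $int_if
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; anything a wireless client sends outside the tunnel shows up in `tcpdump -n -e -ttt -i pflog0` as a blocked packet.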
