[olug] Home network, firewall, vpn design..

Ken emptymm at cox.net
Wed Feb 18 01:36:48 UTC 2004


Ken wrote:
[snip]
> 
> Cable Modem / Internet (Cox)
>         |
>         |
> OpenBSD (P100,32MB) - pf, nat/dhcp
>         |   
>         |
> Linksys Switch 8 port -----------------
>         |                             |
>         |                Compaq Switch/Router 4port + 802.11b
>         |                             (dhcp disabled)
>         |                             |
>         |-- Linux (P3,750MHz,192MB)   |-- Laptop (WinXP, wifi)
>         |       * VPN, FreeS/WAN?     |-- iPAQ PocketPC (wifi)
>         |       * Samba print & file
>         |       * Internal DNS
>         |       * Log collection (from firewall)
>         |       * IDS?
>         |
>         |--Linux Desktop
>         |--Linux / WinXP Pro Desktop
>         |--Linux / WinXP Pro Desktop
> 

First off, thanks for all the great responses.  I appreciate the 
insights.  Unfortunately I'd rather make the mortgage payment than pick 
up the Cisco solutions that were mentioned :)

My primary objective with the OpenBSD firewall was to be "cheap & 
secure" and make use of the P100.  Obviously the P100 would make a 
pretty crappy VPN server so I had wanted to use the resources on the 
internal Linux server for that without directly exposing it to the 
internet.

After reading Phil's feedback about NAT, though, it does seem like this 
would be a pain, and it would seem to require a NAT patch for both the 
FreeS/WAN server and the client (ugh).

So, in light of that I have one other idea.  I've been doing some 
reading on using OpenBSD/pf as a transparent packet filter with no NAT 
or IP address: http://ezine.daemonnews.org/200207/transpfobsd.html

Using this method it would appear that I could run the VPN on the Linux 
server using the configuration below and still enjoy the increased 
security of not directly exposing my Linux server to the internet (aside 
from the VPN service), without the pain of dealing with NAT VPN pass-through:


Cable Modem / Internet (Cox)
         |
         |
-------------------
OpenBSD (P100,32MB) - 2 NICs - pf
   *Transparent filter, no ip address
-------------------
         |
         |
--------------------
        External NIC - VPN (FreeS/WAN)
         |
  Linux (P3,750MHz,192MB) - 2 NICs
         |
        Internal NIC - * NAT/dhcp
--------------------  * Samba print & file
         |             * Internal DNS
         |             * Log collection (from firewall)
         |             * IDS?
         |
Linksys Switch 8 port -------------------
         |                               |
         |                Compaq Switch/Router 4port + 802.11b
         |                             (dhcp disabled)
         |-Linux Desktop                |
         |-Linux / WinXP Pro Desktop    |-- Laptop (WinXP, wifi)
         |-Linux / WinXP Pro Desktop    |-- iPAQ PocketPC (wifi)

So, trying again, does anyone have any thoughts on this?  I've never 
tried running a transparent packet filter but have to admit it seems 
rather enticing (and cool).  I'd be especially curious to know if anyone 
can still see a potential conflict with the VPN.

Thanks again,
Ken
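
Editor's note (added example, not part of Ken's post or of the daemonnews 
article he links): this is one way the transparent OpenBSD box in the 
second diagram could be configured so that only the FreeS/WAN traffic, and 
the cable-modem DHCP lease the Linux external NIC now has to obtain itself, 
get through from the Cox side. It assumes OpenBSD 3.x-era pf syntax (2004, 
so `keep state` is spelled out and there is no NAT-T in the path), that the 
two NICs are fxp0 (cable modem) and fxp1 (Linux external NIC), and that the 
Linux box is the only host on the segment between the two, which is why the 
rules use `any` rather than an address the bridge does not have.

```pf
# --- /etc/hostname.fxp0  (cable modem side; no IP address) ---
# up
# --- /etc/hostname.fxp1  (Linux FreeS/WAN side; no IP address) ---
# up
# --- /etc/hostname.bridge0 ---
# add fxp0
# add fxp1
# up
# --- /etc/rc.conf.local ---
# pf=YES
#
# --- /etc/pf.conf ---
# Interface names are assumptions; neither NIC carries an IP address,
# so nothing below can use the (fxp1) address-of-interface syntax.
ext_if = "fxp0"          # toward the cable modem / Cox
int_if = "fxp1"          # toward the Linux server's external NIC

set block-policy drop
set loginterface $ext_if

# Reassemble fragments before the rules see them.
scrub in on $ext_if all

# Filter once, on the cable-modem side only.  A bridged packet is seen
# by pf on both interfaces; passing everything on the inside NIC keeps
# each packet from being evaluated twice.
pass quick on $int_if all

# Default deny in both directions on the outside NIC; log the drops so
# they can be read later with: tcpdump -n -e -ttt -r /var/log/pflog
block in  log on $ext_if all
block out log on $ext_if all

# The Cox DHCP lease now lands on the Linux external NIC instead of on
# the OpenBSD box, so the bootp exchange must cross the bridge.
pass out on $ext_if proto udp from any port 68 to any port 67
pass in  on $ext_if proto udp from any port 67 to any port 68

# Let the Linux box (and, via its NAT, the LAN) out, replies come back
# through state.  Nothing unsolicited is allowed in below this point
# except the IPsec rules.
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state

# FreeS/WAN: IKE on UDP 500, then ESP (protocol 50) and AH (protocol 51).
# No NAT sits between the Internet and the Linux box, so no UDP
# encapsulation / NAT traversal rules are needed.
pass in  on $ext_if proto udp from any to any port 500 keep state
pass in  on $ext_if proto { esp, ah } all
pass out on $ext_if proto { esp, ah } all
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and 
bring the bridge up by hand (`brconfig bridge0 add fxp0 add fxp1 up`) or 
reboot. One practical caveat for the "Log collection (from firewall)" item 
in the diagram: with no IP address the OpenBSD box cannot send syslog or 
pflog data to the Linux server over the network. Either read the pflog 
file on the box itself, or give the inside NIC (fxp1) a private address; 
an OpenBSD bridge member can carry an address and still bridge, and that 
address is only reachable from the segment between the two machines.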
