Topic: VPN connection Ipsec behind LAN interface for clients
Re: VPN connection Ipsec behind LAN interface for clients
« Reply #15 on: July 25, 2013, 20:20:30 »
Lee Sharp
Posts: 517
Your last post is correct. Say you have 123.456.78.128/29 for external, and 129 is your gateway. This gives you 5 IPs, so 4 extras are available. Note, however, that most users will not actually need a real IP. It is usually only when a company has several people in one hotel all trying to VPN in at once.
As for the bandwidth, open up SNMP on the WAN to your own office IP. Install cacti, and monitor the bandwidth of all your hotels. I am just glad they stopped pushing "zero IP config" so hard. That is a mess...
Re: VPN connection Ipsec behind LAN interface for clients
« Reply #16 on: July 25, 2013, 21:11:18 »
dr01
Posts: 79
Zero IP is a disaster... but they still all want plug n play for their devices without having to make setting changes to their devices... it's crazy... Thank you for all your help on this... We have had this VPN issue using Monowall now for over 4 years running and nobody would give a straight answer... I do wish though that the CP HTML code could be written to add at sign-in an IP check box for a VPN user that will do all this NAT 1:1 stuff automatically for the guest...
Re: VPN connection Ipsec behind LAN interface for clients
« Reply #17 on: July 25, 2013, 21:29:57 »
dr01
Posts: 79
I am trying to figure out how to install cacti and it won't let me on my Windows-based machine... none of the icons in the php files are recognized... Any suggestions on how to install this on my PC here? Thanks
Re: VPN connection Ipsec behind LAN interface for clients
« Reply #18 on: July 25, 2013, 21:38:42 »
Fred Grayson
Posts: 994
Do you have all of cacti's prerequisite dependencies installed? I don't think there will be much argument that Windows is not the best choice for this.
--
Google is your friend and Bob's your uncle.
Re: VPN connection Ipsec behind LAN interface for clients
« Reply #19 on: July 26, 2013, 04:03:08 »
Lee Sharp
Posts: 517
I have never installed it on Windows... But Ubuntu is easy... I use the 12.04 LTS because I hate frequent upgrades.
Use the instructions here...
https://www.digitalocean.com/community/articles/installing-the-cacti-server-monitor-on-ubuntu-12-04-cloud-server
Or here...
http://askubuntu.com/questions/148693/how-do-i-install-cacti
Or here...
https://help.ubuntu.com/community/Cacti
After installing the cacti backports ppa here...
https://launchpad.net/~micahg/+archive/ppa
(The ppa gives you the ability to add plugins like the aggregate graph.)
Re: VPN connection Ipsec behind LAN interface for clients
« Reply #20 on: August 05, 2013, 18:12:18 »
dr01
Posts: 79
Will this run on a Windows XP machine? So the only solution for the VPN issue is to use NAT 1:1, and there is no fix for Monowall software to allow any and all VPN traffic through a single global IP when behind NAT???
Thanks, DR01
Re: VPN connection Ipsec behind LAN interface for clients
« Reply #21 on: August 07, 2013, 01:04:10 »
Lee Sharp
Posts: 517
We cannot fix other people's servers... Let me give you the scenario.
Bob comes in, connects to the net and VPNs to the office. The office sees his internet IP, and goes "Hi, Bob! You are at 123.45.67.89! Good to see you."
Now Ted comes in, connects to the net and VPNs to the office. The office sees his internet IP, and goes "What are you doing, Bob? You are already here..." Click.
How do we fix that?
Re: VPN connection Ipsec behind LAN interface for clients
« Reply #22 on: August 07, 2013, 14:50:57 »
dr01
Posts: 79
I get all that, so I guess my question is: how do companies like Nomadix and Valuepoint claim they can handle multiple VPN traffic plug and play behind their routers that they claim work in hotels?
Any ideas?
The only idea I can come up with is using the sign-in page captive portal to add a feature or a check box that asks the user if they are going to need a VPN session... then if that box is checked, Monowall inside the software would perform a 1:1 NAT for their IP and session and then assign a usable static from the site's ISP pool to them. Then after that session expired, the 1:1 NAT info for them would be erased.
Do you think this is possible to add into the monowall software and integrate with the HTML code at CP sign in?
Thanks....
Re: VPN connection Ipsec behind LAN interface for clients
« Reply #23 on: August 09, 2013, 17:22:47 »
Lee Sharp
Posts: 517
That is how nomadix does it. And it could be added to CP, but it would be a lot of work. Essentially you would need another server to go in with wget or curl to add that IP to 1 to 1 nat, and remove it later.
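An added example, not part of any post in this thread and not m0n0wall code: a toy model of the Bob/Ted collision and of the lease-and-expire 1:1 NAT pool proposed above. The class names, the 203.0.113.128/29 block and the guest addresses are constructed for illustration; the step that would push the rule to the firewall is only marked in comments, since the thread does not show that interface.

```python
import ipaddress
# Constructed addressing: a documentation range stands in for the hotel's /29.
BLOCK = ipaddress.ip_network("203.0.113.128/29")
GATEWAY = ipaddress.ip_address("203.0.113.129")  # ISP gateway
WAN_IP = ipaddress.ip_address("203.0.113.130")   # firewall address shared by NATed guests

class OneToOnePool:
    """Hypothetical lease table: spare public IPs for guests who tick 'VPN' at sign-in."""
    def __init__(self, block, reserved):
        self.free = [ip for ip in block.hosts() if ip not in reserved]
        self.leases = {}  # guest private IP -> (public IP, expiry time)

    def expire(self, now):
        for guest, (pub, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[guest]   # the 1:1 NAT entry would be removed here
                self.free.append(pub)

    def lease(self, guest, now, ttl):
        self.expire(now)
        if guest in self.leases:
            return self.leases[guest][0]
        if not self.free:
            return None                  # pool exhausted: guest stays on shared NAT
        pub = self.free.pop(0)
        self.leases[guest] = (pub, now + ttl)  # the 1:1 NAT entry would be added here
        return pub

    def source_ip(self, guest):
        """Address the office VPN server sees for this guest."""
        return self.leases[guest][0] if guest in self.leases else WAN_IP

class OfficeVpnServer:
    """Toy model of the server in the scenario: one session per source IP."""
    def __init__(self):
        self.sessions = {}  # source IP -> user

    def connect(self, user, src):
        # False is the "You are already here..." Click.
        return self.sessions.setdefault(src, user) == user

def demo():
    bob, ted = "192.168.1.10", "192.168.1.11"   # constructed guest addresses
    pool, office = OneToOnePool(BLOCK, {GATEWAY, WAN_IP}), OfficeVpnServer()
    shared = [office.connect(u, pool.source_ip(g)) for u, g in (("bob", bob), ("ted", ted))]
    office = OfficeVpnServer()
    for g in (bob, ted):
        pool.lease(g, now=0, ttl=3600)
    mapped = [office.connect(u, pool.source_ip(g)) for u, g in (("bob", bob), ("ted", ted))]
    return shared, mapped
```

`demo()` returns the connection results for both guests, first with everyone behind the shared WAN address and then with each guest leased a spare address from the block.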
Re: VPN connection Ipsec behind LAN interface for clients
« Reply #24 on: February 07, 2014, 00:37:57 »
dr01
Posts: 79
With the new 1.8.1 firmware, is this VPN client issue now fixed so you don't have to perform NAT 1:1 each time for each client? Thanks
Re: VPN connection Ipsec behind LAN interface for clients
« Reply #25 on: February 07, 2014, 18:27:44 »
Lee Sharp
Posts: 517
Nope, we have still not fixed other people's VPN servers.
However, with the known (and overblown) security issues with PPTP, fewer companies are using it, and the modern IPsec and SSL based VPNs don't have this limitation.
Re: VPN connection Ipsec behind LAN interface for clients
« Reply #26 on: February 07, 2014, 19:03:20 »
dr01
Posts: 79
That's good news... I only see the IPsec Cisco-based client systems having issues currently. Others seem to be fine or don't call the help line to report their VPN issues.
Re: VPN connection Ipsec behind LAN interface for clients
« Reply #27 on: February 07, 2014, 19:10:25 »
Lee Sharp
Posts: 517
And that is the old Cisco VPN that is slowly phasing out. It is looking up! Now we just have to hope a bird is not flying directly above us.