Strog’s Place

Dale Shrauger’s Website

Dec 9

Another network change already

By Strog

Work is providing a Sonicwall VPN/Firewall/WAP device for remote access. This complicates my network setup but I like a good challenge. I already have 4 subnets, IPSEC & OpenVPN VPNs and a wireless connection. This will add another IPSEC connection, firewall with NAT, wireless and a couple more subnets.

I plugged it into the DMZ switch first thing since that is a restrictive subnet as far as firewall rules are concerned. I wanted to disable NAT right away but I don’t see any good way to do this with this firmware (or the latest after I loaded it). I did find the NAT one-to-one options and assigned a couple ranges to the wired and wireless ranges respectively. It won’t allow wireless to LAN unless you are encrypted so I enabled WPA and set up the Powerbook to connect. I plugged the Dell laptop into one of the LAN ports to test the wired side of this setup. I still have the VPN client on the Powerbook to connect directly so I logged into the main VPN concentrator with that and used the Dell to connect to the local. I had a functional tunnel in less than 5 minutes.

It looks like the detect dead tunnel option is kicking in faster than the heartbeats to keep the tunnel active. That basically means the tunnel isn’t staying up unless I keep traffic running across it. I have to initiate it from the client (home) side so that means I can’t get back to home from work unless I tweak this setting. I wrote a little ping script running in screen on the Dell to test and it seems to keep the tunnel up fine. This 802.11g connection isn’t really doing much better on throughput than my old setup, which was just an 802.11b PCMCIA card in a PCI slot running on a system cobbled together out of spare parts. Guess I’ll have to look into this some more.
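A keepalive script of the kind described above, as an added example rather than the post’s own script: it sends one ICMP echo across the tunnel at an interval well under the peer’s dead-peer-detection timeout and logs any probe that fails, so a run of failures in the log tells you the tunnel dropped despite the traffic. The peer address 192.0.2.10 and the 120-second DPD timeout are assumed values, not taken from the post.

```shell
#!/bin/sh
# Tunnel keepalive: push a little traffic across the IPsec tunnel more often
# than the far end's dead-peer-detection timeout so the tunnel is never torn
# down for idleness. Meant to run under screen on a host inside the local
# subnet, e.g.:  screen -dmS keepalive ./keepalive.sh 192.0.2.10 120
#
# Assumed values (not from the original post): peer 192.0.2.10 on the far
# side of the tunnel and a 120-second DPD timeout on the peer.

LOG="${KEEPALIVE_LOG:-/tmp/keepalive.log}"

# Pick a probe interval safely under the DPD timeout (a third of it, never
# below 5 s) so that even one lost probe leaves time for another before the
# peer declares the tunnel dead.
keepalive_interval() {
    t="$1"
    i=$(( t / 3 ))
    if [ "$i" -lt 5 ]; then i=5; fi
    echo "$i"
}

# One probe: a single ICMP echo with a short wait. Exit status is ping's.
probe() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# Probe loop. Arguments: peer, interval in seconds, optional iteration limit
# (0 = run forever). Prints the number of consecutive failures at exit.
keepalive_loop() {
    host="$1"; interval="$2"; max="${3:-0}"; n=0; fails=0
    while :; do
        if probe "$host"; then
            fails=0
        else
            fails=$(( fails + 1 ))
            echo "$(date) probe to $host failed ($fails in a row)" >> "$LOG"
        fi
        n=$(( n + 1 ))
        if [ "$max" -gt 0 ] && [ "$n" -ge "$max" ]; then break; fi
        sleep "$interval"
    done
    echo "$fails"
}

# Run only when a peer is given on the command line; without arguments the
# script just defines its functions so it can be sourced.
if [ -n "$1" ]; then
    keepalive_loop "$1" "$(keepalive_interval "${2:-120}")"
fi
```

Keep the interval comfortably below the DPD timeout rather than just under it: a single dropped probe on a lossy wireless link is otherwise enough to let the peer tear the tunnel down.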

I also need to put another NIC (or two while I’m at it) into the firewall and move this to its own DMZ so I can lock the firewall rules down with more control. An upside of not running the wireless over OpenVPN is that I don’t have to push the default gateway. That makes external access a lot easier to manage since it reduces the bandwidth going through the home connection.
