Sonicwall TZW questions
From: news.cup.hp.com (thomasDELME_gilgDELME_at_hpDELME.com)
Date: 09/14/04
Date: Mon, 13 Sep 2004 22:17:20 GMT
I'm setting up a Sonicwall SOHO TZW for my wife's company, and the manual is
less than useful. I'm hoping for some help here.
My basic setup is that LAN and WLAN (wireless LAN) users will be able to
access the WAN, per normal looking LAN<->WAN and WLAN<->WAN firewall rules.
Only company PCs are on the LAN, but the WLAN is public and is accessible by
employees and clients to provide internet access.
In order for employees to get onto the LAN from the WLAN (or WAN in the
future), I have established a VPN termination point on the LAN.
Question 1 (a TZW bug?) - I have a TZW VPN client-connection policy that
enables "Use DHCP to obtain Virtual IP for this connection". This allows a
WLAN PC that normally has a 172.16.31.* address to obtain a 192.168.168.*
address from the LAN's 192.168.168.* subnet. If I have some dynamically
allocatable 192.168.168.* addresses on the LAN, the "SonicWall Virtual
Adapter" on the WLAN PC gets a 192.168.168.* IP address just fine. Good. If
I do NOT have any dynamic addresses, but instead only have a statically
allocatable IP based on the SonicWall Virtual Adapter's MAC address, then no
address is allocated. Bad. Unexpected. However, if I have at least 1
dynamically allocatable IP in addition to the static IP, then the static IP
does get properly allocated just fine.
I would prefer to allocate only static IPs to incoming VPN users. This seems
to work, but only if I have at least one dynamic IP available, which seemingly
never gets used. Is this a bug in the TZW?
Question 2 - the TZW supports something called "Wireless Guest Services"
(WGS) on the WLAN. When WGS is turned on (and I have at least one WGS
login/password defined), it immediately turns on the WLAN "MAC Filter List".
OK so far. The manual seems to suggest that a wireless PC can connect to the
wireless access point, and upon trying to bring up a web page, will be
challenged by a WGS login web page. If the user can enter a valid WGS
login/password, then their MAC gets registered and they are granted full
WLAN access. Problem - with 2 different wireless PCs (whose MACs are not
pre-registered), I cannot stay connected to the wireless access point, much
less get a valid IP address so that I could bring up a web page and activate
the WGS login/password web page. This seems to be a chicken and egg problem:
I can't get onto the wireless access point so I can enter a login/password,
but I need to enter a login/password to get onto the MAC accept filter list.
I do have an unrelated wireless access point nearby, which is the access
point that the 2 wireless PCs roll over to when they can't get onto the TZW
access point. What am I not understanding here?
Intuitively I could imagine the TZW access point granting a rogue wireless
PC a temporary dynamic IP address (say 172.16.31.1) from a range of dynamic
IP addresses (say 172.16.31.*) that are blocked from all but the WGS login
page (say on 172.16.31.0 : 80). After a wireless PC accesses the WGS page
and a valid login/password is entered, then the access point would roll them
to a new dynamic IP address (say 172.16.32.2) that is managed by the normal
firewall rules. I am guessing that the user would provide any URL (say
www.microsoft.com), but that the temporary dynamic configuration would map
all DNS queries to the WGS login page.
Thomas Gilg
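The scheme sketched in the last paragraph (quarantine address, DNS pointed at the login page, everything but the portal blocked, then a MAC registered and a routable address handed out) is the usual captive-portal pattern, and Question 1 is really a DHCP question about honouring a MAC reservation when the dynamic range is empty. The following is an added toy model of both, written for this thread; it is not SonicWall code and does not claim to show how the TZW implements WGS. The subnets, the portal address 172.16.31.1, the MACs, the guest account and the Pool/GuestGateway names are all constructed for the demonstration.

```python
# Added example (not SonicWall code): a toy model of wireless guest-services
# gating. Subnets, MACs and the guest account below are constructed.
import hmac
from dataclasses import dataclass, field

PORTAL_IP = "172.16.31.1"   # assumed quarantine-side address of the login page
PORTAL_PORT = 80


@dataclass
class Pool:
    """A DHCP scope: static reservations keyed by MAC plus a dynamic range."""
    reservations: dict = field(default_factory=dict)   # mac -> ip
    dynamic: list = field(default_factory=list)        # free dynamic addresses
    leased: dict = field(default_factory=dict)         # mac -> ip in use

    def allocate(self, mac):
        """Address for `mac`, or None. A reservation is honoured even when the
        dynamic range is empty; the range serves only MACs without one."""
        if mac in self.leased:
            return self.leased[mac]
        if mac in self.reservations:
            ip = self.reservations[mac]
        elif self.dynamic:
            ip = self.dynamic.pop(0)
        else:
            return None
        self.leased[mac] = ip
        return ip

    def release(self, mac):
        """Drop the lease; dynamic addresses return to the free list."""
        ip = self.leased.pop(mac, None)
        if ip is not None and mac not in self.reservations:
            self.dynamic.append(ip)


class GuestGateway:
    """Gates unregistered wireless clients until they pass the portal login."""

    def __init__(self, quarantine, routable, accounts):
        self.quarantine = quarantine   # Pool for clients not yet on the MAC list
        self.routable = routable       # Pool for clients that have logged in
        self.accounts = accounts       # login -> password (constructed)
        self.mac_filter = set()        # allow-list the portal populates

    def associate(self, mac):
        """Unknown MACs are not refused; they get a quarantine-scope address."""
        pool = self.routable if mac in self.mac_filter else self.quarantine
        return pool.allocate(mac)

    def resolve_dns(self, mac, name, real_answer):
        """Quarantined clients get the portal address for every name."""
        return real_answer if mac in self.mac_filter else PORTAL_IP

    def permit(self, mac, dst_ip, dst_port):
        """Quarantine policy: nothing but the portal page is reachable."""
        if mac in self.mac_filter:
            return True   # normal LAN/WAN rules apply from here (not modelled)
        return dst_ip == PORTAL_IP and dst_port == PORTAL_PORT

    def login(self, mac, user, password):
        """On success, register the MAC and move the client to a routable IP."""
        expected = self.accounts.get(user, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        self.mac_filter.add(mac)
        self.quarantine.release(mac)
        return self.routable.allocate(mac)


def run_demo():
    """Walk one constructed guest through join, redirect, login and promotion."""
    gw = GuestGateway(
        quarantine=Pool(dynamic=["172.16.31.10", "172.16.31.11"]),
        routable=Pool(reservations={"00:11:22:33:44:55": "172.16.32.2"},
                      dynamic=["172.16.32.20"]),
        accounts={"guest": "constructed-demo-password"},
    )
    mac, web = "00:11:22:33:44:55", "93.184.216.34"   # constructed client / web host
    out = {"quarantine_ip": gw.associate(mac)}
    out["dns_before"] = gw.resolve_dns(mac, "www.example.com", web)
    out["web_before"] = gw.permit(mac, web, 443)
    out["portal_before"] = gw.permit(mac, PORTAL_IP, PORTAL_PORT)
    out["bad_login"] = gw.login(mac, "guest", "wrong")
    out["routable_ip"] = gw.login(mac, "guest", "constructed-demo-password")
    out["dns_after"] = gw.resolve_dns(mac, "www.example.com", web)
    out["web_after"] = gw.permit(mac, web, 443)
    out["quarantine_free"] = sorted(gw.quarantine.dynamic)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:16} {value}")
```

Two things the model makes visible: a MAC-keyed reservation in `Pool.allocate` is served before the dynamic range is even looked at, so a scope with reservations and no dynamic addresses still answers the reserved client (the behaviour the first question expected); and the unregistered wireless client is never kept off the access point, it simply lives in a scope whose DNS and firewall policy lead only to the portal until its MAC is on the list.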