Sunday, May 07, 2006

network design [::] wireless subnet+firewall+vpn

Preface:
I recently bought a laptop, so the wireless equipment at home finally has a use. I set up the AP (Nokia) and connected over Wi-Fi with WEP. Once that was done, a few problems appeared, all related to the firewall configuration (Bering & Shorewall), namely the restrictions on connections between different subnets. Later I used a VPN dial-up, which not only solved those problems but also, unexpectedly, turned out to be a way to implement some access management I had wanted for a long time. It proves the power of open source.

System environment (this is the current home network, but to avoid any confusion later, I describe it anyway):
The core is a firewall and ADSL broadband router built on a Pentium 100 (hostname firewall) with several network cards, intended to create separate subnets for different needs and management requirements. It uses class C private addresses, 192.168.x.x/24: 192.168.0.0/24 (named loc) and 192.168.1.0/24 (named wlan). Subnet 0 has an experimental Debian Linux server (hostname debsrv), IP 192.168.1.253/24, running ssh, dns (resolving the local domain, a private self-assigned domain named lab.), an Apache web server (two virtual hosts: www.debsrv.lab and mail.debsrv.lab) and some other services; the detailed configuration is omitted. Subnet 0 also has a Windows XP machine (winxpc) with several file shares. Subnet 1 has a wireless AP attached, for wireless clients to connect through. The IP and network settings for the whole system are handled by firewall, which also acts as the DNS forwarder to the Internet and as the secondary DNS for the lab. domain (both implemented with DNSMasq).

Network access for computers in wlan can be managed by firewall on a per-IP basis, but in a risky environment like a wireless network it is unwise to open the network to everyone alike. To let individual users have access without weakening security or affecting ordinary users, a VPN offers a suitable solution. In this example, computers in wlan can use the Internet, the services provided in loc are not opened to them, but individual users are allowed in.

First, provide basic Internet service to wlan users, including Internet DNS lookups and ssh connections to firewall. Network settings are provided by DHCP.
DNSMasq provides DHCP and DNS query caching for both subnets, and hands out IP settings appropriate to the subnet the client is on, as follows:
Windows IP Configuration
Host Name . . . . . . . . . . . . : D2N2L2BX
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : lab

Ethernet adapter Wireless Network Connection:
Connection-specific DNS Suffix . : lab
Description . . . . . . . . . . . : Intel(R) PRO/Wireless 2200BG Network Connection
Physical Address. . . . . . . . . : 00-16-6F-71-6F-93
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.200
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 192.168.0.253 192.168.0.254

Lease Obtained. . . . . . . . . . : Sunday, May 07, 2006 3:09:35 PM
Lease Expires . . . . . . . . . . : Monday, May 08, 2006 3:09:35 AM
Note especially the default gateway and the DNS servers: 1.254 and 0.254 are the IPs of firewall's two network cards, and 0.253 is the primary DNS of the lab domain.

Shorewall manages and configures iptables on firewall.
/etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
#net eth0 detect dhcp,routefilter,norfc1918
net ppp0 -
wlan eth1 detect
loc eth0 detect
loc ppp+
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/zones
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
wlan Wireless Wireless networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/etc/shorewall/policy
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
loc net ACCEPT
wlan net ACCEPT
net all DROP ULOG
fw loc ACCEPT
fw wlan ACCEPT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/rules
The configuration file is too long to reproduce, so the relevant entries are summarised here:
allow loc -> fw tcp22 udp53 udp67,68 tcp80
allow wlan -> fw tcp22 udp53 udp67,68 tcp80
ssh/22 dns/53 dhcp/67,68 weblet/80
allow loc -> fw tcp47,1723
allow wlan ->fw tcp47,1723
VPN pptpd/47,1723

From interfaces: ppp0 is the interface for the ADSL connection to the Internet, while ppp+ is treated as an interface on the same subnet as loc. According to my tests, ppp+ does not include ppp0. When a VPN connection is made, the server creates a virtual ppp interface; if ppp0 does not exist at that moment, the tunnel is given ppp0, so the VPN connection is treated as the net zone and is blocked from connecting into loc. When it gets ppp1, this does not happen.
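The ppp0/ppp+ behaviour above, and the zone-to-policy lookup it depends on, as an added example that is not part of the original post: a small Python model that parses the post's own interfaces and policy entries and reports which zone a VPN tunnel interface lands in and what verdict its traffic towards loc receives. The model's rules (first matching entry wins, a trailing '+' is a prefix wildcard, intra-zone traffic is accepted, a zone pair with no policy entry defaults to DROP) are assumptions for illustration, not a statement of Shorewall's exact semantics.

```python
# Added example (not from the original post): a simplified model of how
# Shorewall assigns an ingress interface to a zone and then selects a policy
# for a zone pair. Model assumptions: the first matching interfaces entry wins,
# a trailing '+' is a prefix wildcard, intra-zone traffic is accepted, and a
# zone pair with no policy entry falls back to DROP.
# The post's own /etc/shorewall/interfaces and /etc/shorewall/policy entries.
INTERFACES = """
net ppp0 -
wlan eth1 detect
loc eth0 detect
loc ppp+
"""

POLICY = """
loc net ACCEPT
wlan net ACCEPT
net all DROP ULOG
fw loc ACCEPT
fw wlan ACCEPT
"""

def parse(table):
    """Split a Shorewall-style table into rows, dropping comments and blanks."""
    rows = []
    for line in table.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def zone_of(interface, interfaces=INTERFACES):
    """Zone of an ingress interface; the first matching entry wins."""
    for zone, pattern, *_ in parse(interfaces):
        if pattern.endswith("+"):
            if interface.startswith(pattern[:-1]):
                return zone
        elif interface == pattern:
            return zone
    return None  # no entry: the interface belongs to no zone in this model

def policy_for(src_zone, dst_zone, policy=POLICY, default="DROP"):
    """Policy verdict for a zone pair; 'all' matches any zone."""
    if src_zone == dst_zone:
        return "ACCEPT"  # model: traffic within a single zone is allowed
    for src, dst, action, *_ in parse(policy):
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return action
    return default
```

With these entries, a tunnel on ppp1 is classified as loc and reaches loc, while the same tunnel on ppp0 is classified as net and hits the net → all DROP policy, which is the behaviour the post observed.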

/etc/pptpd.conf
localip 192.168.0.254
remoteip 192.168.0.100-110

/etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
username pptpd "vpnpassword" *

After this configuration, users in wlan can connect to the Internet (for wireless, first establish the wireless connection) and use all kinds of Internet services normally, but all access to loc is forbidden. If an individual user needs to connect into loc, they first make a VPN connection and become part of loc; the wlan computer then obtains the following IP settings:
PPP adapter 254:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.100
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 192.168.0.100
At this point the machine can use the DNS service of debsrv in loc to find www.debsrv.lab and mail.debsrv.lab, as well as the network neighbourhood shares on winxpc, and can still connect to the Internet.

Below are some comparisons of the network state of the wlan computer before and after the VPN connection:
Before connecting:
netstat -nr
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 16 6f 71 6f 93 ...... Intel(R) PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.200 30
65.54.179.192 255.255.255.255 192.168.1.254 192.168.1.200 30
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.200 192.168.1.200 30
192.168.1.200 255.255.255.255 127.0.0.1 127.0.0.1 30
192.168.1.255 255.255.255.255 192.168.1.200 192.168.1.200 30
207.46.219.62 255.255.255.255 192.168.1.254 192.168.1.200 30
224.0.0.0 240.0.0.0 192.168.1.200 192.168.1.200 30
255.255.255.255 255.255.255.255 192.168.1.200 192.168.1.200 1
Default Gateway: 192.168.1.254
===========================================================================
Persistent Routes:
None


tracert www.google.com
Tracing route to www.l.google.com [66.249.89.99]
over a maximum of 30 hops:
1 3 ms 3 ms 3 ms 192.168.1.254
2 17 ms 16 ms 16 ms nrp28.macau.ctm.net [202.175.100.28]
3 18 ms 17 ms 19 ms v601a.macau.ctm.net [202.175.95.61]
4 19 ms 19 ms 16 ms gw3-192.macau.ctm.net [202.175.26.203]
5 24 ms 22 ms 24 ms pr3-pos1.macau.ctm.net [202.175.1.42]
6 38 ms 40 ms 42 ms rs1.hkix.net [202.40.161.1]
7 38 ms 43 ms 38 ms 192.168.168.34
8 28 ms 31 ms 28 ms google2-RGE.hkix.net [218.100.16.24]
9 93 ms 97 ms 96 ms 72.14.236.228
10 100 ms 110 ms 101 ms 72.14.236.208
11 105 ms 104 ms 97 ms 66.249.89.99
Trace complete.


After the VPN connection:
PPP adapter 254:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.100
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 192.168.0.100


netstat -nr
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 16 6f 71 6f 93 ...... Intel(R) PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
0xe0004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.100 192.168.0.100 1
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.200 31
65.54.179.192 255.255.255.255 192.168.1.254 192.168.1.200 30
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.100 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.0.255 255.255.255.255 192.168.0.100 192.168.0.100 50
192.168.1.0 255.255.255.0 192.168.1.200 192.168.1.200 30
192.168.1.200 255.255.255.255 127.0.0.1 127.0.0.1 30
192.168.1.254 255.255.255.255 192.168.1.200 192.168.1.200 30
192.168.1.255 255.255.255.255 192.168.1.200 192.168.1.200 30
207.46.219.62 255.255.255.255 192.168.1.254 192.168.1.200 30
224.0.0.0 240.0.0.0 192.168.1.200 192.168.1.200 30
224.0.0.0 240.0.0.0 192.168.0.100 192.168.0.100 1
255.255.255.255 255.255.255.255 192.168.0.100 192.168.0.100 1
255.255.255.255 255.255.255.255 192.168.1.200 192.168.1.200 1
Default Gateway: 192.168.0.100
===========================================================================
Persistent Routes:
None
tracert www.google.com
Tracing route to www.l.google.com [66.249.89.99]
over a maximum of 30 hops:
1 5 ms 5 ms 5 ms 192.168.0.254
2 20 ms 20 ms 19 ms nrp28.macau.ctm.net [202.175.100.28]
3 19 ms 19 ms 20 ms v601a.macau.ctm.net [202.175.95.61]
4 19 ms 19 ms 19 ms gw3-192.macau.ctm.net [202.175.26.203]
5 25 ms 23 ms 23 ms 202.175.1.42
6 24 ms 28 ms 24 ms rs1.hkix.net [202.40.161.1]
7 27 ms 30 ms 26 ms 192.168.168.34
8 33 ms 29 ms 32 ms google2-RGE.hkix.net [218.100.16.24]
9 97 ms 100 ms 98 ms 72.14.236.228
10 111 ms 102 ms 106 ms 72.14.236.208
11 182 ms 143 ms 99 ms 66.249.89.99
Trace complete.

P.S. While the VPN connection is up, I have so far found that MSN cannot connect, and that this blog cannot save as draft while editing; ordinary web browsing has shown no problems so far.

1 comment:

Unknown said...

Besides MSN, RSS and some web pages cannot be reached. The cause is unknown and there is no fix yet.