Forward Proxy to Gateway of WLAN Accesspoint - networking

In our network a proxy server is used to give all the clients, which are all Windows XP computers, access to the internet. Now, we want setup a Wireless LAN to allow people to connect their own mobile phones, computers, etc. to the internet. However if we simply connect a wireless access point to our network everyone has to configure the proxy server on their devices.
What can I do, that the WLAN router can act as a gateway to the internet using the proxy server?

You can NAT all the traffic destined to port 80 to a proxy machine. This is a so called forced or intercepting proxy.
For example, if you have a RouterOS router, you would simply add a rule
/ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=80 protocol=tcp to-addresses=<proxy IP address>
If you proxy other protocols apart from HTTP, you would do the same for them changing the port.
Many proxy solutions can run in intercepting mode (such that you have a machine with two network interfaces that filter all the traffic that is coming through). See this tutorial for setting it up with Squid.
Otherwise, if you already have a proxy server you can use the solution above by placing a router or a server running the routing software between the access point and your network, for example Vyatta or Mikrotik RouterOS (commercial but pretty powerful), some open-source/freeware router/firewall distribution (pfSense, Openwall, m0n0wall, ...) or even a vanilla OpenBSD (with pf firewall) / Linux (with iptables) to achieve the desired effect.
Once you get the straight through routing in place it should be pretty straightforward to setup proxy NAT asnoted above.
You should consider applying this setting on the router that your access-point connects to for it may save you the trouble of setting up a new machine.

Related

VPN server and client (possibly) on the same machine

What I'm trying to achieve is:
Connect to a VPN as client and route all my internal network's traffic over the VPN.
Run a VPN server, so that people from outside can connect to my internal network and get routed over the a.m. VPN client.
I'm trying to achieve that with a router running dd-wrt (netgear D6200), and / or a raspberry pi.
Can someone tell me if this can be achieved, and if, direct me to what would be a possible solution?
(I'm not looking for a tutorial, just a direction)
Thanks!
This thread probably does not belong here.
Consider using OpenWRT instead of dd-wrt. OpenWRT gives you a usable build system and easier to customize and build. I am not advocating OpenWRT. This can be a stop gap measure.
You can setup a OpenVPN server and OpenVPN client using the standard
documentation available on OpenWRT Wiki and also OpenVPN site.
Add to OpenVPN server.conf the following directive redirect-gateway def1. This will push the default gateway to clients connecting to OpenVPN server. Further, make sure you are using a unique network IP pool for VPN clients and does not clash with the remove VPN server.
Make sure you are masquerading the VPN traffic (Clients of local VPN server) before forwarding to remove VPN server. This can be tricky as this interface does not exist at boot time. It needs to be configured using up and down scripts
Make sure you are allowing traffic (clients of local VPN Server) on VPN interface to be forwarded in your firewall rules
Before setting up the OpenVPN server, make sure
The remove VPN server is pushing the default gateway to your VPN
client
You have setup the firewall correctly
You are able to reach the cloud through the Remote VPN Server. Checking with some site like www.whatismyip.com will help
Yes this is possible with dd-wrt on Netgear.
There is no need of Raspberry (unless you meant to run the remote VPN server on it).
Configure and run VPN server on dd-wrt - and try connectivity by connecting clients. Both tun/tap should work in general (with VPN client running). I tested with tun.
Configure and run VPN client on dd-wrt and try connecting to your VPN server. By default, the router should start directing all traffic (for its own LAN clients) via the VPN server.
So far so good.
The problem comes when you want dd-wrt's VPN clients (and not just LAN clients) to take the same route. With a VPN client running on dd-wrt, dd-wrt's own VPN clients will not be able to connect to the VPN server running on dd-wrt as such. To make it work, see below.
This is only possible via PBR - i.e. you run VPN client on dd-wrt, but take the router itself off this client, and route only specific clients through this VPN client running on dd-wrt.
With some tweaks using subnet masks, it is possible to include all your LAN and VPN IPs in the PBR policy so that everything (except the router itself) routes through the remote VPN server.
The key is to include dd-wrt's VPN clients' virtual IPs in the PBR. While configuring VPN server on dd-wrt, there is a field for specifying the clients' network and netmask.
If you use this network IP and netmask in client process's PBR policy, your (dd-wrt's) VPN clients will be able to connect to the VPN server running on dd-wrt, and will in turn be routed through the remote VPN server to which dd-wrt is connected as a client.

customize mikrotik hotspot firewall rules

I have a router os installed on a virtual server, with 3 interfaces:
lan-192.168.1.1/24
wan-192.168.2.1/24
wifi-192.168.3.1/24
I have a PPOE client to connect over WAN to ISP and get static public IP
x.x.x.x
I have a windows server with DNS, HTTP services on LAN interface, and 1 wireless access point on WIFI interface.
I have created rules for block incoming connection from internet, except 80,53,...
I have created dst-nat from my public IP x.x.x.x to local server IP.
Another dst-nat from LAN to server LAN IP address.
Also SRC NAT to masqurade, LAN and WIFI connections to server.
Another SRC-NAT masqurade for access internet.
Also mikrotik DNS service used to get records and catch from my local server DNS service.
All things work good, until, I want create hotspot service on WIFI interface.
dynamic firewall filters and NATs destroy all things work.
Scenario is access WIFI users to internet by authentication and access local server locally and free.
Also internet access for lan users free.
Also public web access to my server from internet.
Thanks in advance!
NOTE: Skip to TLDR if you just want the direct answer.
This configuration has been made far more complicated than necessary. I'm going to write this up from memory because I don't have an unused router handy at the moment, but this should work.
I'm going to make some assumptions here:
You do not want anyone from the WAN or PPPoE to be able to reach your LAN.
You don't want anyone from the WIFI to be able to reach your LAN except for HTTP or DNS.
You FULLY intend to circle back once everthing is working and ENABLE HTTPS on your server. THIS IS IMPORTANT!!!
First, set up everything to work without restriction. No rules except for a single masquerade entry. You want to masquerade all traffic NOT destined for 192.168.0.0/16. This rules is all you will need. the DST-NAT rules are unnecessary unless you want to provide service to traffic on the PPPoE interface.
Next, add the following firewall rules under the FORWARD chain:
ACCEPT all Established and all Related traffic (no other restrictions).
ACCEPT FROM 192.168.3.0/24 TO TCP 80,53,443 destined for your Windows Server IP address.
ACCEPT FROM 192.168.3.0/24 TO ICMP destined your Windows Server IP address.
ACCEPT FROM 192.168.1.0/24 TO !192.168.0.0/16. This allows Internet access for the LAN.
ACCEPT FROM 192.168.3.0/24 TO !192.168.0.0/16. This allows Internet access for the WIFI.
DROP everything else.
Make sure everything still works. These basic rules will give you at least some protection on your LAN from random people connecting to your WIFI. This way, if you ever disable your Hotspot to allow unrestricted access through your Wifi, you're LAN is still protected.
* TLDR *
Now you can set up your hotspot. The most important part is on your Walled Garden IP list tab, under IP -> Hotspot. You must add entries here allowing access to whatever servers you want to function before someone logs on, specifically your server's HTTP, DNS, etc services. The Hotspot will translate these into automatically-created firewall rules for you.
Finally, I would remiss if I didn't tell you that this is not a complete firewall setup, and there's all sorts of stuff that can go wrong here if things are not implemented properly. My email is in my profile here if you are interested in paid assistance.

Squid proxy: Hide IPs of LAN to not allow remote desktop for non LAN systems

I want to hide our internal LAN IP's(static IPs) behind squid proxy. I have done configuration, now all the traffic are going through squid proxy only. What I assume that after I configure squid no one from outside of our LAN could not able to remote desktop to any local LAN systems, but it is not working as I thought of. I am able to do remote desktop from out side after I configure Proxy server LAN but I shouldn't. what would be the problem, should I do something else with squid? or squid can't do what I want? If not is there any other technology could satisfy my requirement?
My requirement is No one should do remote desktop from outside to our LAN's system. If someone want to do remote desktop to our LAN's system they should be connected over secure connection. we are thinking about LDAP to make secure connection. other then secure connection nothing should be allow.
I hope that am able to explain what I want.
Additional info:
I am using Mikrotik router(final gateway) for our LAN.
Traffic are pass over proxy server which is also connected in our LAN.

When is port forwarding necessary?

I've been investigating networking for use in a two-player game I'm writing, and I'm still not clear on when a device must have a port forwarded in order to communicate with the outside world.
From what I've seen in other games, port forwarding is always required in order to host a server, but is not required on the client. In addition, there are other situations, such as skype (which, to my understanding is ultimately client to client), where neither end must forward a port.
So my question is, in over-the-Internet communication, when is and isn't port forwarding necessary, and what steps can i take as a developer to make it so my users don't have to worry about it? Thanks in advance!
Port forwarding is needed when a machine on the Internet needs to initiate a connection to a machine that's behind a firewall or NAT router. If the connection is initiated by the machine behind the firewall, the firewall/router automatically recognizes the reply traffic and sends it to the machine that opened the connection.
But if a packet arrives on the external interface, and it's not a part of such a connection, the router needs to know what to do with it. By default, it will reject it. But if forwarding is configured for the port, that tells it what internal machine to send it to.
Put another way: you need port forwarding if you want to run a server behind the NAT firewall/router, you don't need it if you're just running a client.
There is reason why Skype don't (not always) need manual setting of port forwarding:
When you install Skype, a port above 1024 is chosen at random as the
port for incoming connections. You can configure Skype to use a
different port for incoming connections if you wish, but if you do,
you must open the alternative port manually.
If the port chosen for incoming connections becomes unavailable, by
default ports 80 and 443 will be used as alternatives. If another
application (such as Apache HTTP server or IIS) uses these ports, you
can either configure the application to use other ports, or you can
configure Skype to not use these ports.
Port forwarding is must if you host a server.
You can use same technique as Skype...
I am not sure if there is any other option...
Port forwarding (occurs) when a NAT, firewall or some other device blocks communication on all or some ports.
To answer your question as an example, most commercial routers use NAT to allow multiple people to use the same IP(As view from the outside world) provided by ISPs. Most ISP's use NAT to allow multiple customers to use the same IP(As viewed from the outside world). To get this to work, the NAT changes the internal IP and the port number of a communication to THE(there is only one for the entire sub network) external IP and a new port number. By doing this, the router/isp/ect can tell which internal IP and port each external communication goes to.
Anytime one of the computers communicating over the internet are behind a NAT, port forwarding is required. I'm sure there are way more situations than this, and the solution to each can be quite complicated. But this covers the vast majority.

Qt SSL server only visible in the local network

I have a working SSL server implementation, but the problem is that the server is visible only for devices in my local network, and can't be accessed from outside.
Is this a common problem for servers, or have I done something wrong? Could it be my Linux distribution limiting the visibility?
Best regards,
Rat
If you are behind a NAT firewall which most modem/router/switch all-in-one boxes use, then you will need to set up port forwarding on the router.
Port forwarding allows an incoming connection on a port on the WAN side of the modem/router to get forwarded to a LAN computer.
See http://portforward.com/ for help setting up port forwarding.

Resources