
Unique Network Questions


3vmike


Here's the issue

I have a mobile device that roams throughout the network. Each location is its own subnet. Internet access is provided by a central firewall running Astaro. I need to give my mobile device unhindered access to the internet. I am the network administrator; however, Astaro does not let me specify a MAC address as a device to give access to. I can specify a static IP for my device; however, each location within the WAN has a local router that communicates through Verizon's switched Ethernet. So when I specify a static IP for my device I can't communicate with the local router, because I would have to change the DG for every location.

I need the Astaro firewall to authenticate my device's MAC address and forward the IP traffic.

Any help would be great!

Thanks,

3v

Link to comment

I've never heard of Astaro myself, but would a VPN not work? Your mobile device connects from wherever it is to a box inside your firewall, which has a static IP and is allowed external network access. As long as you don't have any internal firewalls and the routes all work correctly, this is what I would try first.

Link to comment

Yes, true, I could simply VPN into a box with a static NAT out to the internet. However, I'm looking for a way to pipe internet access directly to the mobile device. I would rather not rely on a physical machine. Rather, it would be nice to set up a rule that allows a device to connect to the internet by MAC address rather than IP address. I have a call in to Astaro about that, but they haven't gotten back to me.

:blink:

Link to comment

  • 2 weeks later...

Proxy, or some sort of Proxy Mobile IP?

You could create a separate SSID or separate VLAN which only you would have access to at each site. Then give each a smaller piece of a larger block of IP space that is unique to the entire network. Then allow that larger block unrestricted access through the firewall.

For example:

10.1.1.0/24 allowed in the firewall

Then:

Site A would be 10.1.1.0/30

Site B would be 10.1.1.4/30

Site C would be 10.1.1.8/30

etc...

A /30 will leave you 2 addresses, one for your machine and one for the gateway.

I think you'd have to explain your topology more to know about allowing by MAC address. In a traditional WAN, the internet gateway wouldn't see the MAC address of a device if it were a layer 3 hop away.

Link to comment
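The addressing plan from the post above, worked through as an added example (not part of the original thread). It carves per-site /30s out of the one block the firewall allows and classifies a source address the way an IP-based allow rule would; the function names, the site labels and the choice of the first host as gateway are assumptions.

```python
import ipaddress

# Values from the post's example; site labels are placeholders.
ALLOWED_BLOCK = ipaddress.ip_network("10.1.1.0/24")  # the single firewall allow rule
SITES = ["Site A", "Site B", "Site C"]

def build_site_plan(block, sites, prefixlen=30):
    """Assign each site the next /30 from the allowed block.

    Assumption: the first usable host is the local gateway and the
    second is the roaming device (the post only says "one each").
    """
    subnets = block.subnets(new_prefix=prefixlen)
    plan = {}
    for site in sites:
        try:
            net = next(subnets)
        except StopIteration:
            raise ValueError(f"{block} has no /{prefixlen} left for {site}") from None
        gateway, device = net.hosts()  # a /30 has exactly two usable hosts
        plan[site] = {"subnet": net, "gateway": gateway, "device": device}
    return plan

def classify_source(plan, block, addr):
    """Return (allowed_by_rule, site) for a source IP as the central firewall sees it."""
    ip = ipaddress.ip_address(addr)
    if ip not in block:
        return (False, None)
    for site, entry in plan.items():
        if ip in entry["subnet"]:
            return (True, site)
    # Inside the allowed /24 but not in any assigned /30: the rule still
    # matches, so unassigned space should not be routed anywhere.
    return (True, None)

if __name__ == "__main__":
    plan = build_site_plan(ALLOWED_BLOCK, SITES)
    for site, e in plan.items():
        print(f"{site}: {e['subnet']} gateway={e['gateway']} device={e['device']}")
    for src in ("10.1.1.6", "10.1.1.200", "10.1.2.6"):  # constructed test addresses
        print(src, classify_source(plan, ALLOWED_BLOCK, src))
```

A rule written this way matches on source address only, so any host that ends up with an address inside 10.1.1.0/24 gets the same unrestricted access as the intended device.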

the internet gateway wouldn't see the MAC address of a device if it were a layer 3 hop away.

That may indeed be the center of the problem. Each site is separated by a Cisco router that connects to Verizon's switched Ethernet cloud. So in fact I don't think that the Astaro firewall will be able to see the MAC address of any device not on the same LAN.

Bloody hell... I suppose this is going to be much more work than I had hoped, heheh.

Link to comment

Why not place a DHCP reservation in each location for your device and create an allow-all ruleset for said IPs?

Yeah, that's what I have set up now, just trying to think outside the box and simplify things.

Link to comment

Yeah, that's what I have set up now, just trying to think outside the box and simplify things.

OK then, how about this...

If you are using a WAN link between sites (your Ethernet "cloud", I'm assuming, is MPLS), you could place all of the APs on the same VLAN and assign addresses from a central server. Your device, when going from site to site, can have a static IP assigned.

Problem solved...

I have about 27 sites with Cisco wireless APs. We have all the users obtain addresses from a /21. The ports on the switches are on a segregated VLAN with some creative ACLs for security. Anyhow, let me know how it works out for ya.

Link to comment