3vmike, posted August 27, 2008:

Here's the issue. I have a mobile device that roams throughout the network. Each location is its own subnet. Internet access is provided by a central firewall running Astaro. I need to give my mobile device unhindered access to the internet. I am the network administrator; however, Astaro does not let me specify a MAC address as a device to give access to. I can specify a static IP for my device, however each location within the WAN has a local router that communicates through Verizon's switched Ethernet. So when I specify a static IP for my device I can't communicate with the local router, because I would have to change the DG for every location. I need the Astaro firewall to authenticate my device's MAC address and forward the IP traffic. Any help would be great!

Thanks,
3v
VaKo, posted August 27, 2008:

I've never heard of Astaro myself, but would a VPN not work? Your mobile device connects from wherever it is to a box inside your firewall, which has a static IP and is allowed external network access. As long as you don't have any internal firewalls and the routes all work correctly, this is what I would try first.
3vmike (author), posted August 29, 2008:

Yes, true, I could simply VPN into a box with a static NAT out to the internet. However, I'm looking for a way to pipe internet access directly to the mobile device. I would rather not rely on a physical machine. Rather, it would be nice to set up a rule that allows a device to connect to the internet by MAC address rather than IP address. I have a call in to Astaro about that, but they haven't gotten back to me.
SupaRice, posted September 6, 2008:

Proxy, or some sort of Proxy Mobile IP? You could create a separate SSID or separate VLAN which only you would have access to at each site. Then give each a smaller piece of a larger block of IP space that is unique to the entire network. Then allow that larger block unrestricted access through the firewall. For example:

10.1.1.0/24 allowed in the firewall

Then:
Site A would be 10.1.1.0/30
Site B would be 10.1.1.4/30
Site C would be 10.1.1.8/30
etc...

A /30 will leave you 2 addresses, one for your machine and one for the gateway. I think you'd have to explain your topology more to know about allowing by MAC address. In a traditional WAN, the internet gateway wouldn't see the MAC address of a device if it were a layer 3 hop away.
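The per-site /30 plan above, worked through as an added example (not code from the thread or from Astaro): it carves one /30 per site out of the block the firewall allows, hands the first usable address to the local router and the second to the roaming device, and checks that every site subnet actually falls inside the single allow rule, since a site address outside that block would silently get no access. The block 10.1.1.0/24 comes from the post; the site names are constructed.

```python
import ipaddress

# Constructed values for illustration: the /24 is the one quoted in the post,
# the site list is made up.
FIREWALL_ALLOWED = ipaddress.ip_network("10.1.1.0/24")
SITES = ["Site A", "Site B", "Site C"]


def max_sites(allowed, prefixlen=30):
    """How many /30s (by default) fit in the allowed block."""
    return 2 ** (prefixlen - allowed.prefixlen)


def plan_sites(allowed, sites, prefixlen=30):
    """Carve one subnet per site out of the allowed block.

    Returns {site: (network, gateway, host)}. In a /30 the two usable
    addresses go to the local router (gateway) and the roaming device (host),
    so each site costs exactly four addresses of the block.
    """
    if len(sites) > max_sites(allowed, prefixlen):
        raise ValueError("not enough /%d subnets in %s for %d sites"
                         % (prefixlen, allowed, len(sites)))
    subnets = allowed.subnets(new_prefix=prefixlen)
    plan = {}
    for site in sites:
        net = next(subnets)
        gateway, host = list(net.hosts())  # exactly two usable hosts in a /30
        plan[site] = (net, gateway, host)
    return plan


def covered_by_rule(plan, allowed):
    """True only if every site's subnet sits inside the one firewall rule."""
    return all(net.subnet_of(allowed) for net, _, _ in plan.values())


def overlaps(plan):
    """True if any two sites were handed overlapping address space."""
    nets = [net for net, _, _ in plan.values()]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    plan = plan_sites(FIREWALL_ALLOWED, SITES)
    for site, (net, gw, host) in plan.items():
        print("%s: %s  gateway=%s  device=%s" % (site, net, gw, host))
    print("covered by firewall rule:", covered_by_rule(plan, FIREWALL_ALLOWED))
```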
3vmike (author), posted September 7, 2008:

> the internet gateway wouldn't see the MAC address of a device if it were a layer 3 hop away.

That may indeed be the center of the problem. Each site is separated by a Cisco router that connects to Verizon's switched Ethernet cloud. So in fact I don't think that the Astaro firewall will be able to see the MAC address of any device not on the same LAN. Bloody hell... I suppose this is going to be much more work than I had hoped, heheh.
ret, posted September 8, 2008:

Why not place a DHCP reservation in each location for your device and create an allow-all ruleset for said IPs?
3vmike (author), posted September 8, 2008:

> why not place a dhcp reservation in each location for your device and create an allow all ruleset for said IP's??

Yeah, that's what I have set up now, just trying to think outside the box and simplify things.
ret, posted September 9, 2008:

> Yeah that's what I have setup now, just trying to think outside the box and simplify things.

OK then, how about this..... If you are using a WAN link between sites (your Ethernet "cloud" I'm assuming is MPLS), you could place all of the APs on the same VLAN and assign addresses from a central server. Your device, when going from site to site, can have a static IP assigned. Problem solved..... I have about 27 sites with Cisco wireless APs. We have all the users obtain addresses from a /21. The ports on the switches are on a segregated VLAN with some creative ACLs for security. Anyhow, let me know how it works out for ya.
Swathe, posted September 9, 2008:

> why not place a dhcp reservation in each location for your device and create an allow all ruleset for said IP's??

Yeah, that is what I'm using atm with Colubris APs.