Re: Routing problem

Author: Craig White
Date:  
To: plug-discuss
Subject: Re: Routing problem
On Sun, 2004-08-01 at 14:57, Charlie Bullen wrote:
> Hi, I need to access a Windows XP box that is behind a Linux firewall and
> a Linksys wireless access point, also acting as a firewall.
>
> Prior to adding the wireless access point, here is what worked. First I
> established an ssh tunnel to the Linux firewall with port 3389 on my
> local machine forwarded to port 3389 on the XP box. I then launched
> rdesktop pointing it to localhost, which took me through the ssh tunnel
> to the XP box. Worked great. (Running Red Hat 9.0 on my local computer.)
>
> I have changed my configuration a bit now. The LAN side of the Linux
> firewall is at 192.168.240.1. It is doing DHCP, handing out addresses in
> the range 192.168.240.60 - 69. My Linksys wireless access point gets its
> WAN side IP address from the Linux box. The LAN side of the access point
> is 192.168.240.11; it does not do DHCP. The boxes inside the Linksys
> have static addresses in the range 192.168.240.20 - 29. I have restricted
> access to the wireless access point to only computers identified by
> their IP and MAC addresses.
>
> The specific box I need to access remotely is 192.168.240.22. I have
> changed my ssh command to the following :
>
> ssh -l charlie 209.250.xxx.xxx -L 3389:192.168.240.22:3389 .
>
> In addition I have set up a rule in the wireless access point to direct
> any traffic on port 3389 to IP address 192.168.240.22.
>
> Unfortunately, this doesn't work at all. In fact, when I simply ssh into
> the Linux box I can't even see the wireless access point or any boxes
> inside. All of the boxes inside the wireless access point can see each
> other and can access the internet, but none can see the Linux box.
>
> Any ideas would be appreciated. I need a secure solution that
> would still let me get to the XP box remotely.

----
I am not entirely clear on what is going on here but I know what I would
probably do in this scenario.

First, I'm not sure I would be trying to port RDP through ssh. I tend to
use older/slower computers as routers/firewalls and would want
encryption done by the faster workstations, and thus only subject those
systems to the slowdown of encryption.

I haven't completely studied the methodology of RDP (shoot me) but I
suspect like most other VPN protocols, it uses UDP, not that this is
significant. If you are forwarding for this protocol, you probably need
to make sure you forward UDP or both UDP and TCP.

As per my first point, I tend to set up Microsoft Terminal Services to
require 'high encryption' and trust the Microsoft encryption (shoot me
again). Where I am in control of the firewall, I mangle the inbound port
- i.e. 33389 on the public IP port-forwards to 3389 on the internal LAN.

Where I think you are going wrong in your description above though,
probably has nothing to do with what I have touched on yet. The problem
I think that you are having is that you are trying to use the Linksys
Wireless router in a bridging mode - and as such, the Wireless router
should just simply work. I don't think that the Wireless router should
be doing any type of NAT or forwarding at all in bridging mode.

thus...

192.168.240.1   <linux firewall>
     |
192.168.240.11  <wireless router in bridging mode>
     |
    _|____________________________
     |                           |
192.168.240.22 <winXP>          192.168.240.23 <who knows>


Again, in bridging mode, there shouldn't be any need to NAT or forward
packets. You should be able to sit at the console of the Linux firewall
(192.168.240.1) and be able to ping the WinXP box (192.168.240.22) and vice
versa. The only things that will prevent this from working are:
a - firewall on either
b - improperly configured Linksys router. My Linksys Wireless G router
has a 'gateway' mode (this is the default) and a router mode, which is
what I think you need to set.

Once you can ping between them, you should be able to create other
connections.

Craig
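Once the tunnel is up, a quick way to confirm that the local end of `ssh -L 3389:192.168.240.22:3389` really lands on an RDP listener (and not, say, on the Linksys's own forwarding rule or an unrelated service) is to send the X.224 Connection Request that every RDP client opens with and parse the Connection Confirm. This is an added example, not code from either poster; the function names are mine, the sample responses are constructed from the MS-RDPBCGR layouts, and a server that does not support protocol negotiation (such as the RDP 5.x listener on Windows XP) answers with the bare Connection Confirm shown as `LEGACY`.

```python
import socket
import struct

# Names from MS-RDPBCGR: RDP_NEG_RSP.selectedProtocol and RDP_NEG_FAILURE.failureCode.
PROTOCOLS = {0: "standard RDP security", 1: "TLS", 3: "CredSSP (NLA)", 8: "RDSTLS"}
FAILURES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
            3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
            5: "HYBRID_REQUIRED_BY_SERVER"}

# Constructed sample Connection Confirms (TPKT + X.224 CC, optional RDP_NEG_* payload).
LEGACY = bytes.fromhex("0300000b06d00000123400")                    # no negotiation data
NLA = bytes.fromhex("030000130ed00000123400" "0200080003000000")   # RDP_NEG_RSP, CredSSP
REFUSED = bytes.fromhex("030000130ed00000123400" "0300080005000000")  # RDP_NEG_FAILURE


def build_connection_request(requested_protocols=3):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ (type 0x01)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # CR code 0xE0, dst-ref 0, src-ref 0, class 0, then the negotiation request.
    x224 = bytes([0xE0, 0, 0, 0, 0, 0]) + neg_req
    x224 = bytes([len(x224)]) + x224                     # X.224 length indicator
    return struct.pack(">BBH", 0x03, 0x00, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Describe the server's answer; raise ValueError if the bytes are not RDP at all."""
    if len(data) < 11 or data[0] != 0x03 or data[1] != 0x00:
        raise ValueError("not a TPKT packet: %r" % data[:16])
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if len(data) < tpkt_len or data[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if data[4] == 6:                                     # LI of a bare CC: legacy server
        return {"protocol": "standard RDP security", "negotiated": False}
    if len(data) < 19:
        raise ValueError("truncated RDP negotiation data")
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == 0x02:
        return {"protocol": PROTOCOLS.get(value, "unknown %#x" % value), "negotiated": True}
    if neg_type == 0x03:
        return {"failure": FAILURES.get(value, "unknown %#x" % value), "negotiated": True}
    raise ValueError("unexpected RDP negotiation type %#x" % neg_type)


def probe(host="127.0.0.1", port=3389, timeout=5.0):
    """Connect to the local end of the ssh tunnel, send a CR and parse the CC."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        return parse_connection_confirm(s.recv(1024))
```

Running `probe()` against an SSH banner or an HTTP reply raises `ValueError`, which is the clue that the forward terminates somewhere other than the XP box's RDP service.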

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss