
AFP, VPN, and Firewall
wrambro
Forum Regular
Join Date: Jan 2007
Location: Wisconsin
May 7, 2010, 04:24 PM
 
Hey all,
So I'm currently setting up a small network which basically has only 2 requirements: security and AFP, and that is it (no DNS, DHCP, Open Directory, nothing). I have both VPN and AFP set up and working, so that's out of the way. The VPN assigns a static IP based on a subset of IPs set aside for just that purpose (all the other computers on the network have their own static IPs as well, say in the 123.45.67.x subnet). Remote computers can also connect to both AFP and VPN.

What I'm currently trying to do is set up the firewall to ensure that users are on a secure connection before connecting to AFP. That is, wired users on the local subnet have full access to the server; but anything not with a 123.45.67.x IP must connect using VPN before they can connect to AFP.

I set up the firewall so that the 123.45.67.x group would have full access, and any other IP would only have access to the VPN, thinking that once they are assigned an IP by the VPN, they would have access to all services. But the firewall seems to be allowing/blocking traffic based on the remote IP rather than the internal IP (which I'm sure is the proper way to do it, but not what I was hoping).

So is there any way I can set up the firewall to give complete access to remote users with VPN-assigned IPs?
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
May 7, 2010, 10:18 PM
 
Sounds like the VPN is not configured to route all VPN traffic through the private VLAN, but simply adds the machines to the VLAN as an additional interface, leaving the default route as the usual gateway IP. You'd have to reconfigure your VPN to do as I've described, if I'm understanding you correctly, but in doing so you force all of your users to utilize the bandwidth and resources of the network your VPN resides on.

Why not ditch AFP and go with SSHfs? You'll have your security via the secure tunnel (not to mention better performance), and you can also set up per-user access control.
     
wrambro  (op)
Forum Regular
Join Date: Jan 2007
Location: Wisconsin
May 8, 2010, 01:33 AM
 
Thanks besson, I suspected it might be something with how I set up the VPN but wasn't exactly sure what. I'll try and reconfigure it and see what happens. But if I do set up the VPN this way, would these firewall settings be appropriate for what I'm trying to accomplish?

And I did consider SSHfs, but did not use it for several reasons, the main reason being I won't be around to administer the server once I'm done setting it up, so I need to use something that is easy to manage using Server Admin (sorry, forgot to mention I'm using OS X Snow Leopard Server on a Mac Mini). The person who will be overseeing the server will exclusively use GUI tools, so that's kind of a limitation with setting up new machines, troubleshooting, etc.

This server is used exclusively as a centralized file server. And I set up the VPN to ensure that all file transfers between the server and outside connections are encrypted. So if there is a better way to accomplish this that can also be managed using the GUI server admin tools in OS X, I'm open to hearing it.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
May 8, 2010, 02:29 AM
 
I don't think what I wrote originally was completely accurate, let me try again...

You can set up your VPN so that the connecting machine simply joins the private VLAN created by the VPN, and this interface is simply an additional interface used by the machine. You can also set up the VPN so that all traffic is tunneled through this interface. However, I don't think this is completely relevant to you after all...

Once the VPN connection is established, the server you want the clients to connect to has to also be available on this same subnet. To do this the server should also be connected to the VPN so that it is a part of this network. All machines connected to the VPN and assigned a private IP can be configured so that they can communicate with one another, this is what you want.

So, say your setup is:

10.0.1.1 = AFP server
10.0.1.2 = client 1
10.0.1.3 = client 2

then, with the proper configuration, 10.0.1.2 and 10.0.1.3 should be able to contact the AFP server. In this case you want to firewall all traffic on the AFP port 548 (I think) to only be permitted by this private VLAN. VPN connections on whatever port your VPN uses should be open to the public IPs you want to connect to your VPN server.

You'll want to set up the server with a sticky IP address so that it is always accessible via the same private IP. You can also set up DNS entries so that, say, myafpserver.mydomain.com resolves to 10.0.1.1, so that you can give your clients this DNS name.

I'm not exactly sure what you mean by "outside connections being encrypted"? Basically, all traffic over the VPN will be encrypted, but once it leaves the VPN traffic is not encrypted unless this communication is handled via a separate SSH tunnel.
     
wrambro  (op)
Forum Regular
Join Date: Jan 2007
Location: Wisconsin
May 8, 2010, 10:42 AM
 
Will the server be able to connect to itself via VPN? It hadn't occurred to me to try that. After all, the VPN and AFP are on the same machine, so it's not like I have a file serving machine connecting to a hardware VPN.

Originally Posted by besson3c:
I'm not exactly sure what you mean by "outside connections being encrypted"? Basically, all traffic over the VPN will be encrypted, but once it leaves the VPN traffic is not encrypted unless this communication is handled via a separate SSH tunnel.
All I meant by this was that since file transfers over AFP are not encrypted, I used VPN to create an encrypted tunnel for these file transfers to go through when a user is on a remote connection. However, if traffic over AFP is encrypted, then this is all moot. But to my knowledge, only authentication is encrypted.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
May 8, 2010, 02:04 PM
 
Originally Posted by wrambro:
Will the server be able to connect to itself via VPN? It hadn't occurred to me to try that. After all, the VPN and AFP are on the same machine, so it's not like I have a file serving machine connecting to a hardware VPN.
The server needs to have a network interface on the same private subdomain so that it can reach other machines on the same subnet. Can you ping other machines connected to the VPN? You may or may not have to connect the server itself to the VPN, it depends on how the VPN is implemented. If you can ping other machines connected to the VPN you shouldn't have to do this though.

Originally Posted by wrambro:
All I meant by this was that since file transfers over AFP are not encrypted, I used VPN to create an encrypted tunnel for these file transfers to go through when a user is on a remote connection. However, if traffic over AFP is encrypted, then this is all moot. But to my knowledge, only authentication is encrypted.
This is one reason why I suggested SSHfs. On the server end you simply enable SSH, very easy. The client end is where things can get a little more complicated in establishing connections.

You're right, only auth is encrypted, unless you manually start your own SSH tunnel or use something like stunnel.
     
wrambro  (op)
Forum Regular
Join Date: Jan 2007
Location: Wisconsin
May 9, 2010, 06:24 PM
 
From the server, I can ping connected computers only by their remote IP, not by the VPN-assigned local IP. When I try that, I get

ping: sendto: Permission denied
Request timeout for icmp_seq 'x'

I can also ping the server from each workstation. I can also ping other workstations from a given workstation using the remote workstation's IP as well as the VPN-assigned IP.

My VPN is set up as follows: let's say the server has an IP address of 192.168.0.50. The VPN I have set up is an L2TP over IPsec, which distributes static IPs between 192.168.0.11 and 192.168.0.25. PPP authentication via MS-CHAPv2 and IPsec authentication via Shared Secret. The 3 DNS servers associated with the VPN are 192.168.0.50, 192.168.254.254, and xxx.xxx.254.254 (just another DNS).

When I try to connect the server to its own VPN, I get no response (which I'm not surprised by). But I am still kind of stumped.
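As an added illustration (not code from this thread or from OS X Server), here is a small Python model of the rule set besson3c describes (AFP on TCP 548 only from the VPN's private range, the VPN service itself open to public addresses, the wired LAN unrestricted) using the addressing wrambro gives above. It also shows why a rule set keyed on the public address cannot work: the filter sees a pool address only after the tunnel has been decapsulated. The /24 LAN prefix, the public address 203.0.113.7 and all packets are constructed assumptions.

```python
import ipaddress

# Addressing taken from the thread: the server is 192.168.0.50 on the wired
# LAN and the L2TP/IPsec VPN hands clients 192.168.0.11 - 192.168.0.25.
# The /24 LAN prefix and every packet below are constructed assumptions.
LAN = ipaddress.ip_network("192.168.0.0/24")
VPN_POOL = (ipaddress.ip_address("192.168.0.11"),
            ipaddress.ip_address("192.168.0.25"))
AFP = ("tcp", 548)
# What the L2TP/IPsec service itself needs reachable from public addresses:
# IKE (UDP 500), IPsec NAT traversal (UDP 4500), L2TP (UDP 1701).  ESP is
# IP protocol 50, not a port, so it is matched by protocol name below.
VPN_CONTROL = {("udp", 500), ("udp", 4500), ("udp", 1701)}


def in_vpn_pool(addr):
    """True if addr is one of the addresses the VPN assigns to clients."""
    addr = ipaddress.ip_address(addr)
    return VPN_POOL[0] <= addr <= VPN_POOL[1]


def decide(src, proto, dport=None):
    """Return 'allow' or 'deny' for one packet as the packet filter sees it.

    The filter can only act on the source address in front of it; it cannot
    know that a public host 'will' get a pool address later.  So public
    sources get the VPN service alone, VPN pool sources get AFP, and the
    wired LAN gets everything.  The pool is checked first because it lies
    inside the LAN /24 in this setup.
    """
    src = ipaddress.ip_address(src)
    if in_vpn_pool(src):
        return "allow" if (proto, dport) == AFP else "deny"
    if src in LAN:
        return "allow"
    if proto == "esp" or (proto, dport) in VPN_CONTROL:
        return "allow"
    return "deny"


def tunneled_afp(outer_src, inner_src):
    """Both decisions a VPN user's AFP packet goes through: the encapsulating
    IPsec NAT-T datagram from the public address, then the decapsulated AFP
    segment from the pool address.  Judging the inner packet by the outer
    address instead is the behaviour the original poster ran into."""
    return decide(outer_src, "udp", 4500), decide(inner_src, "tcp", 548)
```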
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
May 9, 2010, 10:31 PM
 
Well, if you want to require the VPN to allow connectivity to your AFP server, you are going to have to modify the VPN config to allow connectivity between machines on your VLAN.

I don't use OS X Server so I don't know what you'd have to do in the GUI to do this.