Sunday, June 29, 2008

Finally Cured My Home NAT Pain



Although in the past I've run into issues (on the job) where NAT (or multiple web proxy chains) made troubleshooting connectivity issues difficult, closer to home my crappy WRT54Gv5 (VxWorks based, I believe, which, unlike the older Linux-based 54Gs, does not allow you to disable NAT) has not only obscured my wireless activity but made access controls difficult. Although I had a Nessus scanner running on the WLAN segment, all the PVS data was obscured by the router.

I'm sure there are probably ways I could use different username/password combinations with Squid to provide limited access to my kids' computers and full access to anything else, but I'm a bit lazy, and it's painful enough just to keep changing the proxy configs on the laptops my wife uses.

So I was about ready to order an honest-to-God AP so I could finally get useful PVS data, until I realized I had a perfectly good 851w sitting in the closet. I've always found wireless painfully difficult to configure on this router. I think the problem, which I finally overcame last night, was configuring a subinterface on the radio interface with the right VLAN, but that is probably worth a separate blog post. With ACLs on the 851 only allowing DNS (the Debian dnsmasq package works great) and TCP/3128 to the firewall, I can now distinguish my kids' browsing habits. Not that it is hard. As you can see from the squidview screenshot, my daughter is playing dragontales games on pbskids.org. What's the harm in opening up the entire .gov domain, anyway?
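The payoff of moving the kids onto their own VLAN is that Squid's access.log now carries a real client address instead of the router's NAT address, so requests can be attributed per segment. The script below is an added example (not the post's setup and not squidview itself): it parses Squid native-format log lines, maps each client to a segment by subnet, tallies hosts per segment, and flags kids' requests outside a small allow list. The subnets (192.168.20.0/24 for the kids' WLAN, 192.168.1.0/24 for the rest), the pbskids.org-only policy, and the log lines are all constructed assumptions, not data from the post.

```python
"""Attribute Squid access.log requests to the VLAN they came from and flag
policy misses for the kids' segment. Added example; squidview is what the
post actually used, and all addresses and log lines below are made up."""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed addressing (not from the post): kids' wireless VLAN and the rest
# of the home LAN. Behind the old NAT router every client would have shown
# up as one address, collapsing all of this into a single bucket.
SEGMENTS = {
    "kids-wlan": ipaddress.ip_network("192.168.20.0/24"),
    "home-lan": ipaddress.ip_network("192.168.1.0/24"),
}

# Assumed policy: what the kids' segment is meant to be reaching.
KIDS_ALLOWED = ("pbskids.org",)

# Constructed Squid native-format lines. Fields: timestamp elapsed client
# code/status bytes method URL rfc931 hierarchy/peer content-type
SAMPLE_LOG = """\
1214700001.123    245 192.168.20.11 TCP_MISS/200 8412 GET http://pbskids.org/dragontales/ - DIRECT/204.16.24.10 text/html
1214700002.456     12 192.168.20.11 TCP_HIT/200 2048 GET http://pbskids.org/images/dt.gif - NONE/- image/gif
1214700003.789    301 192.168.20.12 TCP_MISS/200 51234 GET http://www.example.org/games/ - DIRECT/192.0.2.10 text/html
1214700004.012    150 192.168.1.50 TCP_MISS/200 9876 GET http://www.debian.org/ - DIRECT/192.0.2.20 text/html
1214700005.345     80 192.168.1.50 TCP_MISS/200 1234 CONNECT mail.example.net:443 - DIRECT/192.0.2.30 -
"""


def segment_of(client_ip):
    """Name the VLAN a client address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(client_ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def host_of(method, url):
    """Extract the destination host. CONNECT lines carry host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def parse_line(line):
    """Parse one native-format access.log line into a dict, or None if malformed."""
    f = line.split()
    if len(f) < 7:
        return None
    return {
        "ts": float(f[0]),
        "client": f[2],
        "status": f[3],
        "method": f[5],
        "url": f[6],
        "segment": segment_of(f[2]),
        "host": host_of(f[5], f[6]),
    }


def allowed_for_kids(host):
    """True if host is an allowed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in KIDS_ALLOWED)


def summarize(log_text):
    """Return (per-segment host counts, list of (client, host) policy misses)."""
    counts = defaultdict(lambda: defaultdict(int))
    violations = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["segment"]][rec["host"]] += 1
        if rec["segment"] == "kids-wlan" and not allowed_for_kids(rec["host"]):
            violations.append((rec["client"], rec["host"]))
    return {seg: dict(hosts) for seg, hosts in counts.items()}, violations


if __name__ == "__main__":
    per_segment, misses = summarize(SAMPLE_LOG)
    for seg, hosts in per_segment.items():
        print(seg)
        for host, n in sorted(hosts.items(), key=lambda kv: -kv[1]):
            print(f"  {n:4d}  {host}")
    for client, host in misses:
        print(f"kids-wlan client {client} reached non-allowed host {host}")
```

Point it at the real access.log with `summarize(open("/var/log/squid/access.log").read())`; the same per-segment split is what the router ACLs make possible, since anything from the kids' VLAN that is not DNS or TCP/3128 to the firewall never reaches Squid at all and has to be caught at the ACL (or by the PVS sensor) instead.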

This week I'll span the 851's WAN port on my 2940 and plop in a PVS sensor, and I'll have even better visibility!
