I suppose I should add:
I originally intended to use the router the "other way around", with the wireless AP connected to the WAN side, and have the router block all ports except SSH and VTUN -- forwarding just those two to the internal LAN's Linux server/router.
In fact, that's how it was originally configured. But two problems with this:
(1) script kiddies can play nasty games with their IP addresses on the wireless segment, requiring more care on my part to ensure that the LAN servers don't get fooled. This could be fixed with special routing table entries in the cheap router, I suppose, similar to what I did in the final solution. But...
(2) The cheap router seems to have a 64KByte/sec bandwidth limit for WAN->LAN port forwarding. This was unacceptably slow.
Reversing the setup, so that the wireless AP was now on the LAN side, resulted in packets following the better optimized (oddly enough) NAT path of the cheap router.
Bandwidth to/from my internal server via the encrypted tunnels and 128-bit WEP AP now maxes out at just under 3Mbits/sec, which is reasonable for a theoretical 11Mbit/sec physical radio medium.
Cheers