OK, I got my first 450G up and running. I'm basically using it as a pumped-up home/SOHO all-in-one router, WAN IP on ether1-gateway and LAN on bridged ether2-5. I set up a hotspot on it, do user accounting with userman, and I use the integrated web proxy on port 8080 to transparently do some filtering and blocking (not caching) for the hotspot-authenticated clients (while unauthenticated clients get no access at all). All that seems to be working fine, but I have a few specific questions/issues.
1) What in the world does the "transparent proxy" tick box in the hotspot user profiles do? The documentation is very vague, and I found no post explaining this clearly. The way I got my transparent filtering/blocking proxy to work is by setting up a rule in the NAT pre-hotspot firewall table, redirecting packets originating from the LAN with dst-port 80 to dst-port 8080 (which the integrated proxy listens on). But then, what does the "transparent proxy" tick box do? I can see no firewall rule added when I tick it.
2) I can't get SSH to work from the WAN side. The SSH service is running on port 22. User and key are defined. I can SSH from the LAN when authenticated in the hotspot. I also set up a rule in the walled garden IP list, and I am able to connect from the LAN even if I am not authenticated in the hotspot. To connect from the WAN side, I set up a rule in the input table to accept all connections (for testing purposes; I will harden that later) with dst-port 22 on ether1-gateway. But this does not work. I keep getting connection timeout or connection refused, depending on which SSH client I use, and the counter on the firewall rule obstinately sticks to zero. I know for a fact that the ISP does not block this port, because if I disconnect the 450G and plug my old DD-WRT Linksys back in, then I can SSH into it from the WAN side. Do the hotspot NAT rules somehow interfere with this? I tried to add a "return" static entry at the end of the hs-unauth NAT table if dst-port 22 is matched on interface ether1-gateway (similar to the dynamic entries added by the walled garden on the LAN side). Still no luck. I can't think of anything else now. I can't get at the router just now, but I will post the config later. Anyone else had similar issues?
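As an added example (not the poster's config and not MikroTik's own documentation), here is how the two pieces described above look as RouterOS commands, with the WAN SSH rule limited to an admin source list instead of accept-all and a logging drop behind it so the counters show what is arriving. Assumed names: the LAN bridge is `bridge-local`, the address list is `ssh-admins`, and `203.0.113.0/24` and `blocked.example` are placeholders; ether1-gateway and port 8080 come from the post.

```routeros
# Added example, not the original poster's config. Assumed: LAN bridge
# "bridge-local", admin address list "ssh-admins", placeholder admin
# network 203.0.113.0/24 and placeholder domain blocked.example.

# Transparent filtering proxy on port 8080, caching disabled
/ip proxy set enabled=yes port=8080 cache-on-disk=no max-cache-size=none
# One blocking rule as an illustration of the filtering (placeholder host)
/ip proxy access add dst-host=blocked.example action=deny

# Redirect HTTP from authenticated hotspot clients into the proxy.
# pre-hotspot is the chain the post refers to; hotspot=auth restricts the
# redirect to clients that have logged in to the hotspot.
/ip firewall nat add chain=pre-hotspot in-interface=bridge-local \
    protocol=tcp dst-port=80 hotspot=auth action=redirect to-ports=8080

# SSH from the WAN side, accepted only from the admin address list.
# place-before=0 puts the rule ahead of any existing input rules.
/ip firewall address-list add list=ssh-admins address=203.0.113.0/24
/ip firewall filter add chain=input in-interface=ether1-gateway \
    protocol=tcp dst-port=22 src-address-list=ssh-admins action=accept \
    place-before=0 comment="WAN SSH admin"
# Log and drop any other port-22 traffic arriving on the WAN interface,
# so unexpected attempts show up in /log rather than silently disappearing
/ip firewall filter add chain=input in-interface=ether1-gateway \
    protocol=tcp dst-port=22 action=drop log=yes log-prefix="ssh-wan-drop"
# Bind the SSH service itself to the admin network as a second layer
/ip service set ssh address=203.0.113.0/24

# Check the packet/byte counters to confirm the accept rule is being hit
/ip firewall filter print stats where comment="WAN SSH admin"
```

If the accept counter stays at zero while the logging drop rule also stays at zero, the packets are not reaching the input chain at all, which narrows the search to what happens before it.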